Solution to the v8 HorsePower challenge in picoCTF. Start reading in step1-readwrite-heap for an explanation, then step2, step3, shellcode.js and payload.c, and finally exploit.js. step1-readwrite-heap-orig.js is the first version of step1 I initially used, before realizing I could simplify it a bit (the simplified version is step1-readwrite-heap.js).
NOTE: The files (all except exploit.js) should be run using d8 with the --allow-natives-syntax flag to enable %DebugPrint.
Using %DebugPrint lets you check against the expected pointers easily, without having to muck around in gdb.
Example:
./d8 step1-readwrite-heap.js --allow-natives-syntax
All the scripts end in an infinite loop, so that you can set a breakpoint when running in gdb.
To send the exploit on Windows:
type .\exploit.js | python .\send.py
On Linux:
cat ./exploit.js | python2 ./send.py
Generate shellcode for payload.c (in Linux/WSL):
node shellcode.js
(Copy stdout into the machine_code array in exploit.js)
Generate shellcode, put it in exploit.js, and send it (in Linux/WSL):
node ./setup_and_run.js
References:
Exploiting v8: *CTF 2019 oob-v8
Comprehensive guide to browser exploitation
Assembly language files and Shellcode
Stackoverflow answer on how to invoke syscalls with inline assembly