pwnjs's Introduction

pwn.js

Basic Usage

A pre-built version of the library is located at /dist/pwn.js. API documentation is available in /docs, and examples of complete exploits are in /examples.

If you want to implement a new Chakra exploit, you can use this basic template:

var Exploit = (function() {
    var ChakraExploit = pwnjs.ChakraExploit,
        Integer = pwnjs.Integer;

    function Exploit() {
        ChakraExploit.call(this);
        // TODO: implement your exploit
        // TODO: leak any Chakra.dll address (e.g. a vtable)
        this.initChakra(vtable);
    }
    Exploit.prototype = Object.create(ChakraExploit.prototype);
    Exploit.prototype.constructor = Exploit;
    Exploit.prototype.read = function (address, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory read of address
        }
    }
    Exploit.prototype.write = function (address, value, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory write of value to address
        }
    }
    return Exploit;
})();

Using an exploit in a payload is easier if you use the deprecated with statement:

with (new Exploit()) {
    var malloc = importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
    // ...
}

You can also define an Exploit object (non-deprecated, but more verbose):

var e = new Exploit();
var malloc = e.importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
// ...

Build Instructions

You can rebuild the library using webpack:

$ npm install
$ npm run build

You can rebuild the documentation using jsdoc:

$ npm run jsdoc

Also, you can run a small HTTP server to host the documentation and examples:

$ npm start

pwnjs's People

Contributors

awesie, brianairb, externalist, sufuf3


pwnjs's Issues

cannot find the linkToBeginningThreadContext gadget

pwn.js fails because it cannot find the following gadget:

'linkToBeginningThreadContext', [0x48, 0x8B, 0xC4, 0x4C, 0x89, 0x40, 0x18, 0x48, 0x89, 0x50, 0x10, 0x48, 0x89, 0x48, 0x08, 0x48, 0x83, 0x61]]

Is it possible to get some information on why this gadget is required?

Thank you in advance.

Gadget update

Hi,

First of all, a very cool project!

Unfortunately, it doesn't work any longer on the newer Chakra versions (testing on Windows 1709 with November patches).

One issue is that some of the gadgets need updating as they can no longer be found.

The more serious issue, however, is that amd64_callfunction now includes
call qword ptr [chakra!_guard_dispatch_icall_fptr]
instead of
call eax
and currently pwnjs relies on the code in amd64_callfunction to load the 3rd and 4th params into r8 and r9. So nopReturn should point to something that is allowed by CFG and immediately returns.

Possibly there are other issues with the newer Chakra version, I haven't tested very thoroughly.

Gadget pattern mismatches in Edge chakra.dll

Hi,
Thanks for open-sourcing such an excellent exploit framework.

I found that the gadget pattern needs to change in the latest chakra.dll (2018/11/05).

The entrySlice pattern in the code is 0x8B, 0xF8, 0x41, 0x83, -1, 0x02, which matches code in Js::JavascriptString::EntryLocaleCompare instead of Js::JavascriptString::EntrySlice now.

// Js::JavascriptString::EntryLocaleCompare
.text:0000000180075ACA E8 CD 6F 1E 00                                call    ?GetEngineExtension@EngineInterfaceObject@Js@@QEBAPEAVEngineExtensionObjectBase@2@W4EngineInterfaceExtensionKind@2@@Z ; Js::EngineInterfaceObject::GetEngineExtension(Js::EngineInterfaceExtensionKind)
.text:0000000180075ACF 48 8B F8                                      mov     rdi, rax
.text:0000000180075AD2 41 83 FC 02                                   cmp     r12d, 2
// Js::JavascriptString::EntrySlice
.text:000000018026B350 E8 DF 20 ED FF                                call    ?ConvertToIndex@JavascriptString@Js@@CAIPEAXPEAVScriptContext@2@@Z ; Js::JavascriptString::ConvertToIndex(void *,Js::ScriptContext *)
.text:000000018026B355 8B D8                                         mov     ebx, eax
.text:000000018026B357 41 83 FF 02                                   cmp     r15d, 2

We may need a more compatible pattern or searching approach for the new version of Edge.
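The issue above is a concrete case of a general problem: a byte signature with wildcards can keep matching after a rebuild while landing in a different function, and the caller has no way to notice unless it checks how many places the pattern matches. The following is an added example, not code from pwn.js or from the issue author, showing a small wildcard scanner that reports every match offset so a signature can be checked for uniqueness. It runs against a constructed buffer holding the instruction bytes quoted in the issue's two disassembly excerpts (the buffer layout, its offsets and the function names parsePattern, findPattern, signatureStatus and demo are assumptions made for this example, not anything from chakra.dll or the library). The same check applies to detection signatures built from instruction bytes, which drift in exactly the same way between builds.

```javascript
// Added example, not part of pwn.js: a wildcard byte-signature scanner that
// reports every offset a pattern matches, so a signature can be checked for
// uniqueness before it is trusted. A pattern that silently matches a
// different function after a rebuild (as described in the issue above) is a
// hazard for any byte-pattern signature, including detection rules.

// Parse an IDA/YARA-style hex string such as "8B F8 41 83 ?? 02" into an
// array of byte values where -1 stands for a wildcard byte.
function parsePattern(text) {
  return text.trim().split(/\s+/).map((tok) => {
    if (tok === "??" || tok === "?") return -1;
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error(`bad pattern token: ${tok}`);
    return parseInt(tok, 16);
  });
}

// True if `pattern` matches `buf` starting at `offset`.
function matchesAt(buf, pattern, offset) {
  if (offset + pattern.length > buf.length) return false;
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] !== -1 && buf[offset + i] !== pattern[i]) return false;
  }
  return true;
}

// Return every offset in `buf` where `pattern` matches (overlaps allowed).
function findPattern(buf, pattern) {
  const hits = [];
  for (let off = 0; off + pattern.length <= buf.length; off++) {
    if (matchesAt(buf, pattern, off)) hits.push(off);
  }
  return hits;
}

// Summarise a signature: where it matches, how often, and whether that is unique.
function signatureStatus(buf, pattern) {
  const offsets = findPattern(buf, pattern);
  return { offsets, count: offsets.length, unique: offsets.length === 1 };
}

// Constructed sample buffer (an assumption, not a real chakra.dll): the
// instruction bytes quoted in the issue's two disassembly excerpts, separated
// by NOP padding. The offsets mean nothing outside this example.
const SAMPLE = Uint8Array.from([
  0x90, 0x90,
  // Js::JavascriptString::EntryLocaleCompare excerpt
  0x48, 0x8b, 0xf8,        // mov rdi, rax
  0x41, 0x83, 0xfc, 0x02,  // cmp r12d, 2
  0x90, 0x90, 0x90,
  // Js::JavascriptString::EntrySlice excerpt
  0x8b, 0xd8,              // mov ebx, eax
  0x41, 0x83, 0xff, 0x02,  // cmp r15d, 2
  0x90,
]);

// The entrySlice pattern quoted in the issue (-1 is the wildcard byte).
const ENTRY_SLICE_PATTERN = [0x8b, 0xf8, 0x41, 0x83, -1, 0x02];

// Demonstration: the quoted pattern lands on the EntryLocaleCompare bytes and
// not on EntrySlice; a pattern built from the EntrySlice bytes lands where
// intended; and a pattern that is too loose matches both excerpts and is
// reported as non-unique.
function demo() {
  return {
    oldPattern: signatureStatus(SAMPLE, ENTRY_SLICE_PATTERN),
    slicePattern: signatureStatus(SAMPLE, parsePattern("8B D8 41 83 ?? 02")),
    loosePattern: signatureStatus(SAMPLE, parsePattern("41 83 ?? 02")),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is that a scanner used to locate code by signature should return all hits and let the caller refuse anything other than exactly one; taking the first hit is what turns a stale pattern into a silent mismatch like the one reported here.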
