theori-io / pwnjs
A JavaScript library for browser exploitation
Hi,
Thanks for open-sourcing such an excellent exploit framework.
I found that the gadget pattern needs to change in the latest chakra.dll (2018/11/05).
The entrySlice pattern in the code is 0x8B, 0xF8, 0x41, 0x83, -1, 0x02, which now matches code in Js::JavascriptString::EntryLocaleCompare instead of Js::JavascriptString::EntrySlice.
// Js::JavascriptString::EntryLocaleCompare
.text:0000000180075ACA E8 CD 6F 1E 00 call ?GetEngineExtension@EngineInterfaceObject@Js@@QEBAPEAVEngineExtensionObjectBase@2@W4EngineInterfaceExtensionKind@2@@Z ; Js::EngineInterfaceObject::GetEngineExtension(Js::EngineInterfaceExtensionKind)
.text:0000000180075ACF 48 8B F8 mov rdi, rax
.text:0000000180075AD2 41 83 FC 02 cmp r12d, 2
// Js::JavascriptString::EntrySlice
.text:000000018026B350 E8 DF 20 ED FF call ?ConvertToIndex@JavascriptString@Js@@CAIPEAXPEAVScriptContext@2@@Z ; Js::JavascriptString::ConvertToIndex(void *,Js::ScriptContext *)
.text:000000018026B355 8B D8 mov ebx, eax
.text:000000018026B357 41 83 FF 02 cmp r15d, 2
We may need a more compatible pattern or search approach for the new version of Edge.
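To make the ambiguity described in this issue concrete, here is an added example (not pwn.js code) of a wildcard byte-signature scan, run over byte sequences constructed from the two listings quoted above; the -1 wildcard convention follows the issue, and `findPattern`/`scanBoth` are names chosen here. It shows the entrySlice pattern hitting the EntryLocaleCompare bytes and missing the new EntrySlice bytes entirely, which is the same reason short signatures drift across builds for detection rules as well.

```javascript
// Added example, not pwn.js code: a minimal wildcard byte-signature scan.
// A value of -1 in the pattern matches any byte (same convention as in the issue).
function findPattern(bytes, pattern) {
  const hits = [];
  for (let i = 0; i + pattern.length <= bytes.length; i++) {
    let ok = true;
    for (let j = 0; j < pattern.length; j++) {
      if (pattern[j] !== -1 && bytes[i + j] !== pattern[j]) { ok = false; break; }
    }
    if (ok) hits.push(i);
  }
  return hits;
}

// Byte sequences constructed from the two listings quoted in the issue
// (opcode bytes only; the call bytes are kept as context).
const ENTRY_LOCALE_COMPARE = Uint8Array.from([
  0xE8, 0xCD, 0x6F, 0x1E, 0x00,   // call GetEngineExtension
  0x48, 0x8B, 0xF8,               // mov rdi, rax
  0x41, 0x83, 0xFC, 0x02,         // cmp r12d, 2
]);
const ENTRY_SLICE_NEW = Uint8Array.from([
  0xE8, 0xDF, 0x20, 0xED, 0xFF,   // call ConvertToIndex
  0x8B, 0xD8,                     // mov ebx, eax
  0x41, 0x83, 0xFF, 0x02,         // cmp r15d, 2
]);

// The entrySlice pattern quoted in the issue.
const ENTRY_SLICE_PATTERN = [0x8B, 0xF8, 0x41, 0x83, -1, 0x02];

// Returns the match offsets of the pattern in each constructed sequence:
// one hit at offset 6 in EntryLocaleCompare, no hit in the new EntrySlice.
function scanBoth() {
  return {
    localeCompare: findPattern(ENTRY_LOCALE_COMPARE, ENTRY_SLICE_PATTERN),
    entrySlice: findPattern(ENTRY_SLICE_NEW, ENTRY_SLICE_PATTERN),
  };
}

console.log(scanBoth()); // { localeCompare: [ 6 ], entrySlice: [] }
```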
pwn.js fails because it cannot find the following gadget:
'linkToBeginningThreadContext', [0x48, 0x8B, 0xC4, 0x4C, 0x89, 0x40, 0x18, 0x48, 0x89, 0x50, 0x10, 0x48, 0x89, 0x48, 0x08, 0x48, 0x83, 0x61]]
Is it possible to get some information on why this gadget is required?
Thank you in advance
OK, so I tried the examples, but none of them are working, on unpatched Windows.
Hi,
First of all, a very cool project!
Unfortunately, it doesn't work any longer on the newer Chakra versions (testing on Windows 1709 with November patches).
One issue is that some of the gadgets need updating as they can no longer be found.
The more serious issue, however, is that amd64_callfunction now includes
call qword ptr [chakra!_guard_dispatch_icall_fptr]
instead of
call eax
and currently pwnjs relies on the code in amd64_callfunction to load the 3rd and 4th params into r8 and r9. So nopReturn should point to something that is allowed by CFG and immediately returns.
Possibly there are other issues with the newer Chakra version, I haven't tested very thoroughly.