GitHub - theori-io/pwnjs: A Javascript library for browser exploitation
source link: https://github.com/theori-io/pwnjs
pwn.js
Basic Usage
A pre-built version of the library is located at /dist/pwn.js. API documentation is available in /docs (or online), and examples of complete exploits are in /examples.
If you want to implement a new Chakra exploit, you can start from this basic template (the TODO comments mark the target-specific parts you have to supply; `vtable` stands for a leaked Chakra.dll address):
```javascript
var Exploit = (function() {
    var ChakraExploit = pwnjs.ChakraExploit,
        Integer = pwnjs.Integer;

    function Exploit() {
        ChakraExploit.call(this);
        // TODO: implement your exploit
        // TODO: leak any Chakra.dll address (e.g. a vtable)
        this.initChakra(vtable);
    }

    Exploit.prototype = Object.create(ChakraExploit.prototype);
    Exploit.prototype.constructor = Exploit;

    Exploit.prototype.read = function (address, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory read of address
        }
    };

    Exploit.prototype.write = function (address, value, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory write of value to address
        }
    };

    return Exploit;
})();
```
Using an exploit in a payload is easier if you use the (deprecated) `with` statement:

```javascript
with (new Exploit()) {
    var malloc = importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
    // ...
}
```
You can also define an Exploit object explicitly (not deprecated, but more verbose):

```javascript
var e = new Exploit();
var malloc = e.importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
// ...
```
Build Instructions
You can rebuild the library using webpack:

```
$ npm install
$ npm run build
```

You can rebuild the documentation using jsdoc:

```
$ npm run jsdoc
```

You can also run a small HTTP server to host the documentation and examples:

```
$ npm start
```