0 parents
commit 1c3a4e9
Showing
71 changed files
with
44,595 additions
and
0 deletions.
@@ -0,0 +1,101 @@ | ||
# General | ||
.DS_Store | ||
.AppleDouble | ||
.LSOverride | ||
|
||
# Icon must end with two \r | ||
Icon | ||
|
||
|
||
# Thumbnails | ||
._* | ||
|
||
# Files that might appear in the root of a volume | ||
.DocumentRevisions-V100 | ||
.fseventsd | ||
.Spotlight-V100 | ||
.TemporaryItems | ||
.Trashes | ||
.VolumeIcon.icns | ||
.com.apple.timemachine.donotpresent | ||
|
||
# Directories potentially created on remote AFP share | ||
.AppleDB | ||
.AppleDesktop | ||
Network Trash Folder | ||
Temporary Items | ||
.apdisk | ||
|
||
# Logs | ||
logs | ||
*.log | ||
npm-debug.log* | ||
yarn-debug.log* | ||
yarn-error.log* | ||
|
||
# Runtime data | ||
pids | ||
*.pid | ||
*.seed | ||
*.pid.lock | ||
|
||
# Directory for instrumented libs generated by jscoverage/JSCover | ||
lib-cov | ||
|
||
# Coverage directory used by tools like istanbul | ||
coverage | ||
|
||
# nyc test coverage | ||
.nyc_output | ||
|
||
# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) | ||
.grunt | ||
|
||
# Bower dependency directory (https://bower.io/) | ||
bower_components | ||
|
||
# node-waf configuration | ||
.lock-wscript | ||
|
||
# Compiled binary addons (https://nodejs.org/api/addons.html) | ||
build/Release | ||
|
||
# Dependency directories | ||
node_modules/ | ||
jspm_packages/ | ||
|
||
# Typescript v1 declaration files | ||
typings/ | ||
|
||
# Optional npm cache directory | ||
.npm | ||
|
||
# Optional eslint cache | ||
.eslintcache | ||
|
||
# Optional REPL history | ||
.node_repl_history | ||
|
||
# Output of 'npm pack' | ||
*.tgz | ||
|
||
# Yarn Integrity file | ||
.yarn-integrity | ||
|
||
# dotenv environment variables file | ||
.env | ||
|
||
# Swap | ||
[._]*.s[a-v][a-z] | ||
[._]*.sw[a-p] | ||
[._]s[a-v][a-z] | ||
[._]sw[a-p] | ||
|
||
# Session | ||
Session.vim | ||
|
||
# Temporary | ||
.netrwhist | ||
*~ | ||
# Auto-generated tag files | ||
tags |
@@ -0,0 +1,80 @@ | ||
# pwn.js | ||
|
||
## Basic Usage | ||
|
||
Pre-built version of the library is located at /dist/pwn.js. API documentation is available in /docs, and examples of complete exploits are in /examples. | ||
|
||
If you want to implement a new Chakra exploit, you can use this basic template: | ||
|
||
```js | ||
var Exploit = (function() { | ||
var ChakraExploit = pwnjs.ChakraExploit, | ||
Integer = pwnjs.Integer; | ||
|
||
function Exploit() { | ||
ChakraExploit.call(this); | ||
// TODO: implement your exploit | ||
// TODO: leak any Chakra.dll address (e.g. a vtable) | ||
this.initChakra(vtable); | ||
} | ||
Exploit.prototype = Object.create(ChakraExploit.prototype); | ||
Exploit.prototype.constructor = Exploit; | ||
Exploit.prototype.read = function (address, size) { | ||
switch (size) { | ||
case 8: | ||
case 16: | ||
case 32: | ||
case 64: | ||
// TODO: implement memory read of address | ||
} | ||
} | ||
Exploit.prototype.write = function (address, value, size) { | ||
switch (size) { | ||
case 8: | ||
case 16: | ||
case 32: | ||
case 64: | ||
// TODO: implement memory write of value to address | ||
} | ||
} | ||
return Exploit; | ||
})(); | ||
``` | ||
|
||
Using an exploit in a payload is easier if you use the deprecated _with_ statement: | ||
|
||
```js | ||
with (new Exploit()) { | ||
var malloc = importFunction('msvcrt.dll', 'malloc', Uint8Ptr); | ||
// ... | ||
} | ||
``` | ||
|
||
You can also define an Exploit object (non-deprecated, but more verbose): | ||
|
||
```js | ||
var e = new Exploit(); | ||
var malloc = e.importFunction('msvcrt.dll', 'malloc', Uint8Ptr); | ||
// ... | ||
``` | ||
|
||
## Build Instructions | ||
|
||
You can rebuild the library using webpack: | ||
|
||
``` | ||
$ npm install | ||
$ npm run build | ||
``` | ||
|
||
You can rebuild the documentation using jsdoc: | ||
|
||
``` | ||
$ npm run jsdoc | ||
``` | ||
|
||
Also, you can run a small HTTP server to host the documentation and examples: | ||
|
||
``` | ||
$ npm start | ||
``` |