adding RealWorld CTF

Author: Sajjad Arshad

RealWorldCTF/.DS_Store

@@ -0,0 +1,22 @@
+## The source code ##
+https://github.com/zh-explorer/shadow
+https://github.com/zh-explorer/Coroutine
+
+
+## The flag ##
+/home/pwn/flag
+
+
+## build env && remote system env ##
+
+$ g++ --version
+g++ (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0
+
+$ cmake --version
+cmake version 3.10.2
+
+$ /lib/x86_64-linux-gnu/libc.so.6
+GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
+
+$ cat /etc/issue
+Ubuntu 18.04.3 LTS

RealWorldCTF/2019/.DS_Store

@@ -0,0 +1,232 @@
+diff --git a/bin/ChakraCore/CMakeLists.txt b/bin/ChakraCore/CMakeLists.txt
+index f4ec551..57d53d9 100644
+--- a/bin/ChakraCore/CMakeLists.txt
++++ b/bin/ChakraCore/CMakeLists.txt
+@@ -50,6 +50,7 @@ set(lib_target "${lib_target}"
+   ${LINKER_END_GROUP}
+   pthread
+   dl
++  "-z noexecstack"
+   )
+ 
+ if(CC_TARGET_OS_ANDROID OR CC_TARGET_OS_LINUX)
+diff --git a/bin/ch/CMakeLists.txt b/bin/ch/CMakeLists.txt
+index 7e495f2..ef03dfb 100644
+--- a/bin/ch/CMakeLists.txt
++++ b/bin/ch/CMakeLists.txt
+@@ -84,6 +84,9 @@ else() # // shared library below
+ 
+   if(CC_TARGET_OS_ANDROID OR CC_TARGET_OS_LINUX)
+       set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie") # osx clang sets this by default
++      set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -z relro")
++      set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -z now")
++      set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -z noexecstack")
+   endif()
+ 
+   set(lib_target
+diff --git a/bin/ch/WScriptJsrt.cpp b/bin/ch/WScriptJsrt.cpp
+index 5b6e2d8..6bfb08d 100644
+--- a/bin/ch/WScriptJsrt.cpp
++++ b/bin/ch/WScriptJsrt.cpp
+@@ -1081,145 +1081,8 @@ bool WScriptJsrt::Initialize()
+ {
+     HRESULT hr = S_OK;
+     char CH_BINARY_LOCATION[2048];
+-#ifdef CHAKRA_STATIC_LIBRARY
+-    const char* LINK_TYPE = "static";
+-#else
+-    const char* LINK_TYPE = "shared";
+-#endif
+-#ifdef HAS_ICU
+-    int icuVersion = PlatformAgnostic::ICUHelpers::GetICUMajorVersion();
+-#else
+-    int icuVersion = -1;
+-#endif
+-
+-    JsValueRef wscript;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateObject(&wscript), false);
+-
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Echo", EchoCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Quit", QuitCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "LoadScriptFile", LoadScriptFileCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "LoadScript", LoadScriptCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "LoadModule", LoadModuleCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "SetTimeout", SetTimeoutCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "ClearTimeout", ClearTimeoutCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Attach", AttachCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Detach", DetachCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "DumpFunctionPosition", DumpFunctionPositionCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "RequestAsyncBreak", RequestAsyncBreakCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "LoadBinaryFile", LoadBinaryFileCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "LoadTextFile", LoadTextFileCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Flag", FlagCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "RegisterModuleSource", RegisterModuleSourceCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "GetModuleNamespace", GetModuleNamespace));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "GetProxyProperties", GetProxyPropertiesCallback));
+-
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "SerializeObject", SerializeObject));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Deserialize", Deserialize));
+-
+-    // ToDo Remove
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Edit", EmptyCallback));
+-
+-    // Platform
+-    JsValueRef platformObject;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateObject(&platformObject), false);
+-    JsPropertyIdRef platformProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("Platform", &platformProperty), false);
+-
+-    // Set CPU arch
+-    JsPropertyIdRef archProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("ARCH", &archProperty), false);
+-    JsValueRef archValue;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(
+-        CPU_ARCH_TEXT, strlen(CPU_ARCH_TEXT), &archValue), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, archProperty,
+-        archValue, true), false);
+-
+-    // Set Build Type
+-    JsPropertyIdRef buildProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("BUILD_TYPE", &buildProperty), false);
+-    JsValueRef buildValue;
+-#ifdef _DEBUG
+-#define BUILD_TYPE_STRING_CH "Debug" // (O0)
+-#elif defined(ENABLE_DEBUG_CONFIG_OPTIONS)
+-#define BUILD_TYPE_STRING_CH "Test" // (O3 with debug config options)
+-#else
+-#define BUILD_TYPE_STRING_CH "Release" // (O3)
+-#endif
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(
+-        BUILD_TYPE_STRING_CH, strlen(BUILD_TYPE_STRING_CH), &buildValue), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, buildProperty,
+-        buildValue, true), false);
+-#undef BUILD_TYPE_STRING_CH
+-
+-    // Set Link Type [static / shared]
+-    JsPropertyIdRef linkProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("LINK_TYPE", &linkProperty), false);
+-    JsValueRef linkValue;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(
+-        LINK_TYPE, strlen(LINK_TYPE), &linkValue), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, linkProperty,
+-      linkValue, true), false);
+-
+-    // Set Binary Location
+-    JsValueRef binaryPathValue;
+-    PlatformAgnostic::SystemInfo::GetBinaryLocation(CH_BINARY_LOCATION, sizeof(CH_BINARY_LOCATION));
+-
+-    JsPropertyIdRef binaryPathProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("BINARY_PATH", &binaryPathProperty), false);
+-
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(
+-        CH_BINARY_LOCATION,
+-        strlen(CH_BINARY_LOCATION), &binaryPathValue), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(
+-        platformObject, binaryPathProperty, binaryPathValue, true), false);
+-
+-    // Set destination OS
+-    JsPropertyIdRef osProperty;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("OS", &osProperty), false);
+-    JsValueRef osValue;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(
+-        DEST_PLATFORM_TEXT, strlen(DEST_PLATFORM_TEXT), &osValue), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, osProperty,
+-        osValue, true), false);
+-
+-    // set Internationalization library
+-    JsPropertyIdRef intlLibraryProp;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("INTL_LIBRARY", &intlLibraryProp), false);
+-    JsValueRef intlLibraryStr;
+-    IfJsrtErrorFail(ChakraRTInterface::JsCreateString(INTL_LIBRARY_TEXT, strlen(INTL_LIBRARY_TEXT), &intlLibraryStr), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, intlLibraryProp, intlLibraryStr, true), false);
+-    JsPropertyIdRef icuVersionProp;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("ICU_VERSION", &icuVersionProp), false);
+-    JsValueRef icuVersionNum;
+-    IfJsrtErrorFail(ChakraRTInterface::JsIntToNumber(icuVersion, &icuVersionNum), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(platformObject, icuVersionProp, icuVersionNum, true), false);
+-
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(wscript, platformProperty,
+-        platformObject, true), false);
+-
+-    JsValueRef argsObject;
+-
+-    if (!CreateArgumentsObject(&argsObject))
+-    {
+-        return false;
+-    }
+-
+-    JsPropertyIdRef argsName;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("Arguments", &argsName), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(wscript, argsName, argsObject, true), false);
+-
+-    JsPropertyIdRef wscriptName;
+-    IfJsrtErrorFail(CreatePropertyIdFromString("WScript", &wscriptName), false);
+-
+     JsValueRef global;
+     IfJsrtErrorFail(ChakraRTInterface::JsGetGlobalObject(&global), false);
+-    IfJsrtErrorFail(ChakraRTInterface::JsSetProperty(global, wscriptName, wscript, true), false);
+-
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(global, "print", EchoCallback));
+-
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(global, "read", LoadTextFileCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(global, "readbuffer", LoadBinaryFileCallback));
+-    IfFalseGo(WScriptJsrt::InstallObjectsOnObject(global, "readline", ReadLineStdinCallback));
+ 
+     JsValueRef console;
+     IfJsrtErrorFail(ChakraRTInterface::JsCreateObject(&console), false);
+@@ -1231,31 +1094,7 @@ bool WScriptJsrt::Initialize()
+ 
+     IfJsrtErrorFail(InitializeModuleCallbacks(), false);
+ 
+-    // When the command-line argument `-Test262` is set,
+-    // WScript will have the extra support API below and $262 will be
+-    // added to global scope
+-    if (HostConfigFlags::flags.Test262)
+-    {
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Broadcast", BroadcastCallback));
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "ReceiveBroadcast", ReceiveBroadcastCallback));
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Report", ReportCallback));
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "GetReport", GetReportCallback));
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Leaving", LeavingCallback));
+-        IfFalseGo(WScriptJsrt::InstallObjectsOnObject(wscript, "Sleep", SleepCallback));
+-
+-        // $262
+-        const char Test262[] =
+-            #include "262.js"
+-        ;
+-
+-        JsValueRef Test262ScriptRef;
+-        IfJsrtErrorFailLogAndRetFalse(ChakraRTInterface::JsCreateString(Test262, strlen(Test262), &Test262ScriptRef));
+-
+-        JsValueRef fname;
+-        IfJsrtErrorFailLogAndRetFalse(ChakraRTInterface::JsCreateString("262", strlen("262"), &fname));
+-        IfJsrtErrorFailLogAndRetFalse(ChakraRTInterface::JsRun(Test262ScriptRef, WScriptJsrt::GetNextSourceContext(), fname, JsParseScriptAttributeNone, nullptr));
+-    }
+-
++    
+ Error:
+     return hr == S_OK;
+ }
+diff --git a/lib/Runtime/Language/InterpreterStackFrame.cpp b/lib/Runtime/Language/InterpreterStackFrame.cpp
+index 9839571..1d6addb 100644
+--- a/lib/Runtime/Language/InterpreterStackFrame.cpp
++++ b/lib/Runtime/Language/InterpreterStackFrame.cpp
+@@ -2018,12 +2018,12 @@ namespace Js
+                 varSizeInBytes = varAllocCount * sizeof(Var);
+                 allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
+                 stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
+-                if (stackVarAllocCount != 0)
+-                {
+-                    size_t stackVarSizeInBytes = stackVarAllocCount * sizeof(Var);
+-                    PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + stackVarSizeInBytes);
+-                    stackAllocation = (Var*)_alloca(stackVarSizeInBytes);
+-                }
++                //if (stackVarAllocCount != 0)
++                //{
++                //    size_t stackVarSizeInBytes = stackVarAllocCount * sizeof(Var);
++                //    PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + stackVarSizeInBytes);
++                //    stackAllocation = (Var*)_alloca(stackVarSizeInBytes);
++                //}
+             }
+             else
+             {

RealWorldCTF/2019/Across_the_Great_Wall/libCoroutine.so

@@ -0,0 +1,2 @@
+The chakracore is built upon commit: 630f662f62ea80a09816771b9b33a89755abfc8f
+build command: ./build.sh -no-icu -j

RealWorldCTF/2019/Across_the_Great_Wall/readme.txt

@@ -0,0 +1 @@
+APPL????