Chrome V8 Fantasy

ChromeV8漏洞

shellcode写入位置

本地环境

​x
brew install cmake
git clone https://github.com/juj/emsdk.git
cd emsdk
​
./emsdk install latest
./emsdk activate latest
source ./emsdk_env.sh
​

代码

xxxxxxxxxx
#include <stdio.h>
​
int main(int argc, char ** argv) {
  printf("Hello World\n");
}
​

编译命令

xxxxxxxxxx
emcc hello.c -Os -s WASM=1 -s SIDE_MODULE=1 -s EXPORTED_FUNCTIONS="['main']" -o hello.wasm

调试

通过在线编译环境(WasmExplorer)编写测试代码

xxxxxxxxxx
int hack(int x) {
   int ret = puts("the gay is lazy, nothing left.");
   return ret + x;
}

生成js代码:

xxxxxxxxxx
function webAssembly() {
   let wasmCode = null
   let wasmModel = null
   let wasmInstance = null
   let wasmImports = null
   let wasmBuffer = null
   let wasmFunc = null
   wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,138,128,128,128,0,2,96,0,1,127,96,1,127,1,127,2,140,128,128,128,0,1,3,101,110,118,4,112,117,116,115,0,1,3,130,128,128,128,0,1,1,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,104,97,99,107,0,1,10,143,128,128,128,0,1,137,128,128,128,0,0,65,16,16,0,32,0,106,11,11,165,128,128,128,0,1,0,65,16,11,31,116,104,101,32,103,97,121,32,105,115,32,108,97,122,121,44,32,110,111,116,104,105,110,103,32,108,101,102,116,46,0])
​
   wasmImports = {
      env: {
         puts: function puts (i32) {
               // eval(`hacking('xxooxxoo')`)
               return 0x41414141
         }
      }
   }
​
   wasmInstance = new WebAssembly.Instance(new WebAssembly.Module(wasmCode), wasmImports)
   wasmBuffer = new Uint8Array(wasmInstance.exports.memory.buffer)
   wasmFunc = wasmInstance.exports.hack
   ;%DebugPrint(wasmFunc);
   ;%SystemBreak();
   console.log('WebAssembly function return: 0x' + wasmFunc().toString(16))
}
​
webAssembly()
​

挂上d8调试:

xxxxxxxxxx
gdb --args ./v8/out.gn/ia32.debug/d8 --allow-natives-syntax ./test.js
​

断下来之后:

xxxxxxxxxx
​
DebugPrint: 0x2ce97431: [Function] in OldSpace
 - map: 0x33c86131 <Map(HOLEY_ELEMENTS)> [FastProperties]
 - prototype: 0x2ce853b1 <JSFunction (sfi = 0x43505701)>
 - elements: 0x4c2046d1 <FixedArray[0]> [HOLEY_ELEMENTS]
 - function prototype: <no-prototype-slot>
 - shared_info: 0x2ce9740d <SharedFunctionInfo 1>
 - name: 0x4c206495 <String[1]: 1>
 - formal_parameter_count: 1
 - kind: NormalFunction
 - context: 0x2ce84f5d <NativeContext[248]>
 - code: 0xf349c961 <Code JS_TO_WASM_FUNCTION>
 - WASM instance 0x2ce97321
 - WASM function index 1
 - properties: 0x4c2046d1 <FixedArray[0]> {
    #length: 0x435106dd <AccessorInfo> (const accessor descriptor)
    #name: 0x435106a5 <AccessorInfo> (const accessor descriptor)
    #arguments: 0x43510635 <AccessorInfo> (const accessor descriptor)
    #caller: 0x4351066d <AccessorInfo> (const accessor descriptor)
 }
​

优化后的代码 JS_TO_WASM_FUNCTION:

xxxxxxxxxx
pwndbg> job 0xf349c961
0xf349c961: [Code]
 - map: 0x4c2045b1 <Map>
kind = JS_TO_WASM_FUNCTION
compiler = turbofan
address = 0xf349c961
​
Instructions (size = 180)
0xf349c9a0     0  55             push ebp
0xf349c9a1     1  89e5           mov ebp,esp
0xf349c9a3     3  56             push esi
0xf349c9a4     4  57             push edi
0xf349c9a5     5  83ec08         sub esp,0x8
0xf349c9a8     8  8b470b         mov eax,[edi+0xb]
0xf349c9ab     b  8b4003         mov eax,[eax+0x3]
0xf349c9ae     e  8b4807         mov ecx,[eax+0x7]
0xf349c9b1    11  8945f0         mov [ebp-0x10],eax
0xf349c9b4    14  894df4         mov [ebp-0xc],ecx
0xf349c9b7    17  89c2           mov edx,eax
0xf349c9b9    19  8b4508         mov eax,[ebp+0x8]
0xf349c9bc    1c  e81f693940     call 0x338332e0  (ToNumber)    ;; code: Builtin::ToNumber
0xf349c9c1    21  a801           test al,0x1
0xf349c9c3    23  0f8539000000   jnz 0xf349ca02  <+0x62>
0xf349c9c9    29  d1f8           sar eax,1
0xf349c9cb    2b  f20f2ac8       cvtsi2sd xmm1,eax
0xf349c9cf    2f  8b75f4         mov esi,[ebp-0xc]
0xf349c9d2    32  8b4677         mov eax,[esi+0x77]
0xf349c9d5    35  8b4df0         mov ecx,[ebp-0x10]
0xf349c9d8    38  8b490b         mov ecx,[ecx+0xb]
0xf349c9db    3b  d1f9           sar ecx,1
0xf349c9dd    3d  f20f2cd1       cvttsd2si edx,xmm1
0xf349c9e1    41  83fa01         cmp edx,0x1
0xf349c9e4    44  0f8051000000   jo 0xf349ca3b  <+0x9b>
0xf349c9ea    4a  03c8           add ecx,eax
0xf349c9ec    4c  89d0           mov eax,edx
0xf349c9ee    4e  ffd1           call ecx
0xf349c9f0    50  89c1           mov ecx,eax
0xf349c9f2    52  03c8           add ecx,eax
0xf349c9f4    54  0f802b000000   jo 0xf349ca25  <+0x85>
0xf349c9fa    5a  89c8           mov eax,ecx
0xf349c9fc    5c  89ec           mov esp,ebp
0xf349c9fe    5e  5d             pop ebp
0xf349c9ff    5f  c20800         ret 0x8
0xf349ca02    62  8b4df4         mov ecx,[ebp-0xc]
0xf349ca05    65  39413f         cmp [ecx+0x3f],eax
0xf349ca08    68  0f8407000000   jz 0xf349ca15  <+0x75>
0xf349ca0e    6e  f20f104803     movsd xmm1,[eax+0x3]
0xf349ca13    73  ebba           jmp 0xf349c9cf  <+0x2f>
0xf349ca15    75  660f76c9       pcmpeqd xmm1,xmm1
0xf349ca19    79  660f73f134     psllq xmm1,52
0xf349ca1e    7e  660f73d101     psrlq xmm1,1
0xf349ca23    83  ebaa           jmp 0xf349c9cf  <+0x2f>
0xf349ca25    85  8945f4         mov [ebp-0xc],eax
0xf349ca28    88  e85376623c     call 0x2fac4080  (AllocateHeapNumber)    ;; code: Builtin::AllocateHeapNumber
0xf349ca2d    8d  f20f2a4df4     cvtsi2sd xmm1,[ebp-0xc]
0xf349ca32    92  f20f114803     movsd [eax+0x3],xmm1
0xf349ca37    97  89c1           mov ecx,eax
0xf349ca39    99  ebbf           jmp 0xf349c9fa  <+0x5a>
0xf349ca3b    9b  83ec08         sub esp,0x8
0xf349ca3e    9e  f20f110c24     movsd [esp],xmm1
0xf349ca43    a3  e8b809c963     call 0x5712d400  (DoubleToI)    ;; code: Builtin::DoubleToI
0xf349ca48    a8  8b1424         mov edx,[esp]
0xf349ca4b    ab  83c408         add esp,0x8
0xf349ca4e    ae  eb9a           jmp 0xf349c9ea  <+0x4a>
0xf349ca50    b0  90             nop
0xf349ca51    b1  0f1f00         nop
​

漏洞利用中写shellcode的地方位置:

xxxxxxxxxx
pwndbg> job 0x2ce9740d
0x2ce9740d: [SharedFunctionInfo] in OldSpace
 - map: 0x4c204589 <Map[36]>
 - name: 0x4c206495 <String[1]: 1>
 - kind: NormalFunction
 - function_map_index: 137
 - formal_parameter_count: 1
 - expected_nof_properties:
 - language_mode: sloppy
 - data: 0x2ce973f9 <WasmExportedFunctionData>
 - code (from data): 0xf349c961 <Code JS_TO_WASM_FUNCTION>
 - function token position: -1
 - start position: -1
 - end position: -1
 - no debug info
 - scope info: 0x4c2046c9 <ScopeInfo[0]>
 - length: 1
 - feedback_metadata: 0x4c2055b9: [FeedbackMetadata]
 - map: 0x4c204a25 <Map>
 - slot_count: 0
​
pwndbg> job 0x2ce973f9
0x2ce973f9: [WasmExportedFunctionData] in OldSpace
 - map: 0x4c207389 <Map[20]>
 - wrapper_code: 0xf349c961 <Code JS_TO_WASM_FUNCTION>
 - instance: 0x2ce97321 <Instance map = 0x33c88ae9>
 - function_index: 1
​
pwndbg> job 0x2ce97321
0x2ce97321: [WasmInstanceObject] in OldSpace
 - map: 0x33c88ae9 <Map(HOLEY_ELEMENTS)>
 - module_object: 0x4c112bd5 <Module map = 0x33c88819>
 - exports_object: 0x4c112d01 <Object map = 0x33c898a9>
 - native_context: 0x2ce84f5d <NativeContext[248]>
 - memory_object: 0x2ce973c1 <Memory map = 0x33c88fe9>
 - imported_function_instances: 0x4c112cb9 <FixedArray[1]>
 - imported_function_callables: 0x4c112cc5 <FixedArray[1]>
 - managed_native_allocations: 0x4c112cb1 <Foreign>
 - memory_start: 0xf3550000
 - memory_size: 65536
 - memory_mask: ffff
 - imported_function_targets: 0x56f6db10
 - globals_start: (nil)
 - imported_mutable_globals: 0x56f6db20
 - indirect_function_table_size: 0
 - indirect_function_table_sig_ids: (nil)
 - indirect_function_table_targets: (nil)
​
pwndbg> dd 0x56f6db10
56f6db10     563144e0 00000000 00000000 00000011
56f6db20     00000000 00000000 00000000 00000021
56f6db30     f7ec43ac 00000000 00000000 56f6daf0
56f6db40     31619bea 56f76360 00000001 00000021
​

查找链为:

xxxxxxxxxx
JSFunciton -> SharedFunctionInfo -> WasmExportedFunctionData -> instance -> imported_function_targets[x]

最终的imported_function_targets依次存放着导入函数的代码.

如 0x563144e0 处为 hack 函数的实现:

xxxxxxxxxx
pwndbg> db 0x563144e0 80
563144e0     55 89 e5 6a 0c 56 83 ec 18 8b 4e 13 8b 56 2f 8b
563144f0     52 07 8b 5e 3f 8b 7a 0f 89 55 f0 8b 51 17 89 4d
56314500     f4 89 c1 03 c8 0f 80 74 00 00 00 ff f2 ff f1 b8
56314510     01 00 00 00 89 f1 89 fe 8b 7d f0 89 da 3b 77 0f
56314520     0f 84 2a 00 00 00 89 e0 83 ec 08 83 e4 f0 89 44

下断点并执行

中断到wasm执行代码中:

xxxxxxxxxx
 ► 0x563144e0    push   ebp
   0x563144e1    mov    ebp, esp
   0x563144e3    push   0xc
   0x563144e5    push   esi
   0x563144e6    sub    esp, 0x18
   0x563144e9    mov    ecx, dword ptr [esi + 0x13]
   0x563144ec    mov    edx, dword ptr [esi + 0x2f]
   0x563144ef    mov    edx, dword ptr [edx + 7]
   0x563144f2    mov    ebx, dword ptr [esi + 0x3f]
   0x563144f5    mov    edi, dword ptr [edx + 0xf]
   ...
   0x56314550    mov    ecx, dword ptr [edi + 0x17]
   0x56314553    add    ecx, 0x3f
   0x56314556    call   ecx   // 执行 hack 函数
​

也可以直接通过 wasmInstance 直接找到 imported_function_targets

漏洞挖掘的问题

主流的挖掘流程:

• 目标选择是否合理
• 目标代码逻辑难以理解
• 优化机制使代码覆盖率提高难度极大
• 崩溃可利用率极低

漏洞利用的问题

类型混淆的职业受害者:

• 受害高度一致性
• 利用套路一致性
• 蝴蝶效应的思考
• 新的挖掘模型

蝴蝶效应引发的漏洞模型？

• 避开所有难点
• 持续积累
• 历史漏洞复现
• 理论可行性分析