1. Background

As is well known, the sandbox is one of Chrome's most important security mechanisms. Having a sandbox means that vulnerabilities in the rendering layer (V8, audio/video decoding, and so on) cannot reach the host directly, so pwning Chrome requires at least two vulnerabilities: an RCE in the sandboxed process and a sandbox escape.


Mojo is Chrome's new IPC mechanism. As the Mojo documentation puts it, "Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries." At present, whether in CTFs or in the real world, using Mojo to escape the Chrome sandbox is very common.
2. 0CTF/TCTF2020 Quals ChromiumSBX

3. References

https://theori.io/research/escaping-chrome-sandbox/
https://mem2019.github.io/jekyll/update/2020/07/03/TCTF-Chromium-SBX.html
https://gist.github.com/ujin5/5b9a2ce2ffaf8f4222fe7381f792cb38
https://docs.google.com/drawings/d/1TuECFL9K7J5q5UePJLC-YH3satvb1RrjLRH-tW_VKeE/edit