1 Background
As is well known, the sandbox is one of Chrome's key security mechanisms. Because of it, a vulnerability in the renderer layer (v8, audio/video decoding, and so on) cannot reach the host directly, so pwning Chrome requires at least two vulnerabilities: an RCE in the sandboxed renderer process and a sandbox escape.
Mojo is Chrome's newer IPC mechanism. As the Mojo documentation describes it: "Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages to facilitate convenient message passing across arbitrary inter- and intra-process boundaries." At present, using Mojo for a Chrome sandbox escape is very common in both CTF challenges and real-world exploitation.
2 0CTF/TCTF2020 Quals ChromiumSBX
3 References
https://theori.io/research/escaping-chrome-sandbox/
https://mem2019.github.io/jekyll/update/2020/07/03/TCTF-Chromium-SBX.html
https://gist.github.com/ujin5/5b9a2ce2ffaf8f4222fe7381f792cb38
https://docs.google.com/drawings/d/1TuECFL9K7J5q5UePJLC-YH3satvb1RrjLRH-tW_VKeE/edit