Most of what is written from here is courtesy of Faith and their fantastic writeup for this challenge. Please go check them out!
Ok so first off, we're gonna need an old VM. Why? It's an old challenge with an old version of v8. Back then, the v8 compilation steps required the python command to point at python2 instead of python3 like on my ParrotOS VM, and there are various other odd steps. Long story short, there is a very real possibility of needing to jerry-rig a bunch of stuff, and I don't want to break a VM I actually use. Whoops.
So, we're gonna use an Ubuntu 18.04 VM. You can get the ISO file directly from here (amd64 version), and then set up a VM in VMware Workstation or your preferred virtualisation program.
Now we want to set up the system we’re actually attacking. Instead of building v8 itself, we’re going to build d8, the REPL (read–eval–print loop) for v8. It’s essentially the command-line of v8, meaning we can compile less.
First off, install useful stuff.
$ sudo apt update
$ sudo apt install git vim
Now let's grab depot_tools, which is needed for building v8, then add it to our PATH (the $ is escaped so the PATH is expanded when .bashrc is sourced, not when the line is written):
$ git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
$ echo "export PATH=/tools/depot_tools:\$PATH" >> ~/.bashrc
Restart the terminal for PATH to update. Then in a folder of choice (I am in ~/Desktop/oob-v8), we fetch v8 and install all the dependencies needed to build it:
$ fetch v8
$ cd v8
v8$ ./build/install-build-deps.sh
The next step is to checkout the commit that the challenge is based on, then sync the local files to that:
v8$ git checkout 6dc88c191f5ecc5389dc26efa3ca0907faef3598
v8$ gclient sync
Now we want to apply the diff file we get given. The challenge archive can be found here, and we'll extract it. The oob.diff file defines the changes made to the source code since the commit we checked out, which includes the vulnerability.
$ 7z x Chrome.tar.gz
$ tar -xvf Chrome.tar
$ cp Chrome/oob.diff .
Now let’s apply it then prepare and build the release version:
v8$ git apply ../oob.diff
v8$ ./tools/dev/v8gen.py x64.release
v8$ ninja -C ./out.gn/x64.release
But there is a small problem when it gets run:
Traceback (most recent call last):
  File "/tools/depot_tools/ninja.py", line 14, in <module>
    import gclient_paths
  File "/tools/depot_tools/gclient_paths.py", line 24, in <module>
    def FindGclientRoot(from_dir, filename='.gclient'):
  File "/usr/lib/python3.6/functools.py", line 477, in lru_cache
    raise TypeError('Expected maxsize to be an integer or None')
TypeError: Expected maxsize to be an integer or None
According to this GitHub issue in NVIDIA, this is because in Python 3.8+ lru_cache has gained a user_function argument. We can try and update to Python 3.8, but the fear is that it will break something. Oh well! Let's try anyway.
$ sudo apt install python3.8
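To make the traceback above concrete, here is an added example (mine, not code from the original writeup or from depot_tools) that shows why the build step breaks on Python 3.6 and works on 3.8+. Before 3.8, functools.lru_cache only took (maxsize, typed), so a bare @lru_cache decorator passed the function itself as maxsize and tripped the "Expected maxsize to be an integer or None" check seen in the traceback; 3.8 added the user_function parameter so the bare form is accepted. The legacy_lru_cache below is a hypothetical re-implementation of the 3.6 argument check, and compat_lru_cache is the portable fix a script can use if it must run on both interpreters.

```python
"""Reproduce the pre-3.8 lru_cache failure and show a version-independent decorator.

Added example; legacy_lru_cache and compat_lru_cache are hypothetical helpers
written for illustration, not part of depot_tools or the original writeup.
"""
import functools
import sys


def legacy_lru_cache(maxsize=128, typed=False):
    """Mimic Python 3.6: lru_cache takes only (maxsize, typed), so a bare
    @legacy_lru_cache passes the decorated function in as maxsize and fails."""
    if maxsize is not None and not isinstance(maxsize, int):
        raise TypeError("Expected maxsize to be an integer or None")
    return functools.lru_cache(maxsize=maxsize, typed=typed)


def compat_lru_cache(maxsize=128, typed=False):
    """Accept both @compat_lru_cache and @compat_lru_cache(maxsize=...) on any
    Python 3, by detecting the bare-decorator form the way 3.8's user_function
    parameter does and delegating to the real functools.lru_cache."""
    if callable(maxsize):
        # Bare-decorator form: the "maxsize" slot actually holds the function.
        return functools.lru_cache(maxsize=128, typed=False)(maxsize)
    if maxsize is not None and not isinstance(maxsize, int):
        raise TypeError("Expected maxsize to be an integer or None")
    return functools.lru_cache(maxsize=maxsize, typed=typed)


def bare_decorator_supported():
    """True when the running interpreter's functools.lru_cache accepts a bare
    function (Python 3.8 and later)."""
    return sys.version_info >= (3, 8)


def reproduce_build_error():
    """Decorate a function the way depot_tools' gclient_paths.py does, but with
    the 3.6-style helper; return the TypeError message, or None if it worked."""
    try:
        @legacy_lru_cache
        def find_gclient_root(from_dir, filename=".gclient"):  # constructed stand-in
            return from_dir
    except TypeError as exc:
        return str(exc)
    return None


@compat_lru_cache
def slow_square(n):
    """Toy cached function using the bare-decorator form."""
    return n * n


@compat_lru_cache(maxsize=None)
def slow_cube(n):
    """Toy cached function using the parenthesised form."""
    return n ** 3


def cache_demo():
    """Call each cached function twice; return (results, cache hits, cache misses)
    so the caching behaviour of both decorator forms is observable."""
    slow_square.cache_clear()
    slow_cube.cache_clear()
    results = [slow_square(4), slow_square(4), slow_cube(2), slow_cube(2)]
    hits = slow_square.cache_info().hits + slow_cube.cache_info().hits
    misses = slow_square.cache_info().misses + slow_cube.cache_info().misses
    return results, hits, misses


if __name__ == "__main__":
    print("bare @lru_cache supported natively:", bare_decorator_supported())
    print("3.6-style error:", reproduce_build_error())
    print("compat cache demo (results, hits, misses):", cache_demo())
```

The practical takeaway is the same one the writeup reaches: the interpreter that depot_tools runs under has to be 3.8 or newer, or the scripts have to avoid the bare decorator form.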
Now that we have Python 3.8 installed in /usr/bin/python3.8, we can try and overwrite the symlink /usr/bin/python3 to point there instead of the default 3.6.9 version that came with the ISO.
$ sudo ln -sf /usr/bin/python3.8 /usr/bin/python3
Now we hope and pray that rerunning the ninja command breaks nothing:
$ ninja --version
depot_tools/ninja.py: Could not find Ninja in the third_party of the current project, nor in your PATH.
Please take one of the following actions to install Ninja:
- If your project has DEPS, add a CIPD Ninja dependency to DEPS.
- Otherwise, add Ninja to your PATH *after* depot_tools.
Ok, no ninja. Let's follow this StackOverflow post and install it:
$ sudo apt install ninja-build
Then run it again:
v8$ ninja -C ./out.gn/x64.release
And it starts working! The output release version is found in v8/out.gn/x64.release/d8. Now let's build debug.
v8$ ./tools/dev/v8gen.py x64.debug
v8$ ninja -C ./out.gn/x64.debug
And it's done. Epic!
I’m going to revert default Python to version 3.6 to minimise the possibility of something breaking.
$ sudo ln -sf /usr/bin/python3.6 /usr/bin/python3
I'm also going to install gef, the GDB extension. gef is actively maintained, and also actually supports Ubuntu 18.04 (which pwndbg does not officially, although that's only because it requires Python 3.8+, which we have technically set up in a roundabout way, so use at your own risk!).
$ bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
Now we can move on to the challenge itself.
Originally published by ir0nstone: *CTF 2019 - oob-v8