关联漏洞
标题:多款Apple产品WebKit组件缓冲区错误漏洞 (CVE-2018-4441)Description:Apple Safari等都是美国苹果(Apple)公司的产品。Apple Safari是一款Web浏览器,是Mac OS X和iOS操作系统附带的默认浏览器。Apple iOS是一套为移动设备所开发的操作系统。Apple tvOS是一套智能电视操作系统。WebKit是其中的一个Web浏览器引擎组件。 多款Apple产品中的WebKit组件存在缓冲区错误漏洞。该漏洞源于网络系统或产品在内存上执行操作时,未正确验证数据边界,导致向关联的其他内存位置上执行了错误的读写操作。攻击者可利用该漏洞导致缓冲区溢出或堆
Description
A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.
介绍
PS4 6.20 WebKit Code Execution PoC
==============
This repo contains a proof-of-concept (PoC) RCE exploit targeting the PlayStation 4 on firmware 6.20 leveraging CVE-2018-4441. The exploit first establishes an arbitrary read/write primitive as well as an arbitrary object address leak in `wkexploit.js`. It will then setup a framework to run ROP chains in `index.html` and by default will provide two hyperlinks to run test ROP chains - one for running the `sys_getpid()` syscall, and the other for running the `sys_getuid()` syscall to get the PID and user ID of the process respectively.
Each file contains a comment at the top giving a brief explanation of what the file contains and how the exploit works. Credit for the bug discovery is to lokihardt from Google Project Zero (p0). The bug report can be found [here](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2).
Note: It's been patched in the 6.50 firmware update.
Files
==============
Files in order by name alphabetically;
* `index.html` - Contains post-exploit code, going from arb. R/W -> code execution.
* `rop.js` - Contains a framework for ROP chains.
* `syscalls.js` - Contains an (incomplete) list of system calls to use for post-exploit stuff.
* `wkexploit.js` - Contains the heart of the WebKit exploit.
Notes
==============
* This vulnerability was patched in 6.50 firmware!
* This only gives you code execution in **userland**. This is **not** a jailbreak nor a kernel exploit, it is only the first half.
* This exploit targets firmware 6.20. It should work on lower firmwares however the gadgets will need to be ported, and the `p.launchchain()` method for code execution may need to be swapped out.
* In my tests the exploit as-is is pretty stable, but it can become less stable if you add a lot of objects and such into the exploit. This is part of the reason why `syscalls.js` contains only a small number of system calls.
Usage
==============
Setup a web-server hosting these files on localhost using xampp or any other program of your choosing. Additionally, you could host it on a server. You can access it on the PS4 by either;
1) Fake DNS spoofing to redirect the manual page to the exploit page, or
2) Using the web browser to navigate to the exploit page (not always possible).
Vulnerability Credit
==============
I wrote the exploit however I did not find the vulnerability, as mentioned above the bug (CVE-2018-4441) was found by lokihardt from Google Project Zero (p0) and was disclosed via the Chromium public bug tracker.
Resources
==============
[Chromium Bug Report](https://bugs.chromium.org/p/project-zero/issues/detail?id=1685&desc=2) - The vulnerability.
[Phrack: Attacking JavaScript Engines by saelo](http://www.phrack.org/papers/attacking_javascript_engines.html) - A life saver. Exploiting this would have been about 1500x more difficult without this divine paper.
Thanks
==============
lokihardt - The vulnerability
st4rk - Help with the exploit
qwertyoruiop - WebKit School
saelo - Phrack paper
文件快照
[4.0K] /data/pocs/83781dc2ece1aa657be5ebc8862729c2a6c8568f
├── [ 16K] index.html
├── [ 487] LICENSE
├── [3.0K] README.md
├── [1.5K] rop.js
├── [1.5K] syscalls.js
└── [ 13K] wkexploit.js
0 directories, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。