Browser Exploitation

  • Old Webkit Download
https://trac.webkit.org/browser/webkit/tags
* [Safari-605.1.15.2](https://trac.webkit.org/browser/webkit/tags/Safari-605.1.15.2)
* SVN: 225504
$ svn checkout -r225504 https://svn.webkit.org/repository/webkit/trunk Webkit.225504
.
.
A    Webkit.225504/Makefile.shared
A    Webkit.225504/ReadMe.md
 U   Webkit.225504
Checked out revision 225504.
$
$ cd Webkit.225504
$ cd Tools/Scripts
$ ./build-webkit --jsc-only --debug
*************************************************************
Xcode 7.0 or later is required to build WebKit.
  • brew install cmake
  • But it still failed
❯ git clone git://git.webkit.org/WebKit.git Webkit.git
❯ cd Webkit.git

~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git master
❯ git checkout 3af5ce129e6636350a887d01237a65c2fce77823
Checking out files: 100% (77520/77520), done.
Note: checking out '3af5ce129e6636350a887d01237a65c2fce77823'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 3af5ce129e6 Overlay with -webkit-overflow-scrolling:touch doesn't become scrollable after added text makes it taller https://bugs.webkit.org/show_bug.cgi?id=158342 rdar://problem/26652811

~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git 3af5ce1... 32s
❯
  • We can check which issues were fixed after this revision (the first commit on the path from the checked-out revision to master)
❯ git log --reverse --ancestry-path 3af5ce129e6636350a887d01237a65c2fce77823..master
commit 7cf9d2911af9f255e0301ea16604c9fa4af340e2
Author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 16 05:12:25 2018 +0000

    RegExp operations should not take fast patch if lastIndex is not numeric.
    https://bugs.webkit.org/show_bug.cgi?id=191731
    <rdar://problem/46017305>

    Reviewed by Saam Barati.

    JSTests:

    * stress/regress-191731.js: Added.

    Source/JavaScriptCore:

    This is because if lastIndex is an object with a valueOf() method, it can execute
    arbitrary code which may have side effects, and side effects are not permitted by
    the RegExp fast paths.

    * builtins/RegExpPrototype.js:
    (globalPrivate.hasObservableSideEffectsForRegExpMatch):
    (overriddenName.string_appeared_here.search):
    (globalPrivate.hasObservableSideEffectsForRegExpSplit):
    (intrinsic.RegExpTestIntrinsic.test):
    * builtins/StringPrototype.js:
    (globalPrivate.hasObservableSideEffectsForStringReplace):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@238267 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • We can confirm that the problem was with valueOf() being called on lastIndex.
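The commit above says the fast paths are unsafe because a `lastIndex` object's `valueOf()` can run arbitrary code. The following is an added example (not from the original post and not WebKit code) that makes that observable from plain JavaScript: per the spec, `RegExpBuiltinExec` does `ToLength(Get(R, "lastIndex"))`, so a non-numeric `lastIndex` gets its `valueOf()` invoked inside `test`, `exec` and `String.prototype.replace`, and the value it returns decides where a global regexp starts matching. The helper names (`makeTrackedLastIndex`, `runWithObjectLastIndex`, `demo*`) are mine.

```javascript
// Added example: observe the side effects that force RegExp operations off the
// fast path when lastIndex is not a number. Nothing here is WebKit code; it
// runs on any spec-compliant engine (tested against V8/Node).

// A lastIndex "object" whose valueOf() records each call and returns `start`.
// (Hypothetical helper, not part of the original post.)
function makeTrackedLastIndex(start, log) {
  return {
    valueOf() {
      log.push("valueOf called");
      return start;
    },
  };
}

// Replace re.lastIndex with the tracked object, run `op`, and report how many
// times valueOf() ran together with what the operation returned.
function runWithObjectLastIndex(re, start, op) {
  const log = [];
  re.lastIndex = makeTrackedLastIndex(start, log);
  const result = op(re);
  return { calls: log.length, result };
}

// 1. Non-global test(): lastIndex is still read and coerced even though the
//    search for a non-global, non-sticky regexp always starts at 0.
function demoTest() {
  return runWithObjectLastIndex(/a/, 0, (re) => re.test("xa"));
}

// 2. Global exec(): whatever valueOf() returns becomes the start position,
//    so the match is found at index 2 instead of 0.
function demoGlobalExec() {
  return runWithObjectLastIndex(/a/g, 2, (re) => re.exec("aaa").index);
}

// 3. String.prototype.replace with a non-global regexp goes through RegExpExec,
//    so user code runs in the middle of replace as well (the
//    StringPrototype.js case listed in the commit).
function demoReplace() {
  return runWithObjectLastIndex(/a/, 0, (re) => "banana".replace(re, "_"));
}

// 4. valueOf() may mutate arbitrary state mid-operation. Here it changes the
//    replacement the callback will return, after replace() has already started.
//    A fast path that captured state before the exec would be working on
//    stale assumptions at this point.
function demoSideEffectMutation() {
  let replacement = "first";
  const re = /a/;
  re.lastIndex = {
    valueOf() {
      replacement = "second"; // side effect observed during the replace
      return 0;
    },
  };
  return "banana".replace(re, () => replacement);
}

console.log(demoTest());              // { calls: 1, result: true }
console.log(demoGlobalExec());        // { calls: 1, result: 2 }
console.log(demoReplace());           // { calls: 1, result: 'b_nana' }
console.log(demoSideEffectMutation()); // 'bsecondnana'
```

The count of 1 per operation is what the `hasObservableSideEffects*` checks in `RegExpPrototype.js` and `StringPrototype.js` have to account for: as soon as `lastIndex` is not a plain number, the engine must assume user code ran and take the generic path.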
$ xcode-select --install
xcode-select: note: install requested for command line developer tools
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer
$ xcodebuild -version
Xcode 10.3
Build version 10G8
$ Tools/Scripts/build-webkit --jsc-only --debug
~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git 3af5ce1...
$ cd WebKitBuild/Debug/bin/
$ ./jsc
>>> 1+1
2
>>> print("Hello")
Hello
undefined
>>> a = {}
[object Object]
>>> a.list=[1,2,3,4]
1,2,3,4