Skip to content

blacktop/docker-webkit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits

.github

.github

 
 

.vscode

.vscode

 
 

CVE-2018-4262

CVE-2018-4262

 
 

docs

docs

 
 

iOS

iOS

 
 

ret2

ret2

 
 

scripts

scripts

 
 

snapshot

snapshot

 
 

.gitignore

.gitignore

 
 

LATEST

LATEST

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

Repository files navigation

Logo

docker-webkit

Dockerized WebKit Dev/Research Environment

Dependencies

Image Tags

$ docker images

REPOSITORY           TAG               SIZE
blacktop/webkit      latest            946MB
blacktop/webkit      jsc               946MB
blacktop/webkit      minibrowser       946MB
blacktop/webkit      snapshot          946MB
blacktop/webkit      CVE-2018-4262     946MB

Getting Started

$ docker run --init -it --rm blacktop/webkit:snapshot

>>> print("HALP!");
HALP!

Run a javascript file

$ cat test.js
print(1+1);
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:snapshot /data/test.js
2

Debugging

$ docker run --init -it --rm blacktop/webkit:snapshot gdb

pwndbg> r
Starting program: /webkit/WebKitBuild/Debug/bin/jsc
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff0edf52700 (LWP 18)]
>>> describe([1,2,3,4])
Object: "0x7ff0acec01b0" with butterfly "0x7fe806be4010"
(Structure 0x7ff0acefe370:
      [Array, {}, CopyOnWriteArrayWithInt32, Proto:0x7ff0acec0010, Leaf]), StructureID: 64910
>>> ^C

NOTE: You might need to add --cap-add=SYS_PTRACE or --security-opt seccomp:unconfined to debug the kernel

Telescope the Object

pwndbg> tele 0x7ff0acec01b0
00:0000│   0x7ff0acec01b0 ◂— 0x10822150000fd8e
01:0008│   0x7ff0acec01b8 —▸ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- 🦋
02:0010│   0x7ff0acec01c0 ◂— 0xbadbeef0
... ↓

Telescope the butterfly (minus 8 to see the length)

pwndbg> tele 0x7fe806be4010-8
00:0000│   0x7fe806be4008 ◂— 0x400000004         <--------- LENGTH
01:0008│   0x7fe806be4010 ◂— 0xffff000000000001  <--------- array values
02:0010│   0x7fe806be4018 ◂— 0xffff000000000002
03:0018│   0x7fe806be4020 ◂— 0xffff000000000003
04:0020│   0x7fe806be4028 ◂— 0xffff000000000004
05:0028│   0x7fe806be4030 ◂— 0xbadbeef0

CVE-2018-4262

$ wget https://raw.githubusercontent.com/blacktop/docker-webkit/master/CVE-2018-4262/test.js
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:CVE-2018-4262 /data/test.js

Object: "0x7f5843db4340" 👈 with butterfly 0x7f48000e4008
      (Structure 0x7f5843df2ae0:[Array, {}, ArrayWithContiguous, Proto:0x7f5843dc80a0]),
            StructureID: 99
Leaked Address: 6.91776252510795e-310

Convert double to address

$ python -c 'import struct
print(hex(struct.unpack("Q", struct.pack("d", 6.91776252510795e-310))[0]))'

0x7f5843db4340 👍😎👍

About

Dockerized WebKit Dev/Research Environment

Topics

javascript docker gdb webkit pwndbg vulnerability-research webkitgtk jsc minibrowser

Resources

Readme

License

View license
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Languages