This repository is for the CSED499I-01 class at POSTECH. The goal of this project is to write exploit code for V8 that works even when V8 runs with the `--wasm-write-protect-code-memory` flag, under the assumption of an OOB read and write primitive. The working V8 environment is version 8.4.0, commit 780665ad.

The purpose of this repository is to demonstrate how a WebAssembly module can be utilized in exploiting V8, even with the `--wasm-write-protect-code-memory` flag. The exploit code in this repository demonstrates that a WebAssembly module can be utilized as a provider of ROP gadgets, thereby allowing useful gadgets to be contained in WebAssembly compiled code.

This repository contains five files:

- `oob.patch` is a patch file that allows OOB access for JSArrays. The patch is based on the *CTF 2019 oob-v8 problem, but it is patched in a different way. (How the oob function works, pointer compression)
- `wasm-pwn-rwx.js` exploits the patched V8 utilizing the RWX page generated by a WebAssembly module.
- `wasm-pwn-rx.js` exploits the patched V8 using a technique similar to JIT spraying.
- `wasm2buffer.py` converts a `.wasm` file into a code buffer.
- `addThree.wat` shows the WebAssembly text format code that is used in `wasm-pwn-rx.js`.

`wasm-pwn-rwx.js` runs only without the `--wasm-write-protect-code-memory` flag. However, `wasm-pwn-rx.js` can run with the `--wasm-write-protect-code-memory` flag.