Skip to content

Latest commit

 

History

History
115 lines (89 loc) · 3.49 KB

README.md

File metadata and controls

115 lines (89 loc) · 3.49 KB

Logo

docker-webkit

Dockerized WebKit Dev/Research Environment


Dependencies

Image Tags

$ docker images

REPOSITORY           TAG               SIZE
blacktop/webkit      latest            946MB
blacktop/webkit      jsc               946MB
blacktop/webkit      minibrowser       946MB
blacktop/webkit      snapshot          946MB
blacktop/webkit      CVE-2018-4262     946MB

Getting Started

$ docker run --init -it --rm blacktop/webkit:snapshot

>>> print("HALP!");
HALP!

Run a javascript file

$ cat test.js
print(1+1);
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:snapshot /data/test.js
2

Debugging

$ docker run --init -it --rm blacktop/webkit:snapshot gdb

pwndbg> r
Starting program: /webkit/WebKitBuild/Debug/bin/jsc
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff0edf52700 (LWP 18)]
>>> describe([1,2,3,4])
Object: "0x7ff0acec01b0" with butterfly "0x7fe806be4010"
(Structure 0x7ff0acefe370:
      [Array, {}, CopyOnWriteArrayWithInt32, Proto:0x7ff0acec0010, Leaf]), StructureID: 64910
>>> ^C

NOTE: You might need to add --cap-add=SYS_PTRACE or --security-opt seccomp:unconfined to debug the kernel

Telescope the Object

pwndbg> tele 0x7ff0acec01b0
00:0000│   0x7ff0acec01b0 ◂— 0x10822150000fd8e
01:0008│   0x7ff0acec01b8 —▸ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- 🦋
02:0010│   0x7ff0acec01c0 ◂— 0xbadbeef0
... ↓

Telescope the butterfly (minus 8 to see the length)

pwndbg> tele 0x7fe806be4010-8
00:0000│   0x7fe806be4008 ◂— 0x400000004         <--------- LENGTH
01:0008│   0x7fe806be4010 ◂— 0xffff000000000001  <--------- array values
02:0010│   0x7fe806be4018 ◂— 0xffff000000000002
03:0018│   0x7fe806be4020 ◂— 0xffff000000000003
04:0020│   0x7fe806be4028 ◂— 0xffff000000000004
05:0028│   0x7fe806be4030 ◂— 0xbadbeef0

CVE-2018-4262

$ wget https://raw.githubusercontent.com/blacktop/docker-webkit/master/CVE-2018-4262/test.js
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:CVE-2018-4262 /data/test.js

Object: "0x7f5843db4340" 👈 with butterfly 0x7f48000e4008
      (Structure 0x7f5843df2ae0:[Array, {}, ArrayWithContiguous, Proto:0x7f5843dc80a0]),
            StructureID: 99
Leaked Address: 6.91776252510795e-310

Convert double to address

$ python -c 'import struct
print(hex(struct.unpack("Q", struct.pack("d", 6.91776252510795e-310))[0]))'

0x7f5843db4340 👍😎👍