How to Exploit the Heap Overflow Bug *CTF 2019 oob-v8

by pwnbykenny, January 7th, 2021

Too Long; Didn't Read

This post shows you how to exploit a v8 heap overflow bug, *CTF 2019 oob-v8. It makes two points: many heap overflow bugs can be exploited in the same way, and a narrow primitive (reading or overwriting one specific 8-byte slot) can be escalated to arbitrary reads and writes.


1. Contents

  • Many Heap Overflow Bugs can be Exploited in a Similar Way
  • PoC of the V8 Heap Overflow Vulnerability – *CTF 2019 oob-v8
  • Exploitation Idea
  • Actual Exploitation Steps of the V8 Heap Overflow Bug
  • V8 Environment Setup
  • Auxiliary Type Conversion Functions
  • Prepare Objects in Memory
  • Leak Addresses and Fake Objects
  • Arbitrary Reads and Writes
  • RWX Page and Shellcode Injection
  • Summary

2. Many Heap Overflow Bugs can be Exploited in a Similar Way

I have introduced a v8 heap overflow bug before: V8 Array Overflow Exploitation: 2019 KCTF Problem 5 小虎还乡. This post covers another one: *CTF 2019 oob-v8. The points I want to show you are:

1) This bug only lets you read or overwrite one specific 8-byte slot, yet it can be turned into arbitrary reads and writes.

2) This is a different heap overflow bug, but it can be exploited in almost the same way as 2019 KCTF Problem 5. In fact, many heap overflow bugs can be exploited along the same lines. To make the parallel visible, this post uses the same headings as the 2019 KCTF Problem 5 post, so feel free to compare the two.

Second, read this section and build the vulnerable v8: there, at Command 5, the [commit-hash-number] is 6dc88c191f5ecc5389dc26efa3ca0907faef3598. Before Command 8, run `git apply < oob.diff`; oob.diff must be placed in the “v8” folder first, since the patch is applied from inside it.
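The helpers the outline calls “Auxiliary Type Conversion Functions” are the first thing an exploit for a primitive like this needs: the bug hands you 8 bytes as a JavaScript double, and addresses only make sense as 64-bit integers. The block below is an added example and is not the post's own code. It assumes Node.js (or d8) with BigInt typed arrays, an x64 little-endian host, and, for the `tag`/`untag` pair, the full 64-bit tagged heap pointers that v8 used at this 2019 commit (low bit set to 1 for heap objects); those assumptions are marked in the comments.

```javascript
"use strict";
// Added example (not from the original post): double <-> 64-bit integer
// conversion helpers for v8 exploitation. Assumes an x64 little-endian
// host running a v8 of the 2019 era (full 64-bit tagged pointers, no
// pointer compression) and a JS engine with BigUint64Array.

// One 8-byte buffer viewed as a double and as a 64-bit unsigned integer.
// Writing through one view and reading through the other reinterprets
// the bits exactly; no numeric conversion happens.
const conv = new ArrayBuffer(8);
const f64 = new Float64Array(conv);
const u64 = new BigUint64Array(conv);

// Double -> raw 64-bit pattern (BigInt). Used on values leaked through a
// double array to recover the address or map word stored there.
function ftoi(f) {
  f64[0] = f;
  return u64[0];
}

// Raw 64-bit pattern -> double carrying those exact bits. Used to write
// an address into a slot that the engine interprets as a double.
function itof(i) {
  u64[0] = BigInt.asUintN(64, i);
  return f64[0];
}

// Upper and lower 32-bit halves, for fields that are only 4 bytes wide
// (e.g. an elements length packed next to a 32-bit field).
function hi32(i) { return Number((BigInt.asUintN(64, i) >> 32n) & 0xffffffffn); }
function lo32(i) { return Number(BigInt.asUintN(64, i) & 0xffffffffn); }

// Zero-padded hex rendering for leaked words.
function hex(i) {
  return "0x" + BigInt.asUintN(64, i).toString(16).padStart(16, "0");
}

// v8 of this era tags HeapObject pointers by setting the low bit to 1,
// so a pointer read from memory is (address + 1). Clear/set the tag bit
// when turning a leaked word into an address and back.
function untag(p) { return BigInt.asUintN(64, p) & ~1n; }
function tag(addr) { return BigInt.asUintN(64, addr) | 1n; }

// Sanity check used before trusting the helpers in an exploit: every
// 64-bit pattern must survive a round trip through a double.
function roundTrip(i) {
  return ftoi(itof(i)) === BigInt.asUintN(64, i);
}

// Constructed demonstration values (not real leaks): what a leaked slot
// looks like as a double versus as a word, and how a word goes back.
function demo() {
  const leakedAsDouble = itof(0x000012345678abcdn); // pretend leak
  const word = ftoi(leakedAsDouble);
  return {
    hexWord: hex(word),              // "0x000012345678abcd"
    address: hex(untag(word)),       // tag bit cleared
    rewritten: itof(tag(untag(word))) === leakedAsDouble,
  };
}

module.exports = { ftoi, itof, hi32, lo32, hex, tag, untag, roundTrip, demo };
```

In an exploit these run once at the top of the script; everything later in the outline (leaking an address, building a fake object, turning the 8-byte slot into arbitrary read/write) is expressed as `ftoi` on values read out and `itof` on values written in. The shared-buffer trick is preferred over arithmetic conversions because it never rounds or canonicalizes the value.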
