Question about Chrome's mojom binding files


  • Question about Chrome's mojom binding files

    Question about whether Chrome's mojom binding files should be re-extracted if the operating system platform changes.
    The following list gives the files extracted from the official Chrome source. The same set is used for both the 32-bit and 64-bit versions of Windows and works for the exploit there. However, I suspect it does not work in Android Chrome: the crash occurs repeatedly in the mojom binding routine.
    I may have to extract the mojom binding files again after a git checkout of the Android Chrome source.
    I hope my guess is right. If someone already knows the answer, please help me; otherwise I expect to find it by myself.
    I would like this site to be a forum where knowledge is shared among those who, like me, do this research alone.

    Code:
    needed_bindings = [
      'components/services/filesystem/public/interfaces/types.mojom.js',
    
      'mojo/public/js/mojo_bindings.js',
    
      'mojo/public/mojom/base/big_buffer.mojom.js',
      'mojo/public/mojom/base/file.mojom.js',
      'mojo/public/mojom/base/file_error.mojom.js',
      'mojo/public/mojom/base/file_path.mojom.js',
      'mojo/public/mojom/base/file_info.mojom.js',
      'mojo/public/mojom/base/string16.mojom.js',
      'mojo/public/mojom/base/time.mojom.js',
      'mojo/public/mojom/base/unguessable_token.mojom.js',
    
      'services/network/public/mojom/data_pipe_getter.mojom.js',
      'services/network/public/mojom/http_request_headers.mojom.js',
      'services/network/public/mojom/mutable_network_traffic_annotation_tag.mojom.js',
      'services/network/public/mojom/network_param.mojom.js',
      'services/network/public/mojom/url_loader.mojom.js',
      'services/network/public/mojom/url_loader_factory.mojom.js',
    
      'third_party/blink/public/mojom/blob/blob.mojom.js',
      'third_party/blink/public/mojom/blob/blob_registry.mojom.js',
      'third_party/blink/public/mojom/blob/blob_url_store.mojom.js',
      'third_party/blink/public/mojom/blob/data_element.mojom.js',
      'third_party/blink/public/mojom/blob/serialized_blob.mojom.js',
    
      'third_party/blink/public/mojom/filesystem/file_system.mojom.js',
      'third_party/blink/public/mojom/filesystem/file_writer.mojom.js',
    
      'url/mojom/origin.mojom.js',
      'url/mojom/url.mojom.js',
    ]
    Do the following hexadecimal values change with every platform, or are they something like a fixed hash? For now I can only guess.

    Code:
      ---- file_system.mojom.js from 64/32 bit exploit ----
    
      // Interface descriptor for blink.mojom.ReceivedSnapshotListener as generated
      // for the build this exploit was extracted from. Unlike the locally built
      // Android copy in #2, this one also carries a mojomId and a fuzzMethods
      // table, which suggests the two builds used different generator options.
      var ReceivedSnapshotListener = {
        name: 'blink.mojom.ReceivedSnapshotListener',
        kVersion: 0,
        ptrClass: ReceivedSnapshotListenerPtr,
        proxyClass: ReceivedSnapshotListenerProxy,
        stubClass: ReceivedSnapshotListenerStub,
        validateRequest: validateReceivedSnapshotListenerRequest,
        validateResponse: null,
        mojomId: 'third_party/blink/public/mojom/filesystem/file_system.mojom',
        fuzzMethods: {
          didReceiveSnapshotFile: {
            params: ReceivedSnapshotListener_DidReceiveSnapshotFile_Params,
          },
        },
      };
      // The stub validates incoming requests; the proxy has no response
      // validator (validateResponse above is null).
      ReceivedSnapshotListenerStub.prototype.validator = validateReceivedSnapshotListenerRequest;
      ReceivedSnapshotListenerProxy.prototype.validator = null;
      // Message-name constants for the FileSystemManager interface in the build
      // this exploit was extracted from. They are large, non-sequential integers
      // rather than the 0..18 ordinals seen in the locally built Android bindings
      // in #2, so they are build-dependent and cannot be assumed to carry over
      // from one build to another. NOTE(review): presumably these are the
      // generator's scrambled message IDs (Chromium GN arg
      // enable_mojom_message_id_scrambling, a salted hash that changes per
      // version) -- confirm against the generator settings of the build in question.
      var kFileSystemManager_Open_Name = 0x305E02BE/*843017063*/; // NOTE(review): the decimal in the comment does not equal the hex literal (0x305E02BE == 811467454)
      var kFileSystemManager_ResolveURL_Name = 1715903949;
      var kFileSystemManager_Move_Name = 298732595;
      var kFileSystemManager_Copy_Name = 1979857049;
      var kFileSystemManager_Remove_Name = 212722906;
      var kFileSystemManager_ReadMetadata_Name = 612940749;
      var kFileSystemManager_Create_Name = 1842694723;
      var kFileSystemManager_Exists_Name = 1055330596;
      var kFileSystemManager_ReadDirectory_Name = 1769511045;
      var kFileSystemManager_ReadDirectorySync_Name = 767171495;
      var kFileSystemManager_Write_Name = 2059911059;
      var kFileSystemManager_WriteSync_Name = 1736157815;
      var kFileSystemManager_Truncate_Name = 348301191;
      var kFileSystemManager_TruncateSync_Name = 843157182;
      var kFileSystemManager_TouchFile_Name = 209740850;
      var kFileSystemManager_CreateSnapshotFile_Name = 843134;
      var kFileSystemManager_GetPlatformPath_Name = 2099104250;
      var kFileSystemManager_CreateWriter_Name = 0x63B8D2A6/*1074062040*/; // NOTE(review): the decimal in the comment does not equal the hex literal (0x63B8D2A6 == 1673056934)
      var kFileSystemManager_ChooseEntry_Name = 1927498088;
    
      // Constructor for a FileSystemManager interface pointer: wraps the given
      // handle or InterfacePtrInfo in an InterfacePtrController bound to the
      // FileSystemManager descriptor.
      function FileSystemManagerPtr(handleOrPtrInfo) {
        this.ptr = new bindings.InterfacePtrController(FileSystemManager,
                                                       handleOrPtrInfo);
      }
    
      // Associated-interface variant of the pointer above, backed by
      // associatedBindings.AssociatedInterfacePtrController.
      function FileSystemManagerAssociatedPtr(associatedInterfacePtrInfo) {
        this.ptr = new associatedBindings.AssociatedInterfacePtrController(
            FileSystemManager, associatedInterfacePtrInfo);
      }

      // Inherit FileSystemManagerPtr's prototype methods (e.g. open) and restore
      // the constructor reference that Object.create replaced.
      FileSystemManagerAssociatedPtr.prototype =
          Object.create(FileSystemManagerPtr.prototype);
      FileSystemManagerAssociatedPtr.prototype.constructor =
          FileSystemManagerAssociatedPtr;
    
      // Proxy: holds the receiver that outgoing messages are handed to.
      function FileSystemManagerProxy(receiver) {
        this.receiver_ = receiver;
      }
      // Ptr.open forwards to the proxy's open, applied to this.ptr.getProxy()
      // with the caller's arguments passed through unchanged.
      FileSystemManagerPtr.prototype.open = function() {
        return FileSystemManagerProxy.prototype.open
            .apply(this.ptr.getProxy(), arguments);
      };
    
      // Sends a FileSystemManager.Open request (originUrl, fileSystemType) through
      // the bound receiver and resolves with the decoded response params.
      // The message is tagged with kFileSystemManager_Open_Name; the receiving end
      // dispatches on that value, so bindings generated for a different build
      // (compare the constants above with the ordinals in #2) will not be matched
      // there -- presumably the source of the repeated crash in the binding
      // routine described in the opening post.
      FileSystemManagerProxy.prototype.open = function(originUrl, fileSystemType) {
        var params_ = new FileSystemManager_Open_Params();
        params_.originUrl = originUrl;
        params_.fileSystemType = fileSystemType;
        // Anything thrown inside the executor (e.g. during encoding) becomes a
        // rejection of the returned promise.
        return new Promise(function(resolve, reject) {
          // Header: message name, aligned payload size, expects-response flag.
          var builder = new codec.MessageV1Builder(
              kFileSystemManager_Open_Name,
              codec.align(FileSystemManager_Open_Params.encodedSize),
              codec.kMessageExpectsResponse, 0);
          builder.encodeStruct(FileSystemManager_Open_Params, params_);
          var message = builder.finish();
          this.receiver_.acceptAndExpectResponse(message).then(function(message) {
            var reader = new codec.MessageReader(message);
            var responseParams =
                reader.decodeStruct(FileSystemManager_Open_ResponseParams);
            resolve(responseParams);
          }).catch(function(result) {
            // Receiver failure is surfaced as a generic connection error.
            reject(Error("Connection error: " + result));
          });
        }.bind(this)); // bound so this.receiver_ is reachable inside the executor
      };

  • #2
    The contents above are the files extracted from the original exploit (from 64-bit Windows; of course, 32-bit is the same). The same content was also extracted from the compiled ARM build source. What is this? The following is the mojom file extracted from my own Android Chrome build. In the extracted mojom JS source, the value is an index number, but in the files extracted from the exploit it is not an index number. What on earth is this? Do I have to find all of these values?

    Code:
      ---- out/DEBUG_GN_ARM_PACKED/gen/third_party/blink/public/mojom/filesystem/file_system.mojom.js ----
    
      // Interface descriptor for blink.mojom.ReceivedSnapshotListener from the
      // locally built Android bindings. Compared with the exploit's copy in the
      // opening post, it has no mojomId and no fuzzMethods table, which suggests
      // the two builds used different generator options.
      var ReceivedSnapshotListener = {
        name: 'blink.mojom.ReceivedSnapshotListener',
        kVersion: 0,
        ptrClass: ReceivedSnapshotListenerPtr,
        proxyClass: ReceivedSnapshotListenerProxy,
        stubClass: ReceivedSnapshotListenerStub,
        validateRequest: validateReceivedSnapshotListenerRequest,
        validateResponse: null,
      };
      // The stub validates incoming requests; the proxy has no response
      // validator (validateResponse above is null).
      ReceivedSnapshotListenerStub.prototype.validator = validateReceivedSnapshotListenerRequest;
      ReceivedSnapshotListenerProxy.prototype.validator = null;
      // -------------------------------------------------
      // Message-name constants in the locally built Android bindings: plain
      // ordinals 0..18 in declaration order, in contrast to the large,
      // non-sequential values in the exploit's copy in the opening post. A binding
      // file from one build is therefore not interchangeable with another unless
      // both were generated with the same message-ID settings.
      var kFileSystemManager_Open_Name = 0;
      var kFileSystemManager_ResolveURL_Name = 1;
      var kFileSystemManager_Move_Name = 2;
      var kFileSystemManager_Copy_Name = 3;
      var kFileSystemManager_Remove_Name = 4;
      var kFileSystemManager_ReadMetadata_Name = 5;
      var kFileSystemManager_Create_Name = 6;
      var kFileSystemManager_Exists_Name = 7;
      var kFileSystemManager_ReadDirectory_Name = 8;
      var kFileSystemManager_ReadDirectorySync_Name = 9;
      var kFileSystemManager_Write_Name = 10;
      var kFileSystemManager_WriteSync_Name = 11;
      var kFileSystemManager_Truncate_Name = 12;
      var kFileSystemManager_TruncateSync_Name = 13;
      var kFileSystemManager_TouchFile_Name = 14;
      var kFileSystemManager_CreateSnapshotFile_Name = 15;
      var kFileSystemManager_GetPlatformPath_Name = 16;
      var kFileSystemManager_CreateWriter_Name = 17;
      var kFileSystemManager_ChooseEntry_Name = 18;
      // -------------------------------------------------
      // Constructor for a FileSystemManager interface pointer: wraps the given
      // handle or InterfacePtrInfo in an InterfacePtrController bound to the
      // FileSystemManager descriptor.
      function FileSystemManagerPtr(handleOrPtrInfo) {
        this.ptr = new bindings.InterfacePtrController(FileSystemManager,
                                                       handleOrPtrInfo);
      }
    
      // Associated-interface variant of the pointer above, backed by
      // associatedBindings.AssociatedInterfacePtrController.
      function FileSystemManagerAssociatedPtr(associatedInterfacePtrInfo) {
        this.ptr = new associatedBindings.AssociatedInterfacePtrController(
            FileSystemManager, associatedInterfacePtrInfo);
      }

      // Inherit FileSystemManagerPtr's prototype methods (e.g. open) and restore
      // the constructor reference that Object.create replaced.
      FileSystemManagerAssociatedPtr.prototype =
          Object.create(FileSystemManagerPtr.prototype);
      FileSystemManagerAssociatedPtr.prototype.constructor =
          FileSystemManagerAssociatedPtr;
    
      // Proxy: holds the receiver that outgoing messages are handed to.
      function FileSystemManagerProxy(receiver) {
        this.receiver_ = receiver;
      }
      // Ptr.open forwards to the proxy's open, applied to this.ptr.getProxy()
      // with the caller's arguments passed through unchanged.
      FileSystemManagerPtr.prototype.open = function() {
        return FileSystemManagerProxy.prototype.open
            .apply(this.ptr.getProxy(), arguments);
      };
    
      // Sends a FileSystemManager.Open request (originUrl, fileSystemType) through
      // the bound receiver and resolves with the decoded response params.
      // The message is tagged with kFileSystemManager_Open_Name, which in this
      // build is the ordinal 0; the receiving end dispatches on that value, so a
      // binding file generated for a build with different message IDs will not be
      // understood here.
      FileSystemManagerProxy.prototype.open = function(originUrl, fileSystemType) {
        var params_ = new FileSystemManager_Open_Params();
        params_.originUrl = originUrl;
        params_.fileSystemType = fileSystemType;
        // Anything thrown inside the executor (e.g. during encoding) becomes a
        // rejection of the returned promise.
        return new Promise(function(resolve, reject) {
          // Header: message name, aligned payload size, expects-response flag.
          var builder = new codec.MessageV1Builder(
              kFileSystemManager_Open_Name,
              codec.align(FileSystemManager_Open_Params.encodedSize),
              codec.kMessageExpectsResponse, 0);
          builder.encodeStruct(FileSystemManager_Open_Params, params_);
          var message = builder.finish();
          this.receiver_.acceptAndExpectResponse(message).then(function(message) {
            var reader = new codec.MessageReader(message);
            var responseParams =
                reader.decodeStruct(FileSystemManager_Open_ResponseParams);
            resolve(responseParams);
          }).catch(function(result) {
            // Receiver failure is surfaced as a generic connection error.
            reject(Error("Connection error: " + result));
          });
        }.bind(this)); // bound so this.receiver_ is reachable inside the executor
      };



    • #3
      I replaced the mojom files with the ones from my Android build source, and it works very well; I did not have to care about the index numbers in the code. I was able to successfully trigger the vulnerability on Android Chrome. To trigger it, the size of the file operation pointer must exactly match 32-bit Android Chrome.



      • #4
        The following is the file operation pointer size for each platform.
        I found it manually in increments (or decrements) of 4, which was a pain.

        Code:
        - 64 bit Windows Chrome
        // Value reported in this post for 64-bit Windows Chrome; it is
        // build-specific (the 32-bit Windows and Android values below differ).
        const kFileWriterImplSize = 0x140;
        Code:
        - 32 bit Windows Chrome
        // Value reported in this post for 32-bit Windows Chrome; build-specific.
        const kFileWriterImplSize = 0xE8;
        Code:
        - Android Mobile Chrome
        // Value reported in this post for Android Mobile Chrome; build-specific.
        const kFileWriterImplSize = 0xC0;

