Environment setup for Browser Exploitation
The recommended stats are the following
Ubuntu 22.04
16 GB of RAM
CPU with 8 Cores
These should be enough to compile and run everything we need.
Building Browsers
Chrome and Safari are open source so we can download and build our own copies to debug without having to reverse engineer anything.
There are generally two build flavors: Release and Debug
Debug
Binaries have all debug info and symbols and are larger in size because of that
Debug Asserts are present
Additional debugging tools are provided
Release
Binaries are smaller in size
No Debug Asserts
Debug Asserts might block vulnerabilities and make it harder to write a functioning exploit.
Building Chrome
The Chromium source tree is about 30GB of code in debug build, generally it's recommended to have 40GB of free space just for source and an additional 20GB for the release build.
Here are some useful links
Overall location: https://chromium.googlesource.com
Src Tree: https://chromium.googlesource.com/chromium/src.git
Github V8 Mirror: https://github.com/v8/v8
DEPS file: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/DEPS
These are not the complete code as Chromium pulls a rather large amount of components from other locations. If we have a running Chrome instance we can view its version by visiting about:version
.
To pull the Chromium code we'll need to install the Depot Tools (30GB of space)
mkdir chromium && cd chromium && fetch --nohooks chromium # get the initial code
cd src && gclient sync # do whenever you checkout a different version
and install the dependencies
./build/install-build-deps.sh
gclient runhooks
Then we can generate the build file
gn gen out/Default
and chose the build variables
gn args out/Default
We can configure more of these options
is_debug=[true|false] # change the build type to debug or release
symbol_level=[0|1|2] # change how many symbols are included
blink_symbol_level=0 # include to remove blink symbols
If we only want to build Chrome we can run
ninja -C ./out/Default/ chrome
or if we just want a standalone V8 shell we can use the following
mkdir v8 && cd v8 && fetch --nohooks v8
gclient sync --with_branch_heads # run anytime you change v8 version
cd v8 && ./build/install-build-deps.sh
# first time build
tools/dev/gm.py x64.release
# or
tools/dev/gm.py x64.debug
# rebuilding
ninja -C ./out/x64.release d8
./out/x64.release/d8
Building WebKit
WebKit is much smaller in size so about 20GB of free space should be enough for the build.
WebKit is tracked with SVN instead of git: https://trac.webkit.org/browser#webkit/branches If targeting Safari, find branch version in about menu:

To download the code we could download it from SVN which is slow, or download the archive of the repository directly from here; then we select the branch
tar xfv WebKit-SVN-source.tar.bz2 && cd webkit
svn switch https://svn.webkit.org/repository/webkit/branches/safari-<branch-here>
Safari branches sometimes have issues being built, so we will just use trunk
Safari is for macOS and it's not available on Linux and Safari branches don't support GTK so we can build WebKit for UNIX using MiniBrowser. First of all we'll install the dependencies
Tools/gtk/install-dependencies
Tools/Scripts/update-webkitgtk-libs
and start the build
# chose a mode
./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release
./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" --no-bubblewrap-sandbox MiniBrowser
# to run
Tools/Scripts/run-minibrowser --gtk
In order to build JavaScriptCore we'll use
./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release
Tools/Scripts/build-webkit --jsc-only --cmakeargs="-GNinja" jsc
./WebKitBuild/Release/bin/jsc
To run WebKit with ASAN (Address Sanitizer), which will try to detect corruption and UAFs, we will need
./Tools/Scripts/set-webkit-configuration --asan --debug
./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" MiniBrowser
Unified Builds combine source to speed up the compilation process, they're good for building but bad for debugging so we should disable JSC if needed keeping in mind that this will make the build process much slower
-DENABLE_UNIFIED_BUILDS=OFF
Code Browsing
Chromium sourecode: https://cs.chromium.org/chromium/
WebKit (JSC): http://ret2-webkit-woboq.s3-website-us-east-1.amazonaws.com/jsc/jsc/
Debugging the processes
To debug the browsers we need to find the right processes to attach to:
Chrome: to start a Chrome process for debugging use the following flags
--no-sandbox --renderer-startup-dialog --disable-hang-monitor
When attaching a debugger like GDB to it we'll see
[10506:10506:0904/174115:2537132352130:ERROR:child_process.cc(131)]
Renderer (10506) paused waiting for debugger to attach. Send SIGUSR1 to unpause.
so to resume the process' execution we'll send the right signal and continue
gdb -p 10506
(gdb) signal SIGUSR1
(gdb) c
WebKit: WebKit processes are much easier to find in the output of a command like
ps fa
, in this case we want to attack to the firstWebKitWebProcess
entry on the list
There are also some GDB debugging scripts we can use that take advantage of some special debugging commands some JS engines use (in debug builds)
Last updated