Environment setup for Browser Exploitation

The recommended stats are the following

• Ubuntu 22.04

• 16 GB of RAM

• CPU with 8 Cores

These should be enough to compile and run everything we need.

Building Browsers

Chrome and Safari are open source so we can download and build our own copies to debug without having to reverse engineer anything.

There are generally two build flavors: Release and Debug

• Debug

  • Binaries have all debug info and symbols and are larger in size because of that

  • Debug Asserts are present

  • Additional debugging tools are provided

• Release

  • Binaries are smaller in size

  • No Debug Asserts

Debug Asserts might block vulnerabilities and make it harder to write a functioning exploit.

Building Chrome

The Chromium source tree is about 30GB of code in debug build, generally it's recommended to have 40GB of free space just for source and an additional 20GB for the release build.

Here are some useful links

• Overall location: https://chromium.googlesource.com

• Src Tree: https://chromium.googlesource.com/chromium/src.git

• Github V8 Mirror: https://github.com/v8/v8

• DEPS file: https://chromium.googlesource.com/chromium/src.git/+/refs/heads/master/DEPS

These are not the complete code as Chromium pulls a rather large amount of components from other locations. If we have a running Chrome instance we can view its version by visiting about:version.

To pull the Chromium code we'll need to install the Depot Tools (30GB of space)

mkdir chromium && cd chromium && fetch --nohooks chromium # get the initial code
cd src && gclient sync # do whenever you checkout a different version

and install the dependencies

./build/install-build-deps.sh
gclient runhooks

Then we can generate the build file

gn gen out/Default

and chose the build variables

gn args out/Default

We can configure more of these options

is_debug=[true|false] # change the build type to debug or release
symbol_level=[0|1|2] # change how many symbols are included
blink_symbol_level=0 # include to remove blink symbols

If we only want to build Chrome we can run

ninja -C ./out/Default/ chrome

or if we just want a standalone V8 shell we can use the following

mkdir v8 && cd v8 && fetch --nohooks v8
gclient sync --with_branch_heads  # run anytime you change v8 version
cd v8 && ./build/install-build-deps.sh

# first time build
tools/dev/gm.py x64.release
# or 
tools/dev/gm.py x64.debug

# rebuilding
ninja -C ./out/x64.release d8

./out/x64.release/d8

Building WebKit

WebKit is much smaller in size so about 20GB of free space should be enough for the build.

WebKit is tracked with SVN instead of git: https://trac.webkit.org/browser#webkit/branches If targeting Safari, find branch version in about menu:

To download the code we could download it from SVN which is slow, or download the archive of the repository directly from here; then we select the branch

tar xfv WebKit-SVN-source.tar.bz2 && cd webkit
svn switch https://svn.webkit.org/repository/webkit/branches/safari-<branch-here>

Safari branches sometimes have issues being built, so we will just use trunk

Safari is for macOS and it's not available on Linux and Safari branches don't support GTK so we can build WebKit for UNIX using MiniBrowser. First of all we'll install the dependencies

Tools/gtk/install-dependencies
Tools/Scripts/update-webkitgtk-libs

and start the build

# chose a mode
./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release

./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" --no-bubblewrap-sandbox MiniBrowser

# to run
Tools/Scripts/run-minibrowser --gtk

In order to build JavaScriptCore we'll use

./Tools/Scripts/set-webkit-configuration --debug # for debug
./Tools/Scripts/set-webkit-configuration --release # for release

Tools/Scripts/build-webkit --jsc-only --cmakeargs="-GNinja" jsc
./WebKitBuild/Release/bin/jsc

To run WebKit with ASAN (Address Sanitizer), which will try to detect corruption and UAFs, we will need

./Tools/Scripts/set-webkit-configuration --asan --debug
./Tools/Scripts/build-webkit --gtk --cmakeargs="-GNinja" MiniBrowser

Unified Builds combine source to speed up the compilation process, they're good for building but bad for debugging so we should disable JSC if needed keeping in mind that this will make the build process much slower

-DENABLE_UNIFIED_BUILDS=OFF

Code Browsing

• Chromium sourecode: https://cs.chromium.org/chromium/

• WebKit (JSC): http://ret2-webkit-woboq.s3-website-us-east-1.amazonaws.com/jsc/jsc/

Debugging the processes

To debug the browsers we need to find the right processes to attach to:

• Chrome: to start a Chrome process for debugging use the following flags

--no-sandbox --renderer-startup-dialog --disable-hang-monitor

When attaching a debugger like GDB to it we'll see

[10506:10506:0904/174115:2537132352130:ERROR:child_process.cc(131)]
Renderer (10506) paused waiting for debugger to attach. Send SIGUSR1 to unpause.

so to resume the process' execution we'll send the right signal and continue

gdb -p 10506
(gdb) signal SIGUSR1
(gdb) c

Because of its size, fully debugging Chrome can be extremely slow; a way to get around that is to use gdb-add-index to cache debugging symbols or directly debugging the release build where symbols are completely missing.

• WebKit: WebKit processes are much easier to find in the output of a command like ps fa, in this case we want to attack to the first WebKitWebProcess entry on the list

There are also some GDB debugging scripts we can use that take advantage of some special debugging commands some JS engines use (in debug builds)

• Chrome GDB helper code library

• WebKit GDB helper script