https://github.com/blacktop/docker-webkit

Dockerized WebKit Dev/Research Environment
docker gdb javascript jsc minibrowser pwndbg vulnerability-research webkit webkitgtk

README

# docker-webkit

Dockerized WebKit Dev/Research Environment

---

## Dependencies

- [ubuntu:bionic](https://hub.docker.com/_/ubuntu/)

## Image Tags

```bash
$ docker images

REPOSITORY TAG SIZE
blacktop/webkit latest 946MB
blacktop/webkit jsc 946MB
blacktop/webkit minibrowser 946MB
blacktop/webkit snapshot 946MB
blacktop/webkit CVE-2018-4262 946MB
```

## Getting Started

```bash
$ docker run --init -it --rm blacktop/webkit:snapshot

>>> print("HALP!");
HALP!
```

### Run a JavaScript file

```bash
$ cat test.js
print(1+1);
```

```bash
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:snapshot /data/test.js
2
```

### Debugging

```bash
$ docker run --init -it --rm blacktop/webkit:snapshot gdb

pwndbg> r
Starting program: /webkit/WebKitBuild/Debug/bin/jsc
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff0edf52700 (LWP 18)]
>>> describe([1,2,3,4])
Object: "0x7ff0acec01b0" with butterfly "0x7fe806be4010"
(Structure 0x7ff0acefe370:
[Array, {}, CopyOnWriteArrayWithInt32, Proto:0x7ff0acec0010, Leaf]), StructureID: 64910
>>> ^C
```

> **NOTE:** You might need to add `--cap-add=SYS_PTRACE` or `--security-opt seccomp:unconfined` so that gdb is allowed to ptrace the `jsc` process inside the container (the `Error disabling address space randomization` warning above comes from the same restriction; the default seccomp profile blocks `personality(2)`)

#### Telescope the `Object`

```bash
pwndbg> tele 0x7ff0acec01b0
00:0000│ 0x7ff0acec01b0 ◂— 0x10822150000fd8e
01:0008│ 0x7ff0acec01b8 —▸ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- 🦋
02:0010│ 0x7ff0acec01c0 ◂— 0xbadbeef0
... ↓
```

#### Telescope the `butterfly` *(minus 8 to see the length)*

```bash
pwndbg> tele 0x7fe806be4010-8
00:0000│ 0x7fe806be4008 ◂— 0x400000004 <--------- LENGTH
01:0008│ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- array values
02:0010│ 0x7fe806be4018 ◂— 0xffff000000000002
03:0018│ 0x7fe806be4020 ◂— 0xffff000000000003
04:0020│ 0x7fe806be4028 ◂— 0xffff000000000004
05:0028│ 0x7fe806be4030 ◂— 0xbadbeef0
```

### `CVE-2018-4262`

```bash
$ wget https://raw.githubusercontent.com/blacktop/docker-webkit/master/CVE-2018-4262/test.js
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:CVE-2018-4262 /data/test.js

Object: "0x7f5843db4340" 👈 with butterfly 0x7f48000e4008
(Structure 0x7f5843df2ae0:[Array, {}, ArrayWithContiguous, Proto:0x7f5843dc80a0]),
StructureID: 99
Leaked Address: 6.91776252510795e-310
```

#### Convert `double` to address

```bash
$ python -c 'import struct
print(hex(struct.unpack("Q", struct.pack("d", 6.91776252510795e-310))[0]))'

0x7f5843db4340 👍😎👍
```
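To make the two `tele` dumps and the one-liner above easier to read, here is an added helper (not part of the docker-webkit repo) that splits the butterfly length word, classifies each 64-bit NaN-boxed slot as int32/double/pointer/special, and performs the same double-to-address reinterpretation. It assumes the 2018-era JSC encoding used by this image (int32 tag `0xffff0000_00000000`, doubles offset by `1 << 48`; newer JSC shifts by 49 bits); the sample values are copied from the telescope output on this page.

```python
import struct

# Constructed samples, copied from the pwndbg/jsc output shown on this page.
BUTTERFLY_HEADER = 0x400000004          # word at butterfly-8
ARRAY_SLOTS = [0xFFFF000000000001, 0xFFFF000000000002,
               0xFFFF000000000003, 0xFFFF000000000004]
LEAKED_DOUBLE = 6.91776252510795e-310   # "Leaked Address" printed by test.js

# JSValue NaN-boxing constants (assumption: 2018-era 64-bit JSC; newer JSC uses 1 << 49).
NUMBER_TAG = 0xFFFF000000000000
DOUBLE_ENCODE_OFFSET = 1 << 48
SPECIALS = {0x0: "empty", 0x2: "null", 0x6: "false", 0x7: "true", 0xA: "undefined"}
MASK64 = 0xFFFFFFFFFFFFFFFF


def double_to_address(d: float) -> int:
    """Reinterpret the raw 8 bytes of a double as an unsigned 64-bit integer."""
    return struct.unpack("<Q", struct.pack("<d", d))[0]


def butterfly_lengths(header: int) -> tuple:
    """Word at butterfly-8: low 32 bits = publicLength, high 32 bits = vectorLength."""
    return header & 0xFFFFFFFF, (header >> 32) & 0xFFFFFFFF


def decode_jsvalue(raw: int) -> tuple:
    """Classify one 64-bit JSValue slot as dumped from the butterfly."""
    if raw & NUMBER_TAG == NUMBER_TAG:                      # FFFF:0000:IIII:IIII -> int32
        low = raw & 0xFFFFFFFF
        return "int32", struct.unpack("<i", struct.pack("<I", low))[0]
    if raw >> 48 == 0:                                      # 0000:PPPP:PPPP:PPPP -> cell pointer or special
        if raw in SPECIALS:
            return "special", SPECIALS[raw]
        return "pointer", raw
    bits = (raw - DOUBLE_ENCODE_OFFSET) & MASK64            # 0001..FFFE -> encoded double
    return "double", struct.unpack("<d", struct.pack("<Q", bits))[0]


def describe_butterfly(header: int, slots: list) -> dict:
    """Summarise a butterfly dump the way the tele output above is read by hand."""
    public_len, vector_len = butterfly_lengths(header)
    return {"publicLength": public_len, "vectorLength": vector_len,
            "values": [decode_jsvalue(s) for s in slots]}


if __name__ == "__main__":
    print(describe_butterfly(BUTTERFLY_HEADER, ARRAY_SLOTS))
    print(hex(double_to_address(LEAKED_DOUBLE)))
```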