Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
docker-webkit
Dockerized WebKit Dev/Research Environment
Dependencies
Image Tags
$ docker images
REPOSITORY TAG SIZE
blacktop/webkit latest 946MB
blacktop/webkit jsc 946MB
blacktop/webkit minibrowser 946MB
blacktop/webkit snapshot 946MB
blacktop/webkit CVE-2018-4262 946MBGetting Started
$ docker run --init -it --rm blacktop/webkit:snapshot
>>> print("HALP!");
HALP!Run a javascript file
$ cat test.js
print(1+1);$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:snapshot /data/test.js
2Debugging
$ docker run --init -it --rm blacktop/webkit:snapshot gdb
pwndbg> r
Starting program: /webkit/WebKitBuild/Debug/bin/jsc
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ff0edf52700 (LWP 18)]
>>> describe([1,2,3,4])
Object: "0x7ff0acec01b0" with butterfly "0x7fe806be4010"
(Structure 0x7ff0acefe370:
[Array, {}, CopyOnWriteArrayWithInt32, Proto:0x7ff0acec0010, Leaf]), StructureID: 64910
>>> ^CNOTE: You might need to add
--cap-add=SYS_PTRACEor--security-opt seccomp:unconfinedto debug the kernel
Telescope the Object
pwndbg> tele 0x7ff0acec01b0
00:0000│ 0x7ff0acec01b0 ◂— 0x10822150000fd8e
01:0008│ 0x7ff0acec01b8 —▸ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- 🦋
02:0010│ 0x7ff0acec01c0 ◂— 0xbadbeef0
... ↓Telescope the butterfly (minus 8 to see the length)
pwndbg> tele 0x7fe806be4010-8
00:0000│ 0x7fe806be4008 ◂— 0x400000004 <--------- LENGTH
01:0008│ 0x7fe806be4010 ◂— 0xffff000000000001 <--------- array values
02:0010│ 0x7fe806be4018 ◂— 0xffff000000000002
03:0018│ 0x7fe806be4020 ◂— 0xffff000000000003
04:0020│ 0x7fe806be4028 ◂— 0xffff000000000004
05:0028│ 0x7fe806be4030 ◂— 0xbadbeef0CVE-2018-4262
$ wget https://raw.githubusercontent.com/blacktop/docker-webkit/master/CVE-2018-4262/test.js
$ docker run --init -it --rm -v `pwd`:/data blacktop/webkit:CVE-2018-4262 /data/test.js
Object: "0x7f5843db4340" 👈 with butterfly 0x7f48000e4008
(Structure 0x7f5843df2ae0:[Array, {}, ArrayWithContiguous, Proto:0x7f5843dc80a0]),
StructureID: 99
Leaked Address: 6.91776252510795e-310Convert double to address
$ python -c 'import struct
print(hex(struct.unpack("Q", struct.pack("d", 6.91776252510795e-310))[0]))'
0x7f5843db4340 👍😎👍