Level 6 of PwnCollegeV8Exploitation
20
JavaScript/PwnCollegeV8Exploitation/Level6/README.md
Normal file
@@ -0,0 +1,20 @@
# Level 6
## Problem
Given a vulnerable builtin `Array.prototype.functionMap(func)`:
- It takes a `PACKED_DOUBLE_ELEMENTS` JSArray receiver and a JSFunction argument.
- **reinterpret_cast** `elements` to a `FixedDoubleArray`, then for each element `e`:
- Trigger a custom JavaScript callback `func`, with
- Input: this double element `e`
- Output: any double element `o`
- And store `o` to `e`'s original position.
## Key Knowledge
- Side Effect based Array Element Type Confusion
- CVE-2018-4233
- [saelo/cve-2018-4233: Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018](https://github.com/saelo/cve-2018-4233)
- [Attacking Client-Side JIT Compilers (v2)](https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf#page=106)
- [Pwn2Own 2018 CVE-2018-4233 分析](https://www.anquanke.com/post/id/244472)
- Use this technique to construct Address Of & Fake Object primitive.
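Review bot: the Problem section describes the builtin's steps but never says where the flaw is, so a reader cannot connect the description to the "Side Effect based Array Element Type Confusion" named under Key Knowledge. The bullets say `elements` is reinterpret_cast to a `FixedDoubleArray`, that `func` is called for every element, and that `o` is stored back, but not what the callback may change in between; state the missing check explicitly in the "And store `o`" bullet (presumably that the receiver's elements kind is not re-validated after the callback returns, which is the same bug class as the CVE-2018-4233 references). Two smaller points: "Trigger a custom JavaScript callback", its `Input`/`Output` bullets and "And store `o`" are sub-steps of "for each element `e`" and should be indented under it rather than listed as top-level items; and "Address Of & Fake Object primitive" would be clearer as the conventional `addrof` / `fakeobj` primitive names used in the linked material.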