bjrjk/pwn-learning

Files

History

Jack Ren 41c959a465 Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

..

args.gn

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

Exploit.js

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

patch

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

README.md

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

REVISION

Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00

README.md

Level 6

Problem

Given a vulnerable builtin Array.prototype.functionMap(func):

It takes a PACKED_DOUBLE_ELEMENTS JSArray receiver and a JSFunction argument.
reinterpret_cast elements to a FixedDoubleArray, then for each element e:
- Trigger a custom JavaScript callback func, with
  - Input: this double element e
  - Output: any double element o
- And store o to e's original position.

Key Knowledge

Side Effect based Array Element Type Confusion
- CVE-2018-4233
- Use this technique to construct Address Of & Fake Object primitive.
How to build d8 and debug them?
- Building V8 from source
- Building V8 with GN