pwn-learning/JavaScript/PwnCollegeV8Exploitation/Level4
Jack Ren 90245c7091 Minor Changes to Level 3 & 4 of PwnCollegeV8Exploitation
1. The threshold to trigger MAGLEV compilation differs depending on whether gdb is attached to d8 or not.
    - When gdb is attached to d8, the training loop count needed to trigger MAGLEV is 100,000.
    - But when d8 runs standalone, the training loop count needed to trigger MAGLEV is only 10,000. If you still use 100,000, it will trigger TURBOFAN, the code data structure will change, and shellcode execution fails.
2. Fixed other miscellaneous minor mistakes.
2024-09-15 08:57:29 +08:00

Level 4

Problem

Given a vulnerability that allows an array's length to be set arbitrarily through Array.prototype.setLength().

Key Knowledge

  • Heap feng shui
  • OOB access to other heap content by corrupting an array's length