bjrjk/pwn-learning

Files

History

Jack Ren b871bb78c7 Added REVISION, args.gn and patch for existing PwnCollegeV8Exploitation Levels

2024-09-16 17:05:38 +08:00

..

args.gn

Added REVISION, args.gn and patch for existing PwnCollegeV8Exploitation Levels

2024-09-16 17:05:38 +08:00

Exploit.js

Level 6 of PwnCollegeV8Exploitation

2024-09-16 09:16:29 +08:00

patch

Added REVISION, args.gn and patch for existing PwnCollegeV8Exploitation Levels

2024-09-16 17:05:38 +08:00

README.md

Level 6 of PwnCollegeV8Exploitation

2024-09-16 09:16:29 +08:00

REVISION

Added REVISION, args.gn and patch for existing PwnCollegeV8Exploitation Levels

2024-09-16 17:05:38 +08:00

README.md

Level 6

Problem

Given a vulnerable builtin Array.prototype.functionMap(func):

It takes a PACKED_DOUBLE_ELEMENTS JSArray receiver and a JSFunction argument.
reinterpret_cast elements to a FixedDoubleArray, then for each element e:
- Trigger a custom JavaScript callback func, with
  - Input: this double element e
  - Output: any double element o
- And store o to e's original position.

Key Knowledge

Side Effect based Array Element Type Confusion
- CVE-2018-4233
- Use this technique to construct Address Of & Fake Object primitive.