Showing posts from January, 2020

Firefox Spidermonkey JS Engine Exploitation

In this paper, I present a set of techniques that enable command execution within the Spidermonkey JS Engine given a relative read/write (rw) bug. A relative rw bug is also known as an out of bounds (OOB) bug. I will discuss how to convert a relative rw primitive into an arbitrary rw primitive by overwriting the backing store pointer of a JavaScript typed array. From an arbitrary rw primitive I gain command execution by overwriting an entry in the Global Offset Table (GOT) with a pointer to the system libc call. Finally, I demonstrate how to determine the GOT offsets by implementing an ELF-parser within the JavaScript exploit code, that parses the in-memory Spidermonkey ELF image. Firefox Spidermonkey JS Engine Exploitation.PDF