Firefox Spidermonkey JS Engine Exploitation


In this paper, I present a set of techniques that enable command execution within the Spidermonkey JS Engine given a relative read/write (rw) bug. A relative rw bug is also known as an out of bounds (OOB) bug. I will discuss how to convert a relative rw primitive into an arbitrary rw primitive by overwriting the backing store pointer of a JavaScript typed array. From an arbitrary rw primitive I gain command execution by overwriting an entry in the Global Offset Table (GOT) with a pointer to the system libc call. Finally, I demonstrate how to determine the GOT offsets by implementing an ELF-parser within the JavaScript exploit code, that parses the in-memory Spidermonkey ELF image.

Firefox Spidermonkey JS Engine Exploitation.PDF

Popular posts from this blog

Empowering Women in Cybersecurity: InfoSect's 2024 Training Initiative

C++ Memory Corruption (std::string) - part 4

C++ Memory Corruption (std::vector) - part 2