Firefox Spidermonkey JS Engine Exploitation


In this paper, I present a set of techniques that enable command execution within the Spidermonkey JS Engine given a relative read/write (rw) bug. A relative rw bug is also known as an out of bounds (OOB) bug. I will discuss how to convert a relative rw primitive into an arbitrary rw primitive by overwriting the backing store pointer of a JavaScript typed array. From an arbitrary rw primitive I gain command execution by overwriting an entry in the Global Offset Table (GOT) with a pointer to the system libc call. Finally, I demonstrate how to determine the GOT offsets by implementing an ELF-parser within the JavaScript exploit code, that parses the in-memory Spidermonkey ELF image.

Firefox Spidermonkey JS Engine Exploitation.PDF

Comments

  1. Unknown17 January 2022 at 04:45

    Autospin88 dan ElangGame - Situs game slot online terbesar, tercepat, terlengkap dan terfavorit.

    Ada banyak promosi yang sangat menarik dan merchandise keren yang hanya ada di Autospin88 dan ElangGame.

    Autospin88 pasti Autowin..
    ElangGame Slot Gacor

    Klik langsung di sini ya guys DAFTAR AUTOSPIN88

    Atau Klik DAFTAR ELANGGAME

    ReplyDelete

Post a Comment

Popular posts from this blog

C++ Memory Corruption (std::vector) - part 2

Summary This is the 2nd part of the C++ memory corruption series*. In this post, we'll look at corrupting the std::vector class in Linux and see what exploitation primitives we can gain. We'll see that we can build arbitrary read/write primitives. * https://blog.infosectcbr.com.au/2020/08/c-memory-corruption-part-1.html   Author: Dr Silvio Cesare Introduction C++ is a common language for memory corruption. However, there is much more literature on exploiting C and not C++ programs. C++ presents new classes, objects, and data structures which can all be effectively used for building exploitation primitives.  In this post, we'll look at the std::vector class and see what specific primitives we can obtain.  Let's start by looking at /usr/include/c++/bits/stl_vector.h namespace std _GLIBCXX_VISIBILITY ( default ) { _GLIBCXX_BEGIN_NAMESPACE_VERSION _GLIBCXX_BEGIN_NAMESPACE_CONTAINER /// See bits/stl_deque.h's _Deque_base for an explanation. template < typename
Read more

Pointer Compression in V8

Image
Syed Faraz Abrar @farazsth98   Summary In this blog post, I will provide some details on how the Chromium developers implemented pointer compression in V8. I will also talk about what this means from an exploit development perspective. Introduction I’ve been an intern at InfoSect for the past couple of weeks now, and in this time, I’ve had to do a bunch of security related research into both V8 and Spidermonkey. One of the things that I spent a short amount of my time on was pointer compression in V8. I hadn’t heard of the term at all until Bruno Keith ( @bkth_ ) mentioned it on twitter some time in December last year. The V8 developers also made a blog post to celebrate V8 v8.0 where they mentioned that implementing pointer compression had allowed them to save up to 40% in usage of heap memory! That’s a big improvement, so let’s take a look at what pointer compression is and what it means from an exploit developer’s perspective. Disclaimer This is not intended to
Read more

Linux Kernel Stack Smashing

Dr Silvio Cesare @silviocesare   Summary In this blog post I’ll discuss how to exploit the Linux kernel via a stack smashing attack. I’ll be attacking the latest kernel version. I’ll also introduce a vulnerable device driver that I wrote so that I can focus on the exploitation development and not the vulnerability research.  A number of mitigations were introduced in recent years, such as Kernel Page Table Isolation and control register pinning, which makes some previous techniques obsolete. Techniques like ret2usr no longer work. But regardless, I am able to privesc and gain a rootshell. An overview of the attack The attack can be split up into a number of stages: ·         Defeat KASLR ·         Leak the stack canary ·         Stack smash and overwrite the canary and return address to trigger a ROP chain ·         ROP to change the current creds to UID 0 ·         ROP into the code that returns from a system call and continues execution i
Read more