Exploit for a bug in TurboFan's typing of JSCall nodes for builtins kStringLastIndexOf and kStringIndexOf
Latest commit 5ea88e1 Jan 29, 2019
Type Name Latest commit message Commit time
step0 added step 1 & 2 until arbitrary RW primitive Jan 29, 2019
step1 added step 1 & 2 until arbitrary RW primitive Jan 29, 2019
step2 added step 1 & 2 until arbitrary RW primitive Jan 29, 2019
trigger Update opt_me.js Jan 28, 2019
README.md added gif Jan 29, 2019
exploit.js added full exploit Jan 29, 2019
pwn_stringLastIndexOf.gif
wasm.js added full exploit Jan 29, 2019

README.md

[TurboFan] Incorrect typing of String.lastIndexOf JSCall nodes

JSCall nodes for the builtins kStringLastIndexOf and kStringIndexOf are incorrectly typed.

This bug was found by @_tsuro.

This repository contains a trigger with an explanation of the bug as well as a full exploit.

It accompanies an upcoming doar-e.github.com article.
