Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018
Type Name Latest commit message Commit time
stage1 Added stage1 and a dummy stage2 Aug 17, 2018
stage2 Added stage1 and a dummy stage2 Aug 17, 2018
README.md Added stage1 and a dummy stage2 Aug 17, 2018
index.html Initial commit Aug 10, 2018
int64.js Initial commit Aug 10, 2018
logging.js Initial commit Aug 10, 2018
offsets.js Initial commit Aug 10, 2018
pwn.html Initial commit Aug 10, 2018
pwn.js Initial commit Aug 10, 2018
ready.js Initial commit Aug 10, 2018
shell.js Initial commit Aug 10, 2018
stage1.js Added stage1 and a dummy stage2 Aug 17, 2018
stage2.js Added stage1 and a dummy stage2 Aug 17, 2018
utils.js Initial commit Aug 10, 2018

README.md

CVE-2018-4233

Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3.

For more details see https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf

The exploit gains arbitrary memory read/write by constructing the addrof and fakeobj primitives and then faking a typed array, as described in http://www.phrack.org/papers/attacking_javascript_engines.html. It then locates the JIT page and writes the stage1 shellcode there. Stage 1 in turn writes a .dylib (contained in stage2.js) to disk and loads it into the renderer process to perform a sandbox escape. Stage 2 uses a separate vulnerability to break out of the Safari sandbox and will be published at a later point.
