Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time



Basic Usage

Pre-built version of the library is located at /dist/pwn.js. API documentation is available in /docs or here, and examples of complete exploits are in /examples.

If you want to implement a new Chakra exploit, you can use this basic template:

var Exploit = (function() {
    var ChakraExploit = pwnjs.ChakraExploit,
        Integer = pwnjs.Integer;

    function Exploit() {;
        // TODO: implement your exploit
        // TODO: leak any Chakra.dll address (e.g. a vtable)
    Exploit.prototype = Object.create(ChakraExploit.prototype);
    Exploit.prototype.constructor = Exploit; = function (address, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory read of address
    Exploit.prototype.write = function (address, value, size) {
        switch (size) {
            case 8:
            case 16:
            case 32:
            case 64:
                // TODO: implement memory write of value to address
    return Exploit;

Using an exploit in a payload is easier if you use the deprecated with statement:

with (new Exploit()) {
    var malloc = importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
    // ...

You can also define an Exploit object (non-deprecated, but more verbose):

var e = new Exploit();
var malloc = e.importFunction('msvcrt.dll', 'malloc', Uint8Ptr);
// ...

Build Instructions

You can rebuild the library using webpack:

$ npm install
$ npm run build

You can rebuild the documentation using jsdoc:

$ npm run jsdoc

Also, you can run a small HTTP server to host the documentation and examples:

$ npm start