Exploiting V8 at openECSC

from blog lyra's epic blog!, | ↗ original
Despite having 7 Chrome CVEs, I’ve never actually fully exploited a memory corruption in its V8 JavaScript engine before. Baby array.xor, a challenge at this year’s openECSC CTF, was my first time going from a V8 bug to popping a /bin/sh shell. Most V8 exploits tend to have two stages to them - figuring out a unique way to trigger some sort of a...
This is a short summary. ↗ Open original to view full content

Related

CVE-2023-6351 – Update Chrome Now!
ShavingTheYak | original ↗
Compiler Tricks to Avoid ABI-Induced Crashes
Random ASCII – tech blog of Bruce Dawson | original ↗
V8 Heap pwn and /dev/memes - WebOS Root LPE
David Buchanan's Blog | original ↗
0CTF 2018 Quals: Baby Stack - ret2dlresolve
David Buchanan's Blog | original ↗
Exploiting Directory Traversal to View Customer Credit Card Information on Yahoo's Small Business Platform
Blog | Sam Curry | original ↗
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty
Blog | Sam Curry | original ↗
Enumerating and analyzing 40+ non-V8 JavaScript implementations
Notes on software development | original ↗
The Mechanics of Bug Injection with LAVA
Push the Red Button | original ↗
A Minimal Rust Kernel
Writing an OS in Rust | original ↗
Buffer Overflows and Stacks and Assembly, Oh My!
the website of jyn | original ↗

More from lyra's epic blog!

Using YouTube to steal your files
19 Sept 2024 | original ↗

In my security research I often come across weird quirks and behaviours that aren’t particularly useful beyond a neat party trick. It’s always a good idea to keep track of them though, perhaps one day they’ll be just the missing piece you need. Untitled presentation ...

Stealing your Telegram account in 10 seconds flat
1 May 2024 | original ↗

Say you handed me your phone, what’s the worst I could do in 10 seconds? Web.telegram.orgedited 23:51 Click that link and your browser will be logged into telegram without passwords23:52 The other day I received an interesting message with a link to Telegram’s web client. Upon clicking on the link, I found myself already logged in....