Given a relative rw from an array's contents in v8 (I patched v8 to let me do this), I turned that into an arbitrary rw. And given the address of the rwx page I created, I can pop calc. Still trying to figure out how to leak the rwx page address.
Replying to @silviocesare
Hey :) I described it on the @doar_e blog here if you’re interested :) https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/#step-4-overwriting-wasm-rwx-memory …
Ah thank you! Btw, I've been reading one of the other doar_e blog posts for my experimentation with spidermonkey exploitation :)
Replying to @silviocesare @doar_e
Awesome! @0vercl0k also wrote a cool one on ion monkey’s alias analysis :)
2:49 PM - 2 Jan 2020