Given a relative rw from an array's contents in v8 (I patched v8 to let me do this), I turned that into an arbitrary rw. And given the address of the rwx page I created, I can pop calc. Still trying to figure out how to leak the rwx page address.
Yep. I was trying the blaze patch. Got an arbitrary rw, but I prefer the rwx page in v8 versus building a ROP chain in spidermonkey. I tried overwriting a malloc hook (with a one gadget) but couldn't find how to trigger a libc malloc or free.
I think @0vercl0k's kaisen.js and ifrit.js may interest you :)