Given a relative rw from an array's contents in v8 (I patched v8 to let me do this), I turned that into an arbitrary rw. And given the address of the rwx page I created, I can pop calc. Still trying to figure out how to leak the rwx page address.
Replying to @silviocesare
Hey :) I described it on the @doar_e blog here if you're interested :) https://doar-e.github.io/blog/2019/01/28/introduction-to-turbofan/#step-4-overwriting-wasm-rwx-memory …
1 reply 0 retweets 3 likes
Ah thank you! Btw, I've been reading one of the other doar_e blog posts for my experimentation with spidermonkey exploitation :)
2 replies 0 retweets 0 likes
Replying to @silviocesare @doar_e
But the blaze is an interesting challenge :)
1 reply 0 retweets 0 likes
Yep. I was trying the blaze patch. Got an arbitrary rw, but I prefer the rwx page in v8 versus building a ROP chain in spidermonkey. I tried overwriting a malloc hook (with a one gadget) but couldn't find how to trigger a libc malloc or free.
1 reply 0 retweets 0 likes
I think @0vercl0k's kaisen.js and ifrit.js may interest you :)