• Stars: 174
• Rank: 212,600 (Top 5 %)
• Language: JavaScript
• Created: almost 6 years ago
• Updated: 4 months ago

Repository Details

Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018

CVE-2018-4233

Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3.

For more details see https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf

The exploit gains arbitrary memory read/write by constructing the addrof and fakeobj primitives and subsequently faking a typed array, as described in http://www.phrack.org/papers/attacking_javascript_engines.html. Afterwards it locates the JIT page and writes the stage 1 shellcode there. That shellcode in turn writes a .dylib (contained in stage2.js) to disk and loads it into the renderer process to perform a sandbox escape. Stage 2 uses a separate vulnerability to break out of the Safari sandbox and will be published at a later point.

More Repositories

1. pwn2own2018: A Pwn2Own exploit chain (C, 752 stars)
2. armpwn: Repository to train/learn memory corruption on the ARM platform (Python, 352 stars)
3. cve-2014-0038: Linux local root exploit for CVE-2014-0038 (C, 190 stars)
4. ios-kern-utils: iOS Kernel utilities (C, 156 stars)
5. 35c3ctf: Source code and exploits for some 35c3ctf challenges (C, 136 stars)
6. jscpwn: PoC exploit for CVE-2016-4622 (JavaScript, 104 stars)
7. v9: Files for the "v9" challenge of 34C3 CTF. See the greeting message in server.go for more information about the challenge (JavaScript, 84 stars)
8. foxpwn: Exploit code for CVE-2016-9066 (JavaScript, 42 stars)
9. ida_scripts: Collection of IDA scripts (Python, 40 stars)
10. feuerfuchs: Files for the "feuerfuchs" challenge of 33C3 CTF. See the greeting message in server.py for more information about the challenge (JavaScript, 37 stars)
11. 33c3ctf-repl: Code and exploit for the "read-eval-pwn loop" challenge of 33C3 CTF (Python, 33 stars)
12. iCrashalyzer: Tool to analyze iOS crash reports (Python, 28 stars)
13. dnsrebinder: Go tool to perform DNS rebinding (Go, 26 stars)
14. ctfcode: Dumping CTF related code here (Python, 16 stars)
15. deeplearn: OpenCL deep learning toolkit (C++, 15 stars)
16. saelo.github.io: GitHub Pages (SCSS, 12 stars)
17. algopy: Python implementation of various (graph) algorithms (Python, 10 stars)
18. game-of-life: Simple Game of Life implementation using C++ and OpenGL (C++, 6 stars)
19. splaytree: Splay Tree Animations (JavaScript, 5 stars)
20. capman: Simple investment tool based on Interactive Brokers' API (Swift, 5 stars)
21. hash-tools: Some simple scripts for hash recovery (Python, 3 stars)
22. dotfiles: Various dotfiles (Shell, 3 stars)
23. smarttrim.vim: Vim plugin to remove newly created trailing whitespace (Vim Script, 2 stars)
24. weesleep: WeeChat plugin to disconnect WeeChat when the system is being suspended (C, 1 star)