Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Floating-Poison Math in Chakra

Simon Zuckerbraun - ZDI (posted 6 years ago)
  • The JIT (Just-in-time) compiler lets JavaScript code running inside the web browser be turned into high-performance machine code. Chakra, the JavaScript engine, makes assumptions all over the place when optimizing, and those assumptions can become exploitable features.
  • By abusing an assumption made during optimization, the generated code becomes exploitable.
  • The assumption: an array cannot change types just from being accessed.
    Reality: If a floating point value contains the same internal representation as 'undefined' ( 0x8000000280000002) then the array is converted into a JavaScriptArray class.
  • Because of that assumption, a floating-point value can be stored into a JavaScriptArray while bypassing the JIT type check. Accessing a[0] afterwards will then crash the browser.
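To make the sentinel-collision idea in the notes above concrete, here is an added model of the check an engine must perform when storing into an unboxed float array (this is my own illustration, not code from the ZDI post or from Chakra; the sentinel bit pattern is the value quoted in the notes, used as a model constant, and the class and method names are hypothetical):

```javascript
// Added model, not Chakra code. The sentinel pattern below is the value quoted
// in the notes above; it is used only as a model "hole" marker here.
const HOLE_BITS = 0x8000000280000002n;

// Reinterpret a double's raw 64 bits (and back) through a shared buffer.
const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);
function toBits(x) { f64[0] = x; return u64[0]; }
function fromBits(b) { u64[0] = b; return f64[0]; }

// Minimal "native float array": holes are stored as HOLE_BITS, so every store
// must check whether the incoming value collides with that pattern. A JIT path
// that skips this check is exactly the kind of assumption the notes describe.
class ModelFloatArray {
  constructor(n) {
    this.kind = 'NativeFloat';   // unboxed doubles, holes encoded in-band
    this.items = Array.from({ length: n }, () => fromBits(HOLE_BITS));
  }
  set(i, x) {
    if (this.kind === 'NativeFloat' && toBits(x) === HOLE_BITS) {
      // Collision: the value would later be misread as a hole, so escalate to
      // a boxed ("Var") representation before storing it.
      this.kind = 'Var';
      this.items = this.items.map(v => (toBits(v) === HOLE_BITS ? undefined : v));
    }
    this.items[i] = x;
  }
  get(i) {
    const v = this.items[i];
    if (this.kind === 'NativeFloat' && toBits(v) === HOLE_BITS) return undefined;
    return v;
  }
}

// A "poison" value: an ordinary double whose bits happen to equal the sentinel.
const poison = fromBits(HOLE_BITS);

function demo() {
  const a = new ModelFloatArray(2);
  a.set(0, 1.5);
  const before = a.kind;         // 'NativeFloat'
  a.set(1, poison);
  const after = a.kind;          // 'Var': escalated instead of corrupted
  return { before, after, v0: a.get(0), v1: a.get(1),
           hole: new ModelFloatArray(1).get(0) };
}
```

The escalation in set() is the type transition the notes refer to; code compiled under the assumption that the array stays a native float array would keep reading raw doubles from what is now a boxed array.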