Created
August 22, 2025 22:57
JScript Runtime - Global Scope
```xml
<?xml version="1.0" encoding="utf-8"?>
<package>
<job id="Test">
<script language="JScript"><![CDATA[
!function(global) {
    global.testMe = function() {
        // this never executes
        WScript.StdOut.WriteLine("Got here.");
        return "test";
    };
}(this);

function main() {
    // outputs 'function'
    WScript.StdOut.WriteLine(typeof testMe);
    // does nothing
    var x = testMe();
    WScript.StdOut.WriteLine(x);
}

main();
testMe();
]]></script>
</job>
</package>
```
On Windows 11, calling the function testMe() just returns the function itself without ever calling it... If you do this, you will get the source for the function instead of the return string:
```javascript
WScript.StdOut.WriteLine( testMe() );
```
```text
Faulting application name: cscript.exe, version: 5.812.10240.16384, time stamp: 0xafcfb588
Faulting module name: scrobj.dll, version: 5.812.10240.16384, time stamp: 0x729e69b6
Exception code: 0xc0000005
Fault offset: 0x000000000001a3f0
Faulting process id: 0x34A0
Faulting application start time: 0x1DC13BAC4F392A9
Faulting application path: C:\WINDOWS\system32\cscript.exe
Faulting module path: C:\Windows\System32\scrobj.dll
Report Id: 4b25611c-47f2-4294-8f53-bef49f12cd90
Faulting package full name:
Faulting package-relative application ID:
```
Even if it doesn't say so... it's crashing.
0xc0000005 is a memory access violation. Is it exploitable?
The above code will either crash Windows Script Host or cause it to temporarily hang. Something is going on with the global scope... There may be a memory issue here.
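
The Application Error record quoted in the comments can be triaged mechanically when collecting Windows Script Host crashes across machines. The following is an added example, not part of the original gist or its comments: it parses that record's `key: value` lines, names the exception code, and converts the start time on the assumption that the field is a Windows FILETIME. The function names and the small NTSTATUS table are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Record text copied from the crash report on this page (empty fields omitted).
SAMPLE_EVENT = """\
Faulting application name: cscript.exe, version: 5.812.10240.16384, time stamp: 0xafcfb588
Faulting module name: scrobj.dll, version: 5.812.10240.16384, time stamp: 0x729e69b6
Exception code: 0xc0000005
Fault offset: 0x000000000001a3f0
Faulting process id: 0x34A0
Faulting application start time: 0x1DC13BAC4F392A9
Faulting application path: C:\\WINDOWS\\system32\\cscript.exe
Faulting module path: C:\\Windows\\System32\\scrobj.dll
"""

# A few well-known NTSTATUS values; anything else is reported as unknown.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

def filetime_to_utc(ticks):
    """Assumes a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_fault(text):
    """Parse the 'key: value' lines of an Application Error record into a summary."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so C:\ paths survive
        if sep:
            fields[key.strip().lower()] = value.strip()
    # Name lines carry ", version: ..., time stamp: ..." after the file name.
    app = fields.get("faulting application name", "").split(",")[0].strip().lower()
    module = fields.get("faulting module name", "").split(",")[0].strip().lower()
    code = int(fields.get("exception code", "0"), 16)
    start = fields.get("faulting application start time")
    return {
        "application": app,
        "module": module,
        "exception": NTSTATUS.get(code, "unknown (0x%08x)" % code),
        "fault_offset": int(fields.get("fault offset", "0"), 16),
        "started_utc": filetime_to_utc(int(start, 16)) if start else None,
        "script_host_crash": app in SCRIPT_HOSTS,
    }
```

Calling `parse_fault(SAMPLE_EVENT)` returns a dictionary that can be grouped by `module` and `fault_offset` to see whether repeated crashes land at the same place.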