test.js
var arr = new Array(1.1, 2.2, 3.3);
function test(obj) {
arr[0] = obj;
}
test({});Print bytecode of test function:
mistymntncop
mistymntncop
/ 339736513.js
Last active
June 4, 2024 12:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d8.file.execute("wasm-module-builder.js"); | |
| let builder = new WasmModuleBuilder(); | |
| let array_type = builder.addArray(kWasmI32, true); | |
| builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)])) | |
| .addBody([ | |
| kExprLocalGet, 0, | |
| kGCPrefix, kExprArrayNewDefault, array_type, | |
| ]) |
mistymntncop
/ CVE-2024-4761.js
Last active
May 6, 2025 03:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Build d8 using: | |
| // a) Run once | |
| // git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71 | |
| // gclient sync | |
| // gn gen ./out/x64.debug | |
| // gn gen ./out/x64.release | |
| // | |
| // b) | |
| // Debug Build: | |
| // ninja -C ./out/x64.debug d8 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <windows.h> | |
| #include "nt_crap.h" | |
| #define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0])) | |
| #define assert(expr) if(!(expr)) { *(char*)0 = 0; } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php header("Status: 204"); ?> |
mistymntncop
/ v8sbx.js
Created
November 25, 2023 10:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //v8 version 11.4.183.19 | |
| //git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb | |
| //MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api | |
| //v8_expose_memory_corruption_api = true | |
| //ninja -C ./out/x64.debug d8 | |
| //ninja -C ./out/x64.release d8 | |
| const addr_of = (o) => { | |
| return Sandbox.getAddressOf(o); |
mistymntncop
/ notes 4 Alex Chapman.md
Last active
November 5, 2023 01:21
mistymntncop
/ DWARF VM line machine notes
Last active
October 15, 2024 09:54
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DWARF has a clever (too clever?) VM representation for source line to asm mapping. | |
| VM has state which represents virtual program and source line counters. | |
| The DW_LNS_advance_pc instruction advances the program counter while the DW_LNS_advance_line instruction | |
| advances the line counter. Both these instructions encode the "advance amount" value as a variably sized immediate operand. | |
| The DW_LNS_copy instructions tells us that current VM pc and source counter states correspond together | |
| both counter values can be copied to a array of line numbers and assembly addresses. When the VM reads a byte from the | |
| instruction stream it compares this value with a VM specified "opcode base" variable. If the value is below the "opcode base" | |
| then it represents an opcode for an instruction. If the value is above the "opcode base" then it represents the operand for | |
| an implicit "instruction". This special implicit "instruction" advances both the program and source line counters at once | |
| using this single byte value. But how |
mistymntncop
/ exploit.html
Last active
October 12, 2023 11:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script type="text/javascript" src="utility.js"></script> |
mistymntncop
/ exploit-1104608.js
Last active
July 22, 2025 11:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // POC Exploit for v8 issue 1104608 (https://bugs.chromium.org/p/chromium/issues/detail?id=1104608) | |
| // author: @mistymntncop | |
| // bug discovered by: @r3tr0spect2019 | |
| // Exploit strategy based on @r3tr0spect2019's "Real World CTF" presentation on the bug. | |
| // https://www.youtube.com/watch?v=rSaIlBWwxsY | |
| // | |
| // Build d8 using: | |
| // a) Run once | |
| // git checkout 3505cf00eb4c59b87f4b5ec9fc702f7935fdffd0 | |
| // gclient sync --with_branch_heads |
NewerOlder