DWARF has a clever (too clever?) VM representation for the source-line-to-asm mapping.
The VM has state representing a virtual program counter and a source line counter.
The DW_LNS_advance_pc instruction advances the program counter, while the DW_LNS_advance_line instruction
advances the line counter. Both instructions encode the "advance amount" as a variable-length immediate operand.
The DW_LNS_copy instruction tells us that the current VM pc and source line states correspond to each other, so
both counter values can be copied out to an array of (line number, assembly address) pairs. When the VM reads a byte from the
instruction stream it compares the value with a VM-specified "opcode base" variable. If the value is below the "opcode base"
then it represents the opcode of an instruction. If the value is above the "opcode base" then it represents the operand of
an implicit "instruction". This special implicit "instruction" advances both the program counter and the source line counter at once
using that single byte value. But how
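The VM described above, as an added worked example (not code from the original gist): a minimal interpreter for a DWARF line-number program that handles DW_LNS_advance_pc, DW_LNS_advance_line, DW_LNS_copy, the single-byte special opcodes, and DW_LNE_end_sequence. It assumes the `.debug_line` header has already been parsed and that its four relevant fields (`min_inst_length`, `line_base`, `line_range`, `opcode_base`) are passed in as parameters; the byte stream at the bottom is constructed for the example and is not taken from any real binary. The LEB128 readers reject a truncated stream rather than reading past its end, which is the first thing a consumer of untrusted debug info should get right.

```python
# Added example: a small DWARF line-number program VM (not from the original page).
# Opcode numbers are the real DWARF values; header fields are passed in rather
# than parsed, and EXAMPLE_PROGRAM below is a constructed byte stream.

DW_LNS_copy = 1          # emit a (address, line) row from the current VM state
DW_LNS_advance_pc = 2    # operand: ULEB128 number of instruction units
DW_LNS_advance_line = 3  # operand: SLEB128 signed line delta
DW_LNE_end_sequence = 1  # extended sub-opcode: emit a row and reset the VM


def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 value; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated ULEB128 operand")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80):
            return result, pos


def read_sleb128(buf, pos):
    """Decode a signed LEB128 value; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated SLEB128 operand")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80):
            if b & 0x40:          # sign bit of the last group set: sign-extend
                result -= 1 << shift
            return result, pos


def run_line_program(program, min_inst_length=1, line_base=-5, line_range=14, opcode_base=13):
    """Execute the line program and return the list of (address, line) rows."""
    address, line = 0, 1      # DWARF initial register state
    rows, pos = [], 0
    while pos < len(program):
        opcode = program[pos]
        pos += 1
        if opcode >= opcode_base:
            # Special opcode: the byte itself encodes both advances.
            adjusted = opcode - opcode_base
            address += min_inst_length * (adjusted // line_range)
            line += line_base + (adjusted % line_range)
            rows.append((address, line))
        elif opcode == 0:
            # Extended opcode: ULEB128 length (including the sub-opcode byte), then sub-opcode.
            length, pos = read_uleb128(program, pos)
            if length == 0 or pos + length > len(program):
                raise ValueError("truncated extended opcode")
            if program[pos] == DW_LNE_end_sequence:
                rows.append((address, line))
                address, line = 0, 1
            pos += length         # skip the whole extended op, known or not
        elif opcode == DW_LNS_copy:
            rows.append((address, line))
        elif opcode == DW_LNS_advance_pc:
            n, pos = read_uleb128(program, pos)
            address += min_inst_length * n
        elif opcode == DW_LNS_advance_line:
            n, pos = read_sleb128(program, pos)
            line += n
        else:
            raise ValueError(f"standard opcode {opcode} not handled by this example")
    return rows


def lookup_line(rows, addr):
    """Return the source line of the last row whose address is <= addr, or None."""
    best = None
    for row_addr, row_line in sorted(rows):
        if row_addr <= addr:
            best = row_line
    return best


# Constructed stream (opcode_base=13, line_base=-5, line_range=14, min_inst_length=1):
EXAMPLE_PROGRAM = bytes([
    DW_LNS_advance_pc, 0x80, 0x20,   # address += 0x1000 (ULEB128)
    DW_LNS_advance_line, 0x09,       # line += 9  -> 10
    DW_LNS_copy,                     # row (0x1000, 10)
    0x4B,                            # special: adjusted 62 -> addr += 4, line += 1
    0x2B,                            # special: adjusted 30 -> addr += 2, line -= 3
    DW_LNS_advance_line, 0x7F,       # line += -1 (SLEB128)
    DW_LNS_advance_pc, 0x02,         # address += 2
    0x00, 0x01, DW_LNE_end_sequence, # emit final row, reset VM
])

if __name__ == "__main__":
    for address, line in run_line_program(EXAMPLE_PROGRAM):
        print(f"0x{address:x} -> line {line}")
```

Running it prints four rows, the last one produced by the end-of-sequence marker; `lookup_line` then answers the question a debugger or a crash triager actually asks, "which source line does this pc belong to?", by taking the last row at or below the address.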
<script type="text/javascript" src="utility.js"></script>
// POC Exploit for v8 issue 1104608 (https://bugs.chromium.org/p/chromium/issues/detail?id=1104608)
// author: @mistymntncop
// bug discovered by: @r3tr0spect2019
// Exploit strategy based on @r3tr0spect2019's "Real World CTF" presentation on the bug.
// https://www.youtube.com/watch?v=rSaIlBWwxsY
//
// Build d8 using:
// a) Run once
// git checkout 3505cf00eb4c59b87f4b5ec9fc702f7935fdffd0
// gclient sync --with_branch_heads