@wizche
wizche / exploit.js
Created March 22, 2021 13:45 — forked from eboda/exploit.js
Exploit for Chakrazy challenge from PlaidCTF 2017 - ChakraCore exploit
////////////////////////////////////////////////////////////////////////////
//
// The vulnerability was that the following line of code could change the type of the
// underlying Array from JavascriptNativeIntArray to JavascriptArray:
//
// spreadableCheckedAndTrue = JavascriptOperators::IsConcatSpreadable(aItem) != FALSE;
//
// As can be seen in the provided .diff, the check for whether the type of the pDestArray has changed
// was removed. If the aItem then is not a JavascriptArray, the following code path is taken:
// else