explore weird machines...
We achieve arbitrary read/write in the JavaScriptCore of WebKit
Setting the foundation for an arbitrary read/write (and re-implementing addrof and fakeobj).
Simple buffer overflow speedrun challenge, exploited with a ROP chain generated by Ropper. And analyse the timeline.
We go over the boxed vs. unboxed values, how to convert addresses to doubles and why our bug is a memory corruption.
In this video we turn the bug used in addrof() to corrupt the memory of internal JavaScriptCore Objects which can help us to compromise the engine.
We finally look at the actual exploit code! We start with the addrof() primitive, which can leak the address of a JavaScript object in memory.
Looking at the WebKit JIT compiler - the part that converts JavaScript bytecode to machine code.
Let's have a look at how JavaScriptCore implements JavaScript Objects and values like integers and floats. We can use lldb to look into the memory.
We are going to try out Linus's exploit and setup a vulnerable WebKit version including debug symbols.
