Browser Exploitation

Video series about getting started with memory corruptions in WebKit

New Series: Getting Into Browser Exploitation

The start of a new series. We will try to learn some basics about Browser Exploitation.

Setup and Debug JavaScriptCore / WebKit

We are going to try out Linus's exploit and setup a vulnerable WebKit version including debug symbols.

The Butterfly of JSObject

Let's have a look at how JavaScriptCore implements JavaScript Objects and values like integers and floats. We can use lldb to look into the memory.

Just-in-time Compiler in JavaScriptCore

Looking at the WebKit JIT compiler - the part that converts JavaScript bytecode to machine code.

WebKit RegExp Exploit addrof() walk-through

We finally look at the actual exploit code! We start with the addrof() primitive, which can leak the address of a JavaScript object in memory.

The fakeobj() Primitive: Turning an Address Leak into a Memory Corruption

In this video we use the bug behind addrof() to corrupt the memory of internal JavaScriptCore objects, which can help us compromise the engine.

Revisiting JavaScriptCore Internals: boxed vs. unboxed

We go over boxed vs. unboxed values, how to convert addresses to doubles, and why our bug is a memory corruption.

Preparing for Stage 2 of a WebKit Exploit

Setting the foundation for an arbitrary read/write (and re-implementing addrof and fakeobj).

Arbitrary Read and Write in WebKit Exploit

We achieve arbitrary read/write in the JavaScriptCore of WebKit.

Support LiveOverflow?

You can support the free educational IT security content through various means. Find out more here.
