4 matches found
Apple WebKit - JSC::SymbolTableEntry::isWatchable Heap Buffer Overflow Exploit
Exploit for multiple platforms, category: dos / poc. Indexed excerpt (punctuation stripped by the search index, truncated): function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; , unsigned int, unsigned int webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore+...
WebKit: heap-buffer-overflow in JSC::SymbolTableEntry::isWatchable (CVE-2017-2469)
I confirmed the PoC crashes the release version of Safari 10.0.3 (12602.4.8). You might need to refresh the page several times. PoC (indexed excerpt, punctuation stripped by the search index): function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; ASan log: ==55079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000c8e88 at...
Apple Webkit - JSCallbackData Universal Cross-Site Scripting
Indexed excerpt of JSCallbackData.h (operators and template arguments partly stripped by the search index, restored here where the tokens leave no ambiguity; truncated):
        : m_callback(callback->globalObject()->vm(), callback)
    JSC::JSObject* callback() { return m_callback.get(); }
    JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); }
    JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType, ...
Apple Webkit: UXSS with JSCallbackData(CVE-2017-2442)
Here is the definition of the |JSCallbackData| class. This class is used to call a JavaScript function from a DOM object. Indexed excerpt (operators partly stripped by the search index, restored here where the tokens leave no ambiguity; truncated):
    class JSCallbackDataStrong : public JSCallbackData {
    public:
        JSCallbackDataStrong(JSC::JSObject* callback, void*)
            : m_callback(callback->globalObject()->vm(), callback)
        JSC::JSObject* callback() ...