
12 matches found

0day.today
added 2018/08/17 12:00 a.m., 71 views

Microsoft Edge Chakra JIT - Scope Parsing Type Confusion Exploit

Exploit for Windows platform in category dos / poc // PoC: async function triggera = class b await 1 let spray = ; for let i = 0; i 0016 SetHomeObj R13 R14 001b NewScObjectSimple R9 001d ProfiledStFld R9.value = R2 1 0021 ProfiledStFld R9.done = R4 2 0025 Yield R9 R9...

CVSS 7.6, AI score 0.2, EPSS 0.80263
Exploits: 3
exploitpack
added 2018/08/17 12:00 a.m., 15 views

Microsoft Edge Chakra JIT - Parameter Scope Parsing Type Confusion

Microsoft Edge Chakra JIT - Parameter Scope Parsing Type Confusion // PoC: async function triggera = class b await 1 let spray = ; for let i = 0; i 0016 SetHomeObj R13 R14 001b NewScObjectSimple R9 001d ProfiledStFld R9.value = R2 1 0021 ProfiledStFld R9.done = R4 2 0025 Yield R9 R9...

AI score 0.5
Exploits: 0
Exploit DB
added 2018/08/17 12:00 a.m., 39 views

Microsoft Edge Chakra JIT - Parameter Scope Parsing Type Confusion

// PoC: async function triggera = class b await 1 let spray = ; for let i = 0; i 0016 SetHomeObj R13 R14 001b NewScObjectSimple R9 001d ProfiledStFld R9.value = R2 1 0021 ProfiledStFld R9.done = R4 2 0025 Yield R9 R9 ----------------------------------------------- 0028 ResumeYield R15 R9 002b...

AI score 7.4
Exploits: 0
Packet Storm
added 2017/09/22 12:00 a.m., 38 views

Microsoft Edge Chakra JavascriptFunction::ReparseAsmJsModule Parsing Issue

Microsoft Edge: Chakra: JavascriptFunction::ReparseAsmJsModule incorrectly re-parses CVE-2017-8755 This is similar to the issue 1271 . Here's the method used to re-parse asmjs modules. void JavascriptFunction::ReparseAsmJsModuleScriptFunction functionRef ParseableFunctionInfo functionInfo =...

CVSS 7.6, AI score 0.8, EPSS 0.76981
Exploits: 3
Packet Storm
added 2017/08/20 12:00 a.m., 82 views

Microsoft Edge Chakra Heap Buffer Overflow

IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a new InterpreterStackFrame instance on the...

CVSS 7.6, AI score 0.9, EPSS 0.81659
Exploits: 9
exploitpack
added 2017/08/17 12:00 a.m., 36 views

Microsoft Edge Chakra - Heap Buffer Overflow

Microsoft Edge Chakra - Heap Buffer Overflow IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a...

AI score 0.9
Exploits: 0
Exploit DB
added 2017/08/17 12:00 a.m., 25 views

Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrectly Re-parses

GetOriginalEntryPoint : nullptr; if this-pCurrentFunction && this-pCurrentFunction-IsFunctionParsed Assertthis-pCurrentFunction-StartInDocument == pnode-ichMin; pCurrentFunction" is the constructor, but "pnode" refers to the method "f". PoC: -- class MyClass fa printa; constructor 'use asm';...

AI score 7.4
Exploits: 0
seebug.org
added 2017/08/17 12:00 a.m., 31 views

Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule(CVE-2017-8646)

PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelper holder...", but InterpreterStackFrame::ProcessLinkFailedAsmJsModule uses it like a function. Var...

CVSS 7.6, AI score 7.6, EPSS 0.81883
Exploits: 35
0day.today
added 2017/08/17 12:00 a.m., 35 views

Microsoft Edge Chakra PushPopFrameHelper Incorrect Usage Exploit

Microsoft Edge Chakra suffers from an incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule. Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule CVE-2017-8646 PushPopFrameHelper is a class that...

CVSS 7.6, AI score 7.6, EPSS 0.81883
Exploits: 35
Exploit DB
added 2017/08/17 12:00 a.m., 23 views

Microsoft Edge Chakra - 'InterpreterStackFrame::ProcessLinkFailedAsmJsModule' Incorrect Usage of 'PushPopFrameHelper' (Denial of Service)

GetScriptContext-GetThreadContext-GetLeafInterpreterFrame; GetLoopHeaderinterpreterFrame-GetCurrentLoopNum; GetCurrentLoopNum == -1 ... PoC: -- function asmModule 'use asm'; let a = 1, 2, 3, 4; for let i = 0; i 0x100000; i++ // JIT a0 = 1; if i === 0x30000 a0 = ; // the array type changed,...

AI score 7.4
Exploits: 0
Exploit DB
added 2017/08/17 12:00 a.m., 94 views

Microsoft Edge Chakra - Heap Buffer Overflow

IsCoroutine ... else InterpreterStackFrame::Setup setupfunction, args; sizet varAllocCount = setup.GetAllocationVarCount; //printf"varAllocCount: %d%X\r\n", varAllocCount, varAllocCount; sizet varSizeInBytes = varAllocCount sizeofVar; // // Allocate a new InterpreterStackFrame instance on the...

AI score 7.4
Exploits: 0
Packet Storm
added 2017/08/16 12:00 a.m., 35 views

Microsoft Edge Chakra PushPopFrameHelper Incorrect Usage

Microsoft Edge: Chakra: Incorrect usage of PushPopFrameHelper in InterpreterStackFrame::ProcessLinkFailedAsmJsModule CVE-2017-8646 PushPopFrameHelper is a class that pushes the current stack frame object in its constructor and pops it in the destructor. So it should be used like "PushPopFrameHelp...

CVSS 7.6, AI score 0.3, EPSS 0.81883
Exploits: 35