
10 matches found

0day.today
added 2021/04/06 12:0 a.m., 93 views

Google Chrome 81.0.4044 V8 - Remote Code Execution Exploit

Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution Exploit Author: Tobias Marcotto Tested on: Kali Linux x64 Version: 83.0.4103.106 Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a...

CVSS 8.8, AI score 9.2, EPSS 0.26284
Exploits: 6
Packet Storm
added 2021/04/06 12:0 a.m., 828 views

Google Chrome 81.0.4044 V8 Remote Code Execution

Exploit Title: Google Chrome prior 83.0.4103.106 V8 - Remote Code Execution Date: 06/04/2021 Exploit Author: Tobias Marcotto Tested on: Kali Linux x64 Version: 83.0.4103.106 Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially...

CVSS 6.8, AI score 0.5, EPSS 0.26284
Exploits: 6
0day.today
added 2019/12/09 12:0 a.m., 538 views

Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack Exploit

// Axel '0vercl0k' Souchet - November 19 2019 // EDB Note: Download https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47752.zip // 0:000 ? xul!sAutomationPrefIsSet - xul // Evaluate expression: 85724947 = 00000000051c0f13 const XulsAutomationPrefIsSet = 0x051c0f13...

CVSS 10, AI score 0.3, EPSS 0.80195
Exploits: 15
0day.today
added 2018/07/12 12:0 a.m., 37 views

Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes Exploit

Exploit for windows platform in category dos / poc / It seems that this issue is similar to the issue 1429 MSRC 42111. It might need to refresh the page several times to observe a crash. PoC: / let arr = new Uint32Array1000; for let i = 0; i 0x1000000; i++ for let j = 0; j 1; j++ i--; i++; arri =...

CVSS 7.6, AI score 7.8, EPSS 0.72098
Exploits: 6
exploitpack
added 2017/09/12 12:0 a.m., 23 views

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization (1)

WebKit JSC - BytecodeGenerator::emitGetByVal Incorrect Optimization 1 Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type ==...

AI score 0.5
Exploits: 0
Exploit DB
added 2017/09/12 12:0 a.m., 39 views

WebKit JSC - 'BytecodeGenerator::emitGetByVal' Incorrect Optimization (1)

Let's start with JS code. let o = ; for let i in xx: 0 oi; 0; i-- ForInContext& context = mforInContextStacki - 1.get; if context.local != property continue; if !context.isValid break; if context.type == ForInContext::IndexedForInContextType property = staticcastcontext.index; break;...

AI score 7.4
Exploits: 0
exploitpack
added 2017/08/17 12:0 a.m., 12 views

Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter #2

Microsoft Edge Chakra - Incorrect JIT Optimization with TypedArray Setter 2 a0 = ; return 0; ; a0.toString; main; I just changed "var b = new Uint32Array100;" to "var b = new Uint32Array0;", and it worked well. PoC: -- 'use strict'; function funca, b, c a0 = 1.2; b0 = c; a1 = 2.2; a0 = 2.3023e-32...

AI score 1.2
Exploits: 0
exploitpack
added 2017/05/26 12:0 a.m., 15 views

Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write

Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write // Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/ // // v8 exploit for https://crbug.com/716044 var oobrw = null; var leak = null; var arbrw = null; var code = function return 1; code; class BuggyArray extend...

AI score 0.2
Exploits: 0
0day.today
added 2015/01/30 12:0 a.m., 35 views

X360 VideoPlayer ActiveX Control 2.6 - Full ASLR & DEP Bypass Exploit

Exploit for windows platform in category remote exploits !-- Exploit Title: X360 VideoPlayer ActiveX Control RCE Full ASLR & DEP Bypass Author: Rh0 Date: Jan 30 2015 Affected Software: X360 VideoPlayer ActiveX Control 2.6 VideoPlayer.ocx Vulnerability: Buffer Overflow in Data Section Tested on:...

AI score 7.1
Exploits: 0
Prion
added 2012/02/07 4:9 a.m., 15 views

Integer overflow

Multiple integer overflows in Opera 11.60 and earlier allow remote attackers to cause a denial of service application crash via a large integer argument to the 1 Int32Array, 2 Float32Array, 3 Float64Array, 4 Uint32Array, 5 Int16Array, or 6 ArrayBuffer function. NOTE: the vendor reportedly...

CVSS 5, AI score 7.1, EPSS 0.00481
Exploits: 1, References: 2, Affected Software: 1