ommadawn46/chakra-type-confusions

Chakra Type Confusions - PoCs of Edge's legacy JS engine vulnerabilities that inject code into the JIT process

Chakra Type Confusions

This repository contains PoCs for type confusion vulnerabilities in the ChakraCore engine used by Microsoft Edge (EdgeHTML version, not Chromium-based Edge).

The PoCs inject dummy code (specifically an int 3 followed by nop) into a Just-In-Time (JIT) compilation process.

To verify the PoCs, attach a debugger to a JIT compilation process (one of the MicrosoftEdgeCP.exe processes) and execute the PoCs.

Tested Environment

• Windows 10 Version 1703 (OS Build 15063.0)

Type Confusion Vulnerabilities

• CVE-2019-0567
  • InitProto
  • NewScObjectNoCtor
• CVE-2019-0539
• CVE-2018-8617

References

• Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability
• CVE-2019-0539 to Remote Code Execution (RCE)
• Bypassing Mitigations by Attacking JIT Server in Microsoft Edge