browser pwn, my main work now.
-
browser_pwn_basic_knowledge
description: some basic knowledge and scripts of browser pwn.
related link: None
finished date: 2019
-
starctf2019-oob
description: d8 basic pwn game, with oob vuln.
writeup: None
related link: None
-
数字经济-final-browser
description: callback of Object::ToNumber to form uaf and oob write.
writeup: None
related link: None
finished date: 2019
-
plaidctf2018-roll_a_d8
description: oob vuln in Array.from
writeup: None
related link: chromium commit
finished date: 2019
-
array_prototype_map_oob_write
description: an oob write vuln in the Array.prototype.map function, abusing Symbol.species
writeup: None
official link: chromium commit
finished date: 2019
-
cve-2018-17463
description: ObjectCreate's side-effect annotation
writeup: None
official link: chromium commit
finished date: 2020
-
34c3ctf-v9
description: exp for v9 in 34c3ctf, bug in redundancy-elimination
writeup: None
official link: v9
finished date: 2020
-
35c3ctf-krautflare
description: exp for krautflare in 35c3ctf, bug in type optimization
writeup: None
official link: Issue 1710: Chrome: V8: incorrect type information on Math.expm1
finished date: 2020
-
google-ctf2018-final-just-in-time
description: exp for the just-in-time game in google ctf 2018 final, bug in type optimization, exploited using the behaviour of Number.MAX_SAFE_INTEGER.
writeup: None
official link: pwn-just-in-time
finished date: 2020
-
qwb2019-final-groupupjs
description: exp for qwb 2019 final groupupjs, oob bug in kUint32LessThan.
writeup: None
official link: None
finished date: 2020
-
cve-2016-5168
description: invalid stable-map assumption for globals in Crankshaft, exploited with a null String object
writeup: None
official link: Fix
finished date: 2020
-
cve-2017-5070
description: incorrect side-effect judgement for global values.
writeup: None
official link: issue
finished date: 2020
-
cve-2020-6418
description: JSCreate can have side effects, bug in receiver maps inference.
writeup: browser-pwn cve-2020-6418 vulnerability analysis
official link: commit
finished date: 2020
-
Issue 762874
description: the Typer put the wrong type on the String.indexOf and String.lastIndexOf builtins, with an off-by-one on the upper bound. exploited on versions 6.3 and 7.4
writeup: None
official link: commit-762874, commit-7bb6dc0e06fa158df508bc8997f0fce4e33512a5
finished date: 2020
-
Issue 913296
description: wrong typing of SpeculativeSafeIntegerSubtract; only a poc, failed to build an exploit.
writeup: None
official link: commit-913296
finished date: 2020
-
cve-2019-5782
description: wrong typing of ArgumentsLength, easy to exploit.
writeup: None
official link: commit-8e4588915ba7a9d9d744075781cea114d49f0c7b
finished date: 2020
-
issue-944062
description: missing map checks in the reducer of array.indexOf and array.includes.
writeup: None
official link: commit-e80082bf549aa26d6e30f114a23a05df9c510849
finished date: 2020
-
issue-746946
description: incorrectly generated elements-kind transitions from stable maps.
writeup: None
official link: commit-ea55b873f2ed8336604540a532cbd460eeb66430
finished date: 2020
-
rwctf2019-Accessible
description: deleting the FieldTypeDependency of property access causes the vuln
writeup: None
official link: None
finished date: 2020
-
wctf2019-Independence_Day
description: patched compilation dependency and no-exposed-wasm problem
writeup: None
official link: Independence Day (win)
finished date: 2020
-
issue-941743
description: Array.prototype.map wrong ElementsKind for output array.
writeup: None
official link: commit
finished date: 2020
-
issue-799263
description: missing Kill transition-kind source map in load elimination.
writeup: None
official link: commit
finished date: 2020