/exploits

This repository contains multiple exploits I have written for various CVEs and CTFs

Primary LanguageJavaScript

Exploits

This repository contains some exploits I have written for various bugs (some of these exploits are ancient and vanilla, they are indexed here regardless).

Typically, moving forward, my exploits will predominantly aim to be those pertaining to browser and (maybe) iOS and Android exploitation (with exception). Alongside my own written exploits that corroborate with identified bugs that are actively being exploited in the wild. For more information on the latter, refer to CISAs Known Exploited Vulnerabilities Catalogue.

CVE ID Description Target OS Arch
CVE-2024-0517 The vulnerability resides in the VisitFindNonDefaultConstructorOrConstructMaglev function where the Maglev compiler performs an allocation folding optimisation. The bug is leveraged by initiating a garbage collection event over this folded allocation, resulting in a second-order out-of-bounds write on a free space object. This allows for type confusion upon attaining the desired memory shape, leading to arbitrary code execution. The exploit is chained with a heap sandbox (ubercage) escape via tiering budgets (i.e. WasmInstanceObject's tiering_budget_array was allocated on the system heap and referenced from the (on-heap) WasmInstanceObject through a raw pointer) Linux x64
CVE-2023-3079 Type confusion as a result of a logic issue in Chrome's V8 Inline Cache subsystem, procedure KeyedStorelC::StoreElementHandler. Windows, Linux, MacOS (x64) x64
CVE-2020-16040 Chrome's V8 JIT compiler's Simplified Lowering VisitSpeculativeIntegerAdditiveOp was setting Signed32 as restriction type, even when relying on a Word32 truncation, skipping an overflow check. To summarise, the problem was due to a mistyping of nodes despite the value wrapping/overflowing. Which allowed for a typer hardening bypass to achieve out-of-bounds r/w primitives, leading to arbitrary remote code execution within the renderer's process. Windows, Linux, MacOS x64, ARM64
CVE-2018-6537 Structure Exception Handling (SEH) overflow in the control protocol Windows 10 Pro x86
CVE-2017-14980 Vanilla Stack Overflow via /login parameter Windows 10 Pro x86
CVE-2012-5002 Vanilla Stack Overflow Ricoh DC DL-10-FTP-Server SR10 Windows Server 2003 (0SP) x86
CVE-2002-1120 Savant Web Server =< 3.1 Buffer Overflow (Egghunter employed due to buffer restrictions) Windows 10 Pro x86