This repository contains exploits I have written for various bugs (some of them are ancient and vanilla; they are indexed here regardless).
Going forward, the exploits will predominantly target browsers and, possibly, iOS and Android (with exceptions), alongside exploits I write for bugs that are actively being exploited in the wild. For the latter, refer to CISA's Known Exploited Vulnerabilities Catalog.
CVE ID | Description | Target OS | Arch |
---|---|---|---|
CVE-2024-0517 | The vulnerability resides in the Maglev compiler's VisitFindNonDefaultConstructorOrConstruct function, where an allocation-folding optimisation is performed. The bug is triggered by forcing a garbage-collection event over the folded allocation, which yields a second-order out-of-bounds write onto a free-space object. Once the desired memory shape is attained, this gives type confusion and, from there, arbitrary code execution. The exploit is chained with a V8 heap sandbox (ubercage) escape via tiering budgets: WasmInstanceObject's tiering_budget_array was allocated on the system heap and referenced from the (on-heap) WasmInstanceObject through a raw pointer. | Linux | x64 |
CVE-2023-3079 | Type confusion resulting from a logic issue in V8's inline-cache (IC) subsystem, in KeyedStoreIC::StoreElementHandler. | Windows, Linux, macOS | x64 |
CVE-2020-16040 | In V8's TurboFan JIT compiler, the Simplified Lowering phase's VisitSpeculativeIntegerAdditiveOp set Signed32 as the restriction type even when relying on a Word32 truncation, so the overflow check was skipped. In short, nodes were mistyped despite the value wrapping, which allowed a typer-hardening bypass to obtain out-of-bounds read/write primitives and, from those, arbitrary code execution in the renderer process. | Windows, Linux, macOS | x64, ARM64 |
CVE-2018-6537 | Structured Exception Handling (SEH) overflow in the control protocol. | Windows 10 Pro | x86 |
CVE-2017-14980 | Vanilla stack overflow via the /login parameter. | Windows 10 Pro | x86 |
CVE-2012-5002 | Vanilla stack overflow in the Ricoh DC DL-10 FTP server (SR10). | Windows Server 2003 (SP0) | x86 |
CVE-2002-1120 | Savant Web Server <= 3.1 buffer overflow (an egghunter is employed because of buffer-size restrictions). | Windows 10 Pro | x86 |