saelo / cve-2018-4233

Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018


CVE-2018-4233

Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3.

For more details see https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf

The exploit gains arbitrary memory read/write by constructing the addrof and fakeobj primitives and subsequently faking a typed array as described in http://www.phrack.org/papers/attacking_javascript_engines.html. Afterwards it locates the JIT page and writes the stage1 shellcode there. That in turn writes a .dylib (contained in stage2.js) to disk and loads it into the renderer process to perform a sandbox escape. Stage 2 uses a separate vulnerability to break out of the Safari sandbox and will be published at a later point.



Languages

- JavaScript 82.7%
- Assembly 8.1%
- Python 4.5%
- HTML 3.1%
- C 0.9%
- Makefile 0.7%