Microsoft edge chakra jit stacktoheap copy (incomplete fix) (1) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2018-04-03 |
Type : dos |
Platform : windows
This exploit / vulnerability Microsoft edge chakra jit stacktoheap copy (incomplete fix) (1) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
/*
Here's a snippet of JavascriptArray::BoxStackInstance. To fix issue 1420 , "deepCopy" was introduced. But it only deep-copies the array when "instance->head" is on the stack. So simply by adding a single line of code that allocates "head" to the heap, we can bypass the fix.
template <typename T>
T * JavascriptArray::BoxStackInstance(T * instance, bool deepCopy)
{
Assert(ThreadContext::IsOnStack(instance));
// On the stack, the we reserved a pointer before the object as to store the boxed value
T ** boxedInstanceRef = ((T **)instance) - 1;
T * boxedInstance = *boxedInstanceRef;
if (boxedInstance)
{
return boxedInstance;
}