WebKit RegExp Exploit addrof() walk-through

Part 4: We finally look at the actual exploit code. We start by understanding the addrof() primitive used to leak the address of a JavaScript object in memory.

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.

#browserexploitation
Comments

It's awesome that you not just show the exploit but also show the real issue of the compiler and optimize the exploit.

christian

That "well known" killed me 😂

bennesp

Really great video. I love your way of making these scripts even more efficient.

onkz

Well-known Symbols: In addition to user-defined symbols, JavaScript has some built-in symbols. These represent internal language behaviors which were not exposed to developers in ES5.

kevinjohansson

Missed a golden opportunity to make the video 6 seconds longer...

tsoer

This channel is so informative. You are really a great teacher.

bigmistqke

I'm learning so much more about JS through these videos. (I'm kinda scared of languages with pointers)

thatanimeweirdo

How can someone even think of that? Did he take a look at the slow and fast functions by mistake and noticed the lack of checks?
It's fascinating how random discoveries can be.

AxelMontini

It's amazing how they managed to make JavaScript fast.

victornpb

2:06 You don't have to leave your JavaScript interpreter to convert from float to hex. You can do it in one line of js:

new Uint32Array(new

pereJobs

That's awesome! Thanks for looking into it. Really interesting stuff there. I wonder how many other bugs are hidden in those optimizations. One can't think of every edge-case, right?

EinTypOhneHandle

It doesn't mean "well known by programmers" 😅

pereJobs

Being able to pass arbitrary objects into internal execution engine code is simply not acceptable, but you're telling me that this huge vulnerability can be patched with a simple type check? If only we had a language feature that would help us find these mistakes. Wait. It actually exists (but not in js lol) and it's called strong typing.

BALAGE

The video should have been 6 seconds longer...

MrTare

Huh, so... Why does the regex implementation not bail when `.lastIndex` isn't a number? Seems like a stupid use of oven gloves...

Asdayasman

Neat, so they didn't really fix it.

japrogramer

Dynamically typed languages are so annoying...

gabiold

JS. the. world's. leading. prg. language.

bandie

The technical details of exploit

/ \
___/ Me

sontapaajokulainen

So, even after it is patched, if you are able to take the faster route you can still perform the exploit. Fascinating.

capkenway