Arbitrary Read and Write in WebKit Exploit

We finally achieve arbitrary read/write and talk about the various possibilities we now have.

All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
Comments

The memory drawings are very helpful, thanks for the great series!

samfoxman

Use this for popunders!!


make an <a> element with an onmousedown which opens a window/tab
make a new MouseEvent with 'let e = new MouseEvent("mousedown")'
then use 'addrof(e.isTrusted)' to get the address of the isTrusted var
then use 'write64(address of isTrusted, 0x07 (how WebKit stores true (boxed)))' to set isTrusted to true
and now to trigger the new window just get the <a> element with getElementById
and then do '<a> element.dispatchEvent(e)'
and this should not require any user action.

tbois

I wish there was more content like this on YouTube!

yaskazal

I absolutely LOVE all your videos and greatly appreciate the wonderful attention to detail you have. I have one tiny request to ask. Your English is fantastic, but sometimes when a non-native speaker speaks quickly, especially when there isn't a lot of contextual information, like when they are using technical language, it can be very difficult to piece together 100% of what you are saying. If you could possibly slow down a tiny bit in those parts of your narration it would really help make what you're saying 100% clear. Thank you so much again.

lptf

Why can't you modify the GC to think your memory region doesn't need cleaning, and/or convince the GC your object encompasses a large area where all of your structures are?

gameglitcher

That was really nice and detailed about this series. I really loved learning browser exploitation. So can we expect some V8 and SpiderMonkey exploitation... thanks in advance 🙂

kiyotaka

Hey, this is really awesome! Good job

zacksargent

This kind of thing is pretty scary. One tiny bug in a regex function and suddenly the entire programming language is insecure! -.-;;
One thing that surprises me a bit is that the JS internal fields aren't protected, i.e. kept in a separate area of memory and the language doesn't permit access to that memory from code at all. Similar to kernel-space and user-space in an OS. I guess such an approach would slow things down too much though.

almightyhydra

Quick question: how do I get the back-end code of a website to check for vulnerabilities?

aminezitoun

Why did we use the .a property for read/write instead of using array indices?

unknownchasen

Maybe I'm missing something, but it doesn't look like the workaround conversion of boxed to unboxed values is working. At 5:15 the value in memory is 0x4142414142424242, which is more than the supplied value. It seems boxed to me.

VatsalyaGoel

Got a little too excited at the end there, friend... Should we be concerned?

singularity

33 minutes after upload, where is everyone?

PlatinaSB

Hope for another video on how to execute shellcode, I found it's hard to debug...

keenanwang

Instructions unclear: ended up hacking Tim Cook's computer

mixk

What computer do you use to make content for this channel?

suppapansuenis

Hey LiveOverflow. I just finished high school and can't decide between pentesting and robotics, I'm hoping that knowing more about exploits and how to make them will help me in my journey. Do you know any website where I can learn how to make exploits and learn pentesting on Kali Linux specifically?

chrisstan

Hi bro, can you recover my Gmail account without the pass and recovery email? I forgot both and now I need it.

hamimurrahman

Why not use a typed array? You just make the victim's butterfly point into a Uint8Array and then overwrite the m_vector value; thus you can make it point to wherever you want and don't have to deal with those nasty JSValues.

quantumbracket

Holy crap, don't tell AdFly, they will release XSS ads and f*ck websites up.

Preinstallable