Safari Proxy Object Type Confusion

Posted by deepcore on December 15, 2018 – 2:46 am

This Metasploit module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« Cisco RV110W Password Disclosure / Command Execution Facebook And Google Reviews System For Businesses 1.1 Code Execution »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

Safari Proxy Object Type Confusion

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL