A Pwn2Own SpiderMonkey JIT Bug: From Integer Range Inconsistency to Bound Check Elimination then RCE.
This repository contains PoC, Exploit and Analysis Slides for CVE-2024-29943.
- Github Git Commit: afbdf6822c9e9f9b6d44b9ea6904cb10878126b1
- Operating System: Ubuntu 22.04
- Architecture: amd64
- Command Line Arguments:
./js --ion-offthread-compile=off --spectre-mitigations=off PoC.js
- Patch for JitSpew Debug: JitSpew.patch
- Shoutout to Manfred Paul for finding the bug.
- Shoutout to @maxpl0it for giving the integer range inconsistent PoC.
- https://hg.mozilla.org/mozilla-central/rev/45d29e78c0d8f9501e198a512610a519e0605458
- https://github.com/mozilla/gecko-dev/commit/81806e7ccec7dde41e37c9891592a6e39ce46380
- https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/
- https://starlabs.sg/blog/2020/04-tianfu-cup-2019-adobe-reader-exploitation/