$hell on Earth
GetIntegerString returns the value of aValue after casting it to a 32-bit integer:

    JavascriptString* ScriptContext::GetIntegerString(Var aValue)
    {
        return this->GetIntegerString(TaggedInt::ToInt32(aValue));
    }
Based on that information, the lower 32 bits of the current object's address can be obtained through the TypeIds_Integer case.

The upper 32 bits of the address can be recovered using the TypeIds_UInt64Number type, which returns a 64-bit value located at aValue+0x10.

The DataView object's memory was freed and refilled with NativeFloatArray objects. As long as the NativeFloatArray size is small, the array elements are allocated next to each other. Fake DataView objects were then created to perform reads and writes on process memory.

To bypass CFG, this chain used a setjmp call to obtain the stack address and overwrite the return address.
CVE-2016-0191 Patch<br />
Microsoft already had a function that returns undefined. Instead, the wrong function was used, and that function can leave subItem uninitialized.

For the fix, Microsoft simply switched to the right GetItem definition:
    if (JavascriptOperators::HasItem(itemObject, idxSubItem))
    {
        subItem = JavascriptOperators::GetItem(itemObject, idxSubItem, scriptContext);
        if (pDestArray)
        {
            pDestArray->DirectSetItemAt(idxDest, subItem);
        }
    }
If GetItem fails, it returns undefined in subItem, so no uninitialized value reaches the destination array.
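As an added illustration (not Chakra's code), the C++ model below contrasts the two getter shapes discussed above: a boolean-returning getter that leaves its out-parameter untouched on failure, beside the HasItem/GetItem form used in the fix. The ItemObject map, the Var tagging and the StalePoison sentinel standing in for uninitialized stack contents are constructed for this example.

```cpp
// Added example, not Chakra's code: models why the patched GetItem shape matters.
#include <cstdint>
#include <map>
#include <vector>

// Constructed tagging: 0 means "undefined", any other value is a real item.
typedef uint64_t Var;
static const Var Undefined = 0;
// Stands in for whatever the stack slot held before the call (deterministic model
// of an uninitialized variable, so the example stays free of undefined behaviour).
static const Var StalePoison = 0xDEADBEEFCAFEF00DULL;

typedef std::map<int, Var> ItemObject; // sparse, array-like object with holes

// Pattern A: success flag plus out-parameter; on a hole *out is NOT written.
static bool GetItemBool(const ItemObject& obj, int idx, Var* out) {
    ItemObject::const_iterator it = obj.find(idx);
    if (it == obj.end()) return false;
    *out = it->second;
    return true;
}

static bool HasItem(const ItemObject& obj, int idx) { return obj.count(idx) != 0; }

// Pattern B: always yields a value; holes become undefined.
static Var GetItem(const ItemObject& obj, int idx) {
    ItemObject::const_iterator it = obj.find(idx);
    return it == obj.end() ? Undefined : it->second;
}

// Vulnerable copy: the flag is discarded, so a hole forwards whatever subItem
// already held (stale stack data on the first miss, the previous item later).
std::vector<Var> CopyItemsVulnerable(const ItemObject& src, int len) {
    std::vector<Var> dest;
    Var subItem = StalePoison;            // models the uninitialized slot
    for (int i = 0; i < len; ++i) {
        GetItemBool(src, i, &subItem);    // return value ignored
        dest.push_back(subItem);
    }
    return dest;
}

// Fixed copy: the HasItem/GetItem shape from the patch; every hole is undefined.
std::vector<Var> CopyItemsFixed(const ItemObject& src, int len) {
    std::vector<Var> dest;
    for (int i = 0; i < len; ++i) {
        Var subItem = Undefined;
        if (HasItem(src, i)) subItem = GetItem(src, i);
        dest.push_back(subItem);
    }
    return dest;
}
```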
51 | $hell on Earth: From Browser to System Compromise