At OffensiveCon 2018 I presented my already a bit dated ASM.JS JIT-Spray research. You can find more information in previous blogposts.

Besides using arithmetic calculations and array elements, another interesting technique to spray payloads is to use float values. Using these values as payload bytes has the advantage that an attacker’s shellcode resides continuous in memory at run time, because the float values are next to each other located in a constant pool. As the payload bytes are not interrupted by disturbing opcodes emitted by the ASM.JS compiler, all eight bytes of a double float constant are usable as payload.

If you are into (over)hyping and naming vulnerabilities you can call it: ConstantDesaster

In part 1 I disclosed details about ASM.JS JIT-Spray in Mozilla Firefox <51 (32-bit) on Windows (CVE-2017-5375). Before going into details of the patch and its bypass resulting in CVE-2017-5400, here are two more (maybe known) methods of hiding x86 code in ASM.JS constants in Firefox.

TL;DR: This is the story about ASM.JS JIT-Spray in Mozilla Firefox (x86 32-bit) on Windows tracked as CVE-2017-5375 and CVE-2017-5400. It allows to fully bypass DEP and ASLR.

I always liked the idea of JIT-Spray since the first time I saw it being used for Flash in 2010. Just to name a few, JIT-Spray has been used to exploit bugs in Apple Safari, create info leak gadgets in Flash, attack various other client software, and has even been abusing Microsoft’s WARP Shader JIT Engine

This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.

Reading this article requires some familiarity with WinDbg, heap spray , and info-leaks.

Hope you enjoy it.