ρ


program analysis, reversing & exploit writing

The Return of the JIT (Part 1)

TL;DR: This is the story of ASM.JS JIT-Spray in Mozilla Firefox (x86 32-bit) on Windows, tracked as CVE-2017-5375 and CVE-2017-5400. It allows DEP and ASLR to be fully bypassed.

I have always liked the idea of JIT-Spray since the first time I saw it being used against Flash in 2010. Just to name a few, JIT-Spray has been used to exploit bugs in Apple Safari, to create info-leak gadgets in Flash, to attack various other client software, and has even abused Microsoft's WARP Shader JIT Engine

Fun With Info-Leaks

This article is about information leaks in the form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP and gain remote code execution. While the software containing the bug might not be that popular, it's quite nice what can be done with the bug.

Reading this article requires some familiarity with WinDbg, heap spray, and info-leaks.

Hope you enjoy it.