Novel Points: Exploit the Heap Overflow Bug *CTF 2019 oob-v8

Read the original article: Novel Points: Exploit the Heap Overflow Bug *CTF 2019 oob-v8


2. Many Heap Overflow Bugs Can Be Exploited in a Similar Way

I have introduced a v8 heap overflow bug before: V8 Array Overflow Exploitation: 2019 KCTF Problem 5 小虎还乡 – Pwn By Kenny. This post covers another one: *CTF 2019 oob-v8. Two points in this post are worth your attention: 1) This bug only lets you read or overwrite one specific 8-byte slot, yet it can be turned into arbitrary reads and writes. 2) Although it is a different heap overflow bug, it can be exploited in much the same way as the 2019 KCTF Problem 5 bug; in fact, many heap overflow bugs can be exploited along the same lines. To make the comparison easy, I use the same headings as in the 2019 KCTF Problem 5 post. Feel free to compare the two posts!

3. PoC of the V8 Heap Overflow Vulnerability – *CTF 2019 oob-v8

PoC code is the code that triggers a bug. For the *CTF 2019 oob-v8 bug, we can read out of bounds with “JSArray.oob();” and write out of bounds with “JSArray.oob(value);”. JSArray is the v8 object that represents an array: if you write “var arr = [1.1];”, a JSArray object for arr exists in memory. “arr.oob();” returns the 8 bytes immediately beyond the array’s element area, and “arr.oob(2.2);” overwrites those same 8 bytes with 2.2. For more information about JSArray, please visit V8 Objects and Their Structures – Pwn By Kenny.
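To make the behaviour of the oob accessor concrete, here is an added model of it in plain JavaScript (example code written for this post, not v8's own builtin and not the challenge patch): a single ArrayBuffer stands in for the heap, the array's element store is a slice of it, and the constructed value 4.4 stands in for whatever object happens to follow the elements. The vulnerable accessor addresses index length, one past the last element, while the hardened accessor rejects anything outside [0, length).

```javascript
// Model of the *CTF 2019 oob-v8 bug (added example, not v8 code).
// One ArrayBuffer plays the role of the heap; an array's element store
// is a slice of it, so the 8 bytes after the last element belong to
// whatever was allocated next.
const heap = new ArrayBuffer(64);
const heapF64 = new Float64Array(heap);

// Constructed layout: the elements of `var arr = [1.1];` start at offset 0
// and hold one double; offset 8 is the first word of the neighbouring object.
heapF64[0] = 1.1;
heapF64[1] = 4.4; // constructed stand-in for the neighbour's first 8 bytes

// Minimal JSArray model: base offset of its element store plus its length.
class JSArrayModel {
  constructor(base, length) { this.base = base; this.length = length; }

  // Vulnerable accessor, mirroring the challenge's Array.prototype.oob:
  // it uses index == length, i.e. the slot right after the element area.
  oob(value) {
    const idx = this.base / 8 + this.length; // no bounds check at all
    if (value === undefined) return heapF64[idx];
    heapF64[idx] = value;
  }

  // Hardened accessor: the index must satisfy 0 <= index < length.
  at(index, value) {
    if (!Number.isInteger(index) || index < 0 || index >= this.length) {
      throw new RangeError(`index ${index} out of bounds for length ${this.length}`);
    }
    const idx = this.base / 8 + index;
    if (value === undefined) return heapF64[idx];
    heapF64[idx] = value;
  }
}

const arr = new JSArrayModel(0, 1); // elements at offset 0, length 1

// arr.oob() reads the neighbour's 8 bytes (4.4 in this constructed heap).
function demoRead() { return arr.oob(); }
// arr.oob(2.2) overwrites those same 8 bytes; the neighbour now holds 2.2.
function demoWrite() { arr.oob(2.2); return heapF64[1]; }
// The hardened accessor refuses the one-past-the-end index.
function demoHardened() {
  try { arr.at(1); return 'allowed'; }
  catch (e) { return e instanceof RangeError ? 'rejected' : 'error'; }
}
```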
