/* Here's a snippet of the method. ASSIGN_RETURN_FAILURE_ON_EXCEPTION( isolate, captures_length_obj, Object::ToLength(isolate, captures_length_obj)); const int captures_length = PositiveNumberToUint32(*captures_length_obj); ... if (functional_replace
/* LdThis instructions' value type is assumed to be Object. Since this can be other objects like an array, it has to be assumed to be LikelyObject, otherwise, operations to this will not be checked properly. PoC: */ function opt(arr) { arr[0] = 1.1;
/* This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552). If a JavaScript function is used as a constructor, it sets the new object's __proto__ to its prototype. The JIT compiler uses NewScObjectNoCtor instructions to perform it
/* This is similar to the previous issue 1457. But this time, we use Array.prototype.reverse. Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of this to a Var array. Call flow: JavascriptArray::En
/* If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method. In the JIT compiler, it uses InitProto instructions to set object literals' prototype. But when optimizing thos
/* Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag. template <class Fn> inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall) { ... Js::Im
/* Let's consider the following example code. function opt() { let arr = []; return arr['x']; } // Optimize the opt function. for (let i = 0; i < 100; i++) { opt(); } Array.prototype.__defineGetter__('x', function () { }); opt(); Once the opt function
It seems this is the patch for the bug. https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a The following two cases will bypass the fix. 1: function opt() { let obj = new Number(2.3023e-320); for (let i
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit
# Exploit Author: Juan Sacco jsacco@exploitpack.com # Vulnerability found using Exploit Pack v10 - http://exploitpack.com # # Impact: # An attacker could exploit this vulnerability to execute arbitrary code in the # context of the application. Faile
By default, uTorrent creates an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* webs