Blazefox exploits for Windows 10 RS5 64-bit
December 9, 2019 ยท View on GitHub
This the repository associated with the article Introduction to SpiderMonkey exploitation.
Overview
Blazefox is an exploitation challenge written by itszn for Blaze CTF 2018. The author added a blaze method to JavaScript Arrays that sets the size of the backing buffer to 420. This gives the attacker an out-of-bounds memory primitive.

Organization
- Three exploits are documented and available in exploits,
- A WindDbg JavaScript extension that allows to dump
js::ValueandJSObjectobjects in sm, - Various scripts built during the research in scripts,
- An x64 debug build of the JavaScript shell (along private symbol information) in js-asserts, and an x64 release build in js-release,
- The sources matching js-release private symbol information in src/js,
- Last but not least, 7z archives of the Firefox binaries (along with
xul.dllprivate symbol information) I compiled for Windows 64-bit in ff-bin.7z.