Blazefox exploits for Windows 10 RS5 64-bit

December 9, 2019 ยท View on GitHub

This the repository associated with the article Introduction to SpiderMonkey exploitation.

Overview

Blazefox is an exploitation challenge written by itszn for Blaze CTF 2018. The author added a blaze method to JavaScript Arrays that sets the size of the backing buffer to 420. This gives the attacker an out-of-bounds memory primitive.

ifrit.js

Organization

  • Three exploits are documented and available in exploits,
  • A WindDbg JavaScript extension that allows to dump js::Value and JSObject objects in sm,
  • Various scripts built during the research in scripts,
  • An x64 debug build of the JavaScript shell (along private symbol information) in js-asserts, and an x64 release build in js-release,
  • The sources matching js-release private symbol information in src/js,
  • Last but not least, 7z archives of the Firefox binaries (along with xul.dll private symbol information) I compiled for Windows 64-bit in ff-bin.7z.