Related vulnerability
Description
An in-the-wild V8 type confusion bug.
Introduction
# CVE-2024-4947
An in-the-wild V8 type confusion bug.
This repository contains analysis and PoCs that escalate this vulnerability into the same exploit pattern as CVE-2024-12695, Object Hash Reassign.
Analysis: [Analysis.md](Analysis.md)
## Reproduce Information
- OS: Ubuntu 24.04
- Git Commit: [12.4.254.16](https://chromium.googlesource.com/v8/v8/+/refs/tags/12.4.254.16)
## Acknowledgement
- Shoutout to [Vasily Berdnikov @vaber_b](https://twitter.com/vaber_b) and [Boris Larin @oct0xor](https://twitter.com/oct0xor) for finding the bug.
- Shoutout to [@buptsb](https://x.com/buptsb) and [@mistymntncop](https://x.com/mistymntncop) for writing a detailed analysis of this bug, which provided valuable insight for further research on it.
- Shoutout to 303f06e3 and [Dimitri Fourny @DimitriFourny](https://x.com/DimitriFourny) for revealing the brand new exploit pattern, *Object Hash Reassign*.
## References
1. https://issues.chromium.org/issues/340221135
2. https://web.archive.org/web/20250426073331/https://buptsb.github.io/blog/post/CVE-2024-4947-%20v8%20incorrect%20AccessInfo%20for%20module%20namespace%20object%20causes%20Maglev%20type%20confusion.html
3. https://issues.chromium.org/issues/383647255
4. https://bugscale.ch/blog/dissecting-cve-2024-12695-exploiting-object-assign-in-v8/
## Disclaimer
This repository is intended solely for educational purposes and must not be used for any malicious activities.
File snapshot

```
[4.0K] /data/pocs/03fde5ced418a50b3212d555cae167b3fcf36f22
├── [3.5K] Analysis.md
├── [4.0K] images
│   └── [ 72K] PointToRelation.png
├── [4.0K] PoCs
│   ├── [4.0K] Modified
│   │   ├── [  19] Module.mjs
│   │   ├── [1.2K] PoC1.mjs
│   │   ├── [1.2K] PoC2.mjs
│   │   └── [ 286] x64.ReleaseAssertionDebug.args.gn
│   └── [4.0K] Original
│       ├── [  20] Module.mjs
│       └── [ 424] PoC.mjs
└── [1.4K] README.md

4 directories, 9 files
```
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source has become unavailable or cannot be reached, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.