# CVE-2024-29943
A Pwn2Own SpiderMonkey JIT Bug: From Integer Range Inconsistency to Bound Check Elimination then RCE.
Reproducing CVE-2024-29943 for Windows, based on [https://github.com/bjrjk/CVE-2024-29943](https://github.com/bjrjk/CVE-2024-29943)
## Modifications
The original exploit is written for Linux, so I attempted to reproduce it on Windows:
- Updated the pop-calc shellcode for Windows and adjusted some heap feng shui parameters. (I don't fully understand how the heap on Windows works yet, so I just tweaked some numbers until it was stable.)
- Used `Uint8Array` instead of `Array` to minimize the distance needed for out-of-bounds access.
- Everything else is the same.
Files:
- [Exploit_64.js](./Exploit_64.js) - Modified version using `BigUint64Array` for OOB writes. (~20 GB of RAM)
- [Exploit_8.js](./Exploit_8.js) - Modified version using `Uint8Array` for OOB writes to reduce RAM consumption. (~10 GB of RAM)
## Demo
[Demo.mp4](Demo.mp4)
## Reproduce Information
- Version: [FIREFOX_124_0_RELEASE](https://github.com/mozilla-firefox/firefox/tree/FIREFOX_124_0_RELEASE)
- Operating System: Windows 11 Pro (Build 26100)
- Architecture: amd64
- Command Line Arguments: `./js.exe --spectre-mitigations=off Exploit_8.js`
## Credits
Original research and exploit by [bjrjk](https://github.com/bjrjk/CVE-2024-29943)
## Disclaimer
This repository is intended solely for educational purposes and must not be used for any malicious activities.