Exploit for CVE-2018-4233, a WebKit JIT optimization bug used during Pwn2Own 2018

# CVE-2018-4233
Exploit for CVE-2018-4233, a bug in the JIT compiler of WebKit. Tested on Safari 11.0.3 on macOS 10.13.3.
For more details see https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf
The exploit gains arbitrary memory read/write by first constructing the addrof and fakeobj primitives and then using them to fake a typed array, as described in http://www.phrack.org/papers/attacking_javascript_engines.html. Afterwards it locates the JIT page, writes the stage1 shellcode there and executes it. Stage1 in turn writes a .dylib (embedded in stage2.js) to disk and loads it into the renderer process to perform a sandbox escape. Stage 2 uses a separate vulnerability to break out of the Safari sandbox and will be published at a later point.
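The addrof and fakeobj primitives described above hand pointers back and forth as IEEE doubles, so exploit code needs a way to treat a double's bit pattern as a 64-bit integer and do pointer arithmetic on it (Safari 11 has no BigInt). The helper below is an added example written for this page; it is not the repository's own int64.js, and the addresses it operates on are constructed values, not real ones.

```javascript
// Added example, not the repository's int64.js: a minimal 64-bit integer
// helper of the kind used to move between the doubles that addrof() yields
// and the raw pointer bits that fakeobj() consumes. The value is stored as
// 8 little-endian bytes and reinterpreted as a double through a shared
// ArrayBuffer, the standard trick in engines without BigInt.

const conv = new ArrayBuffer(8);
const convF64 = new Float64Array(conv);
const convU8 = new Uint8Array(conv);

class Int64 {
  // Accepts nothing (zero), a non-negative JS number below 2^53,
  // a hex string such as '0x4141414141414141', or another Int64.
  constructor(v) {
    this.bytes = new Uint8Array(8);
    if (v === undefined) return;
    if (v instanceof Int64) { this.bytes.set(v.bytes); return; }
    if (typeof v === 'number') {
      for (let i = 0; i < 8; i++) { this.bytes[i] = v % 256; v = Math.floor(v / 256); }
      return;
    }
    if (typeof v === 'string') {
      const hex = v.replace(/^0x/i, '').padStart(16, '0');
      for (let i = 0; i < 8; i++) {
        this.bytes[7 - i] = parseInt(hex.substr(i * 2, 2), 16);
      }
      return;
    }
    throw new TypeError('unsupported Int64 initializer');
  }

  // Reinterpret the bit pattern of a double (e.g. the result of addrof).
  static fromDouble(d) {
    convF64[0] = d;
    const r = new Int64();
    r.bytes.set(convU8);
    return r;
  }

  // Reinterpret these 64 bits as a double (e.g. to hand to fakeobj).
  // Caveat: bit patterns in the NaN space (exponent all ones) may be
  // canonicalized by the engine when they round-trip through a double,
  // so such values cannot reliably be smuggled this way.
  asDouble() {
    convU8.set(this.bytes);
    return convF64[0];
  }

  // Wrapping 64-bit addition with byte-wise carry.
  add(other) {
    const r = new Int64();
    let carry = 0;
    for (let i = 0; i < 8; i++) {
      const s = this.bytes[i] + other.bytes[i] + carry;
      r.bytes[i] = s & 0xff;
      carry = s >> 8;
    }
    return r;
  }

  // Two's-complement subtraction: a - b == a + (~b + 1).
  sub(other) {
    const neg = new Int64();
    for (let i = 0; i < 8; i++) neg.bytes[i] = (~other.bytes[i]) & 0xff;
    return this.add(neg.add(new Int64(1)));
  }

  toString() {
    let s = '0x';
    for (let i = 7; i >= 0; i--) s += this.bytes[i].toString(16).padStart(2, '0');
    return s;
  }
}

// Usage on a constructed (not real) object address: compute the address of
// a hypothetical field 8 bytes into the object, then convert it to a double
// of the form fakeobj() would take.
const objAddr = new Int64('0x00007ffedeadb000');
const fieldPtr = objAddr.add(new Int64(8));
const fieldPtrAsDouble = fieldPtr.asDouble();
```

The asDouble/fromDouble pair is exactly what lets an addrof result be adjusted and fed back into fakeobj; the NaN caveat in asDouble is the reason such helpers are normally paired with an engine-specific boxing scheme rather than used on arbitrary bit patterns.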
Repository layout:

```
[4.0K] /data/pocs/665198e03eb73868074451e78858bd2a78457125
├── [ 177] index.html
├── [4.9K] int64.js
├── [ 418] logging.js
├── [ 796] offsets.js
├── [ 582] pwn.html
├── [9.7K] pwn.js
├── [ 770] README.md
├── [ 372] ready.js
├── [ 227] shell.js
├── [4.0K] stage1
│   ├── [ 754] make.py
│   └── [1.9K] stage1.asm
├── [1.1K] stage1.js
├── [4.0K] stage2
│   ├── [ 181] Makefile
│   ├── [ 326] make.py
│   ├── [ 137] stage2.c
│   └── [  83] tester.c
├── [ 17K] stage2.js
└── [2.1K] utils.js

2 directories, 18 files
```