Zhuowei Zhang /
npub1cpp…e7uy
2024-12-27 03:43:45


Still trying to find a V8 sandbox bypass to chain to exodus/bnovkebin's CVE-2024-0517 exploit.

I'm extremely amused that on Chrome 118, there's like seven ways to break out of the v8 sandbox and get PC control... but no way to write any shellcode on arm64.

All the sandbox bypasses take advantage of x86's `mov` instruction, which encodes immediates directly. You can just encode your shellcode as an immediate and jump inside the `mov` instruction.

Arm doesn't do that, so there's nothing I can jump to...
Author Public Key
npub1cppa6rw8av0n2zjc6yarum7k0nmtkka4d7qas3ndy0sqpjfz9u0sx9e7uy
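To make the encoding difference the post turns on concrete, here is an added example (mine, not the author's or the V8 project's code): it encodes x86 `mov r32, imm32` and the AArch64 MOVZ/MOVK pair a compiler uses to load a 64-bit constant, and shows which bits of each emitted instruction are determined by the constant and which are fixed opcode bits. The constant value used is constructed for illustration.

```python
import struct

# --- x86: 'mov r32, imm32' is one opcode byte (B8+rd) followed by the 4-byte immediate, verbatim ---
def x86_mov_r32_imm32(reg: int, imm: int) -> bytes:
    """Encode x86 'mov r32, imm32' (eax..edi = 0..7)."""
    assert 0 <= reg < 8 and 0 <= imm <= 0xFFFFFFFF
    return bytes([0xB8 + reg]) + struct.pack("<I", imm)

def x86_supplier_bytes(code: bytes) -> bytes:
    """The part of the instruction that whoever chose the constant controls byte-for-byte."""
    return code[1:]  # everything after the opcode byte is the immediate, unchanged

# --- AArch64: MOVZ/MOVK (64-bit form) are fixed 32-bit words:
#     bits 31..23 opcode, 22..21 hw (which 16-bit lane), 20..5 imm16, 4..0 Rd ---
A64_MOVZ = 0xD2800000
A64_MOVK = 0xF2800000
A64_OPCODE_MASK = 0xFF800000   # never influenced by the constant
A64_IMM16_MASK = 0x001FFFE0    # the only bits derived from the constant

def a64_movz(rd: int, imm16: int, hw: int) -> int:
    assert 0 <= rd < 32 and 0 <= imm16 <= 0xFFFF and 0 <= hw < 4
    return A64_MOVZ | (hw << 21) | (imm16 << 5) | rd

def a64_movk(rd: int, imm16: int, hw: int) -> int:
    assert 0 <= rd < 32 and 0 <= imm16 <= 0xFFFF and 0 <= hw < 4
    return A64_MOVK | (hw << 21) | (imm16 << 5) | rd

def a64_materialize(rd: int, value: int) -> list:
    """Simplified compiler pattern: MOVZ for the low lane, MOVK for the other three."""
    assert 0 <= value <= 0xFFFFFFFFFFFFFFFF
    words = [a64_movz(rd, value & 0xFFFF, 0)]
    for hw in range(1, 4):
        words.append(a64_movk(rd, (value >> (16 * hw)) & 0xFFFF, hw))
    return words

def a64_has_fixed_opcode(word: int) -> bool:
    """True if the top 9 bits are the MOVZ/MOVK opcode, whatever constant was loaded."""
    return (word & A64_OPCODE_MASK) in (A64_MOVZ, A64_MOVK)

def a64_recover_value(words: list) -> int:
    """Read the 16-bit lanes back out, proving only imm16 carries the constant."""
    value = 0
    for w in words:
        value |= ((w >> 5) & 0xFFFF) << (16 * ((w >> 21) & 3))
    return value

if __name__ == "__main__":
    x86 = x86_mov_r32_imm32(0, 0x41424344)          # constructed sample constant
    print("x86 bytes:", x86.hex(), "supplier-controlled:", x86_supplier_bytes(x86).hex())
    for w in a64_materialize(0, 0x123456789ABCDEF0):  # constructed sample constant
        print(f"a64 word {w:08x}: fixed opcode bits {w & A64_OPCODE_MASK:08x}, imm16 bits {w & A64_IMM16_MASK:08x}")
```

On x86 all four immediate bytes appear in the instruction stream exactly as supplied, whereas on arm64 each 4-byte aligned word keeps its 9 opcode bits fixed and only 16 of 32 bits follow the constant, which is why the same trick has nothing to jump into there.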