Type confusion in V8 in Google Chrome

This repository contains a working exploit for CVE-2018-17463, a vulnerability in the V8 JavaScript engine (used in Google Chrome). The main file, CVE-2018-17463.js, is a standalone JavaScript exploit that demonstrates how to achieve arbitrary read/write primitives and ultimately execute arbitrary code by spawning a /bin/sh shell. The exploit works by manipulating object properties to create overlapping memory regions, leveraging JIT (Just-In-Time) compilation behaviors, and constructing a ROP (Return-Oriented Programming) chain to make memory pages executable and run shellcode. The shellcode is provided as a byte array and is executed to spawn a shell, demonstrating full code execution. The README provides references to relevant research and writeups. The exploit is operational and demonstrates a full exploit chain, but is not part of a framework and is intended for research and demonstration purposes. The only fingerprintable endpoint is the use of /bin/sh in the shellcode payload.

This repository contains a working proof-of-concept exploit for CVE-2018-17463, a vulnerability in the V8 JavaScript engine used by Google Chrome prior to version 70.0.3538.64. The exploit is implemented in a single JavaScript file (CVE-2018-17463.js) and leverages a type confusion bug to achieve arbitrary memory read and write primitives. It then uses WebAssembly to allocate a RWX (read-write-execute) memory region, writes x86_64 shellcode to this region, and executes it, resulting in arbitrary code execution (demonstrated by launching calc.exe). The exploit demonstrates advanced exploitation techniques including property overlap discovery, address leaking, and memory corruption. The README provides context, references, and credits, but the main exploit logic is self-contained in the JavaScript file. No network or external endpoints are hardcoded in the exploit; it is designed to be run in a browser context where the vulnerable V8 engine is present.