new operator
Wednesday, 23 October 2013
I was playing around with the new operator when I noticed something cool and unexpected. If a constructor returns an object, the new operator does not hand back the freshly created instance but that returned object instead, and since a function is an object, a function that returns itself makes every application of new evaluate to that same function again. This means that stuff like:
new new new new new new function f(){return f}
is perfectly valid code. That made me think it might cause a crash. Yep, of course it does on IE:
eval(Array(0xffff).join('new ')+'function f(){return f}')
ModLoad: 00000000`70af0000 00000000`70ba5000 C:\Windows\SysWOW64\MsSpellCheckingFacility.dll
ModLoad: 00000000`69a40000 00000000`69a8f000 C:\Windows\SysWOW64\Bcp47Langs.dll
ModLoad: 00000000`74cd0000 00000000`74cd3000 C:\WINDOWS\SysWOW64\Normaliz.dll
(1778.173c): C++ EH exception – code e06d7363 (first chance)
(1778.173c): Stack overflow – code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
JSCRIPT9!Scanner
70e69742 53 push ebx
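To make the semantics concrete, here is an added example (my own code, not from the original post) showing the three cases of a constructor's return value, and a parameterised version of the chained-new construction above so the nesting depth can be chosen rather than fixed at 0xfffe (Array(0xffff).join('new ') yields 0xfffe copies). The constructor names and the result labels are my own.

```javascript
// Added example, not code from the original post: what `new` does with a
// constructor's return value, plus a parameterised copy of the post's
// chained-`new` construction so the depth can be varied safely.

// Returning an object from a constructor: `new` gives back that object and
// discards the freshly allocated `this`. A function is an object, so a
// constructor that returns itself makes `new ctor` evaluate to ctor.
function ReturnsSelf() {
  this.marker = 'instance';
  return ReturnsSelf;
}

// Returning some other object: that object wins, not `this`.
function ReturnsOtherObject() {
  this.marker = 'instance';
  return { marker: 'other' };
}

// Returning a primitive: the value is ignored and `new` yields the fresh instance.
function ReturnsPrimitive() {
  this.marker = 'instance';
  return 42;
}

// Classify what `new ctor()` produced (labels are this example's own).
function newResultOf(ctor) {
  const result = new ctor();
  if (result === ctor) return 'the constructor itself';
  if (result instanceof ctor) return 'fresh instance';
  return 'other object';
}

// Build `new new ... new function f(){return f}` with `depth` copies of `new `.
function chainedNewSource(depth) {
  return 'new '.repeat(depth) + 'function f(){return f}';
}

// Evaluate the chain. Each `new` applied to f returns f, so the whole
// expression collapses to f at any depth; the only limit is the parser's
// recursion budget. An engine with a parser stack check reports that as a
// RangeError, which is caught here; the IE build in the post had no such
// guard and took an unhandled stack overflow (c00000fd) instead.
function evalChainedNew(depth) {
  try {
    const f = eval(chainedNewSource(depth));
    return {
      ok: true,
      isFunction: typeof f === 'function',
      selfReturning: new f() === f, // f returns itself, so new f is f again
      name: f.name,
    };
  } catch (e) {
    return { ok: false, error: e && e.name };
  }
}

// Demonstration at a modest depth.
console.log(newResultOf(ReturnsSelf), '|', newResultOf(ReturnsPrimitive), '|', newResultOf(ReturnsOtherObject));
console.log(evalChainedNew(100));
```

Raising the depth towards the post's 0xfffe is the interesting experiment: the function is written to return `{ ok: false, error: 'RangeError' }` on an engine that guards its parser stack, so a process-level crash at that depth is the signal that the parser recursed without a guard, which is what the WinDbg output above shows for JSCRIPT9!Scanner.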
Just a stack overflow; I don't think it's exploitable, but let's try and manipulate it further. Using Unicode escapes changes the code slightly:
eval(Array(0xffff).join('\\u006e\u0065w ')+'function f(){return f}')
msvcrt!memcmp+0xc:
7506985c 56 push esi
I then thought about using different types of spaces and fuzzed them, but had no success producing any form of exploitable crash. Maybe you can?