new operator

I was playing around with the new operator when I noticed something cool and unexpected. If the constructor returns a function, the new operator will not hand back the freshly created object instance; because a function is an object, new returns that function instead. This means that stuff like:

new new new new new new function f(){return f}

is perfectly valid code. That made me think maybe it would cause a crash. Yep, of course it does on IE:
eval(Array(0xffff).join('new ')+'function f(){return f}')

ModLoad: 00000000`70af0000 00000000`70ba5000 C:\Windows\SysWOW64\MsSpellCheckingFacility.dll
ModLoad: 00000000`69a40000 00000000`69a8f000 C:\Windows\SysWOW64\Bcp47Langs.dll
ModLoad: 00000000`74cd0000 00000000`74cd3000 C:\WINDOWS\SysWOW64\Normaliz.dll
(1778.173c): C++ EH exception - code e06d7363 (first chance)
(1778.173c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
JSCRIPT9!Scanner::Scan+0x8:
70e69742 53 push ebx

Just a stack overflow; I don't think it's exploitable, but let's try to manipulate it further. Using Unicode escapes changes the code slightly:

eval(Array(0xffff).join('\\u006e\u0065w ')+'function f(){return f}')

msvcrt!memcmp+0xc:
7506985c 56 push esi
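As an added example (not code from the original post), here is the language semantics that makes the chained expression above valid, plus how a spec-conformant engine such as V8 treats the escaped keyword from the second payload; the nesting depth is kept small on purpose, and the helper names are my own.

```javascript
// Added example, not part of the original post. Nesting depths are modest
// so the snippet demonstrates the semantics without exhausting the stack.

// `new F()` normally yields a fresh object, but if F returns an object
// that returned object replaces the instance.
function newReturningObject() {
  function F() { return { tag: 'explicit' }; }
  return new F();
}

// A primitive return value is ignored: the instance is handed back instead.
function newReturningPrimitive() {
  function F() { this.tag = 'instance'; return 42; }
  return new F();
}

// A function is an object, so `new f()` where f returns itself yields f.
function newReturningSelf() {
  function f() { return f; }
  return new f() === f;
}

// Build `new new ... new function f(){return f}` with the given depth and
// evaluate it the same way the post does, via Array(n).join('new ').
// Returns true when the whole chain collapses back to the function f.
function chainedNew(depth) {
  const src = Array(depth + 1).join('new ') + 'function f(){return f}';
  const result = new Function('return ' + src)();
  return typeof result === 'function' && result.name === 'f';
}

// The post's second payload spells the keyword as \u006eew. In a
// spec-conformant engine a reserved word written with a Unicode escape is
// rejected as a SyntaxError before any code runs, so the chain is never
// built; only the engine under test (JScript9) accepted it.
function escapedKeywordIsSyntaxError() {
  try {
    new Function('\\u006eew function f(){return f}');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}
```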

I then thought about using different types of whitespace and fuzzed them, but had no success producing any form of exploitable crash. Maybe you can?
