}
to_overwrite();
The address of this JSFunction object can then be leaked and its various members can be read to acquire the address of the RWX mapping. The JITed version of the try/catch blocks is then overwritten with shellcode, and the to_overwrite() function can simply be called to achieve arbitrary code execution.

Evading detection

When exploitation fails, the Pegasus exploit contains a bailout code path, presumably to ensure that crash dumps do not expose the exploitable vulnerability. This bailout code triggers a crash on a clean NULL dereference. Most likely, an analyst examining such a crash dump would quickly classify the bug as a non-exploitable NULL pointer dereference and not suspect anything more sinister. The following code is used to trigger this "clean" crash.
// Bailout path: cut off the top of window's prototype chain,
window.__proto__.__proto__ = null;
x = new String("a");
// then splice window into the prototype chain of an ordinary object.
x.__proto__.__proto__.__proto__ = window;
// A property lookup that walks the modified chain now crashes on a
// clean NULL dereference, as described above.
x.Audio;
Page 10