There's all kinds of bizarre silliness in the "exploit". They're passing URL-encoded x86 assembly to unescape() in a void context, as if that'll somehow execute the code in the result. (This technique is sometimes useful in heap sprays, but they aren't using it in a way that would work for that -- in particular, they aren't creating NOP slides or saving the result anywhere, so the resulting code would be almost impossible to hit.) They're claiming to have a "microcode VM" with a "scrambler + dynamic encoder + multi-pass obfuscator", but no such thing is in evidence. There are sillier things still, but I'll leave it for now.
Source: Author's twitter: http://twitter.com/sanjar_satsura
You'd need to overcome address space randomization but apparently there are reflection techniques that allow that to some extent.
The memory access part is definitely doable from JS. Multiple threads is harder -- you might be able to do it by using web workers. Targeting memory access to a JIT-compiled function, however, would be the hard part; I don't see any way of doing that, short of executing the function (which would probably not have the desired effect).
No clue if this is the case.
Where are your pointers and ASM registers in JS? The claim that you could inject arbitrary code from JS into your memory and make it executable from user space (not talking of the cross-platform issue (BSD, Linux, Windows, Mac OS X)) would just be the end of JS.
How can you even accept the claim that it could be doable? Be real. This news is like an April Fools' joke in July.
Use your brain.
> The claim you could inject arbitrary code from JS into your memory and make it executable from user space
One of the dozens of ways that you would go about this is documented in some detail here: http://stackoverflow.com/questions/381171/help-me-understand...
Why, God, did these stupid Larry Wall, GvR, MS, Sun, Google, Linus Torvalds lose their time trying to achieve what JS code can do in less than 1000 lines?
How can I believe that code I can read, and that is obviously a fraud, would through the sheer power of obfuscated unused strings become such a revolution in the world of CS?
Plus, I have no demonstration nor readable documents to back up the claims of this so called genius.
Science is accepting what you can understand and reproduce. Not being impressed by obfuscated crap.
I have no doubt this is a mystification, and I don't trust blindly what is written on the internet. I still have a brain.
The exploit described on stackoverflow works only for IE and a version of Windows where the memory addresses are not randomized (which most modern OSes do have: http://en.wikipedia.org/wiki/Address_space_layout_randomizat...), and where calc.exe is installed (so Windows + IE probably).
Hint: MOV + JMP are made at a fixed address.
If the code shown is not a hoax (which I highly doubt), it would imply:
1) a specific browser (to break the gate of OS control on memory/permissions by using a buffer overflow), and I don't see at first glance a buffer overflow (but let's imagine it exists);
2) a specific old OS (Windows 98 or XP maybe) (for having a predictable address at which to inject the shellcode) (I can't imagine ASM code doing registry base scanning in less than 4k to get the address of a particular exec/lib);
3) since it is based on a specific 64-bit alignment problem, and since there are 32-bit legacy applications, it would target only the 64-bit version.
This makes the threat look more like ripples in a glass of water than the tsunami that was announced.
Basically this (if it is not the hoax I think it is) would be just an exploit of a specific browser in its 64-bit version on a specific OS. It is not a JS exploit, it is a very specific "browser name on OS name" exploit in 64-bit. So to say... everyday life in the world of software.
> How can you even accept the claim that it can be doable.
Isn't this exactly how most/all heap spray JS exploits work?
I wouldn't be so quick to dismiss the concept of this bug, even though the "poc" presented here is bogus.
But this case does raise an issue for NaCl (which I hope will become reality one day) where you have the granularity to mess with cache hits.