Around the start of the year, I was pretty burnt out on CTF problems and was interested in writing an exploit for something more complicated and practical. I settled on writing a WebKit exploit for a few reasons:
- It is code that is broadly used in the real world
- Browsers seemed like a cool target in an area I had little familiarity with (both C++ and interpreter exploitation).
- WebKit is (supposedly) the softest of the major browser targets.
- There were good existing resources on WebKit exploitation, namely saelo’s Phrack article, as well as a variety of public console exploits.
With this in mind, I got a recommendation for an interesting-looking bug that had not previously been publicly exploited: @natashenka's CVE-2017-2446 from the Project Zero bug tracker. The bug report had a PoC which crashed in memcpy() with some partially controlled registers, which is always a promising start.
Finally, the goal of doing this initially, and now of writing it up, was and is to learn as much as possible. There is clearly a lot more for me to learn in this area, so if you read something that is incorrect, inefficient, unstable, or a bad idea, or if you just have some thoughts to share, I'd love to hear from you.