{"id":4132,"date":"2016-06-21T15:56:50","date_gmt":"2016-06-21T07:56:50","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4132"},"modified":"2016-06-21T15:57:01","modified_gmt":"2016-06-21T07:57:01","slug":"shadow-firefox-heap-exploitation-tool-jemalloc","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/06\/shadow-firefox-heap-exploitation-tool-jemalloc\/","title":{"rendered":"shadow – Firefox Heap Exploitation Tool (jemalloc)"},"content":{"rendered":"
shadow is a new, extended (and renamed) version of a Firefox heap exploitation tool, which is quite a Swiss army knife for Firefox/jemalloc heap exploitation.

If you want to dive really deep into this tool and the technicalities behind it, check this out: OR’LYEH? The Shadow over Firefox [PDF]

Support

shadow has been tested with the following:

Usage

When you issue a jemalloc-specific command for the first time, shadow parses all the jemalloc metadata it knows about and saves it to a Python pickle file. Subsequent commands use this pickle file instead of parsing the metadata from memory again, which is faster.

When you know that the state of the jemalloc metadata has changed (for example, after you have made some allocations or have triggered a garbage collection), use the jeparse command to re-parse the metadata and re-create the pickle file.

Symbol Support

The symbol command allows you to search for SpiderMonkey and DOM classes (and structures) of specific sizes. This is useful when you’re trying to exploit use-after-free bugs, or when you want to position interesting victim objects to overwrite/corrupt.

In the “auxiliary” directory you can find a small PDB parsing utility named symhex. Run it on “xul.pdb” to generate the Python pickle file that shadow expects in the “pdb” directory (as “pdb/xul-VERSION.pdb.pkl”). Before running symhex, make sure you have registered “msdia90.dll”.

You can download shadow here: