Problem description
A v8 exploitation challenge based on an old bug.
DISCLAIMER: This challenge is intended as a pedagogical introduction for people who have no experience in browser exploitation. Therefore, it should be REALLY easy for people who have even the slightest knowledge about v8 exploitation.
Hints for Newbies
This challenge reverts two commits to v8.
first commit
second commit
The first one removes a security hardening, and the second one introduces the bug.
This challenge has the same bug as the challenge called Krautflare from 35C3 CTF (2019). However, re-using that payload will not be possible, because source code changes in v8 during the last 3 years have made that exploit infeasible. One of the major changes is pointer compression, a mechanism that represents references to v8 heap objects in 4 bytes instead of 8. A good reference discussing pointer compression is here.