@pcorey
Last active November 20, 2015 00:50
Is there any version of input that can be used to run arbitrary code in the vm context?

The Unicode line and paragraph separators (\u2028 and \u2029) can be used to break the VM interpreter, but as far as I know it's not possible to exploit this to run arbitrary code:

```
evalmachine.<anonymous>:1
var test = "foo
           ^^^^

SyntaxError: Unexpected token ILLEGAL
    at Object.exports.runInThisContext (vm.js:53:16)
    at Object.<anonymous> (/home/pcorey/spiderable-exploit/index.js:3:15)
    at Module._compile (module.js:435:26)
    at Object.Module._extensions..js (module.js:442:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Function.Module.runMain (module.js:467:10)
    at startup (node.js:134:18)
    at node.js:961:3
```

More info:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON

http://timelessrepo.com/json-isnt-a-javascript-subset

https://code.google.com/p/v8/issues/detail?id=1907

index.js:

```javascript
// Input carrying a raw U+2028 (LINE SEPARATOR), as an attacker could supply it.
var input = "foo\u2028bar";
// JSON.stringify escapes quotes, backslashes and C0 controls, but not U+2028/U+2029,
// so the generated string literal contains a raw line terminator.
var script = "var test = " + JSON.stringify(input) + ";";
require("vm").runInThisContext(script);
```