Skip to content

Instantly share code, notes, and snippets.

@pcorey pcorey/README.md

Last active Nov 20, 2015
Embed
What would you like to do?

Is there any version of input that can be used to run arbitrary code in the vm context?

The unicode line and paragraph separators (\u2028 and \u2029) can be used to break the VM interpreter, but as far as I know, it's not possible to exploit this to run arbitrary code:

evalmachine.<anonymous>:1
var test = "foo
           ^^^^

SyntaxError: Unexpected token ILLEGAL
    at Object.exports.runInThisContext (vm.js:53:16)
    at Object.<anonymous> (/home/pcorey/spiderable-exploit/index.js:3:15)
    at Module._compile (module.js:435:26)
    at Object.Module._extensions..js (module.js:442:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Function.Module.runMain (module.js:467:10)
    at startup (node.js:134:18)
    at node.js:961:3

More info:

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON

http://timelessrepo.com/json-isnt-a-javascript-subset

https://code.google.com/p/v8/issues/detail?id=1907

var input = "foo\u2028bar";
var script = "var test = " + JSON.stringify(input) + ";";
require("vm").runInThisContext(script);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.