This directory contains a proof-of-concept exploit for a remote code execution vulnerability in ChakraCore, the JavaScript engine for Microsoft Edge. The vulnerability was introduced by this pull request, which was a botched fix for CVE-2016-7202. Semmle reported the vulnerability to Microsoft on 2016-12-19. Microsoft assigned it CVE-2017-0141 and released a fix on 2017-03-14.
First you need to build the version of ChakraCore that contains the vulnerability, i.e. the revision that includes the botched fix but not the later correct one. On Windows, in a VS2015 developer command prompt, run these commands to download and build the vulnerable revision:
git clone https://github.com/Microsoft/ChakraCore.git
cd ChakraCore
git checkout eecf271764ce0ee8ea58c2ec9c22bc2dd69861e7 &:: Version with "fix" for CVE-2016-7202
msbuild /t:rebuild /m /p:Platform=x64 /p:Configuration=Release Build\Chakra.Core.sln
Note: this revision of ChakraCore is too old to build with VS2017. You need VS2015 or earlier.
If the build was successful, then you can run the exploit like this:
Build\VcBuild\bin\x64_release\ch.exe cve-2017-0141.js
(The output path matches the x64 Release build requested above; adjust it if you built a different platform or configuration.) This causes ChakraCore to crash with the following error message:
FATAL ERROR: ch.exe failed due to exception code c0000005
Exception code c0000005 is STATUS_ACCESS_VIOLATION, i.e. the engine read from or wrote to an invalid address. Running ch.exe under a debugger such as WinDbg shows the faulting instruction and address.