[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80201":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":8,"htmlUrl":8,"language":9,"languages":8,"totalLinesOfCode":8,"stars":10,"forks":11,"watchers":12,"openIssues":13,"contributorsCount":13,"subscribersCount":13,"size":13,"stars1d":13,"stars7d":13,"stars30d":14,"stars90d":13,"forks30d":13,"starsTrendScore":13,"compositeScore":15,"rankGlobal":8,"rankLanguage":8,"license":8,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":16,"hasPages":16,"topics":18,"createdAt":8,"pushedAt":8,"updatedAt":19,"readmeContent":20,"aiSummary":21,"trendingCount":13,"starSnapshotCount":13,"syncStatus":14,"lastSyncTime":22,"discoverSource":23},80201,"ffffirefox","kiddo-pwn\u002Fffffirefox","kiddo-pwn",null,"JavaScript",76,15,74,0,2,37.81,false,"main",[],"2026-06-12 04:01:27","# FFFFirefox - A One-Day Wonder Renderer Exploit\n\n## Backstory\n\nI built this for Pwn2Own Berlin 2026 as a renderer RCE entry against Firefox 150. The bug interestingly survived Mozilla's 423 (!) April security patch, but finally got killed in 150.0.3 as a last-minute fix.\n\nThis is tracked as CVE-2026-8390 and the original report goes to OpenAI Preparedness, Bill Demirkapi. Publishing this just to show off and give the exploit a proper goodbye.\n\nhttps:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F0dda5879-16b3-4fe5-b13b-b177ad2f86cd\n\n## The bug\n\nThe interaction between Ion's `array.copy` lowering and the OOL storage path of wasm-GC arrays results in a use-after-free.\n\nIon caches the source `data_` pointer across a runtime call into `WasmArrayRefsMove` while dropping the source array object from the frame.\n\nSo a minor GC inside that window frees the OOL block, and the spray reclaims the freed memory as `AnyRef` values.\n\nWith `addrof` and `fakeobj` primitives, the remaining parts are straightforward and well covered online. Build AAR \u002F AAW, then pivot to JIT shellcode execution.\n\n## Repro\n\n1. Run a web server to serve the given index.html file (e.g. `python3 -m http.server 8000`)\n\n2. Start Firefox with `set MOZ_DISABLE_CONTENT_SANDBOX=1`\n\n3. Browse to `http:\u002F\u002F\u003Cattacker-ip>:8000`\n\nThe result should be `calc.exe` launching as a result of shellcode execution.\n\n## Bottom line\n\nRIP to all 6 Firefox entries! I hear many teams ended up on the same patch.\n\nIt held up reliably on my setup, and I hope it does for you too. A writeup may follow, but no technical support either way.\n\nCheers to all folks from Berlin!\n\n\\-- kiddo kiddo.pwn@gmail.com\n","FFFFirefox is a remote code execution (RCE) exploit project targeting the Firefox 150 renderer. The project exploits the interaction between Ion's `array.copy` optimization and the OOL storage path of wasm-GC arrays, which leads to a use-after-free. Its core is controlling the freed memory and combining it with the `addrof` and `fakeobj` techniques to achieve arbitrary address read/write and JIT shellcode execution. It is intended for security researchers and vulnerability hunters to test and verify the security of the Firefox renderer in controlled environments.","2026-06-11 03:59:37","CREATED_QUERY"]