Together with @swapgs, the author had earlier found a bug in Zscaler's VPN client that allowed arbitrary JavaScript execution. At the time they noticed that the engine involved, the SpiderMonkey build bundled with pacparser, was badly out of date (about 17 years old), but did not pursue it further. Returning to the bug, the author used the old engine to run arbitrary bytecode rather than just JavaScript, and turned that into memory corruption: a chain of POP2 instructions, each of which pops two values, moved the interpreter's stack pointer out of its intended range, so that subsequent stack operations read and wrote memory they were never meant to reach. From that they built an address-disclosure primitive, leaked the addresses of the binary, libc and system(), and finally obtained a shell by overwriting function pointers.
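As an added illustration (not code from the post or from SpiderMonkey), the following toy stack VM in C shows the mechanism the summary names: a POP2 that adjusts the stack pointer without checking that two values are actually on the stack lets a short instruction sequence point the operand stack at interpreter state stored just below it, so the next PUSH overwrites that state. The memory layout (bookkeeping slots below the stack, a stand-in "function pointer" slot at index 2), the opcodes and the attacker program are all constructed for this demo; the `checked` path beside the vulnerable one shows the bounds checks that close the hole.

```c
/*
 * Toy stack VM: an unchecked POP2 lets bytecode underflow the operand
 * stack so that a later PUSH writes into interpreter state that lives
 * just below it. Constructed illustration, not SpiderMonkey's interpreter.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_PUSH = 1, OP_POP2 = 2, OP_HALT = 3 };
enum { VM_OK = 0, VM_ERR_UNDERFLOW = -1, VM_ERR_OVERFLOW = -2, VM_ERR_BADOP = -3 };

/* One flat region so the out-of-range access stays deterministic:
 * slots 0..7 model interpreter bookkeeping sitting right below the
 * operand stack (slot 2 stands in for a function-pointer field),
 * slots 8..15 are the operand stack itself. In a real engine the
 * underflow would run into whatever the allocator placed there. */
#define MEM_SLOTS  16
#define STACK_BASE 8
#define FPTR_SLOT  2
#define FPTR_ORIG  0x4141414141414141ULL   /* "legitimate" pointer value */

typedef struct {
    uint64_t mem[MEM_SLOTS];
    long     sp;   /* index of the next free stack slot; STACK_BASE when empty */
} vm_t;

static void vm_init(vm_t *vm) {
    memset(vm, 0, sizeof *vm);
    vm->mem[FPTR_SLOT] = FPTR_ORIG;
    vm->sp = STACK_BASE;
}

/* checked == 0: the vulnerable interpreter, POP2 moves sp with no check.
 * checked == 1: the hardened interpreter, both stack bounds enforced
 * before any memory is touched. */
static int run(vm_t *vm, const uint64_t *code, size_t n, int checked) {
    size_t pc = 0;
    while (pc < n) {
        switch (code[pc++]) {
        case OP_PUSH:
            if (pc >= n) return VM_ERR_BADOP;
            if (checked && vm->sp >= MEM_SLOTS) return VM_ERR_OVERFLOW;
            /* In the unchecked case sp may already sit below STACK_BASE,
             * so this write lands in the bookkeeping area. */
            vm->mem[vm->sp++] = code[pc++];
            break;
        case OP_POP2:
            if (checked && vm->sp - 2 < STACK_BASE) return VM_ERR_UNDERFLOW;
            vm->sp -= 2;   /* vulnerable path: no stack-balance check */
            break;
        case OP_HALT:
            return VM_OK;
        default:
            return VM_ERR_BADOP;
        }
    }
    return VM_OK;
}

/* Constructed attacker bytecode: three POP2s on an empty stack move sp
 * from 8 down to 2, then PUSH lands on the function-pointer slot. */
static const uint64_t attack_prog[] = {
    OP_POP2, OP_POP2, OP_POP2,
    OP_PUSH, 0x4242424242424242ULL,
    OP_HALT,
};

/* Run attack_prog on the chosen interpreter; returns the VM status and
 * reports the final value of the function-pointer slot via *fptr. */
static int run_demo(int checked, uint64_t *fptr) {
    vm_t vm;
    size_t n = sizeof attack_prog / sizeof attack_prog[0];
    vm_init(&vm);
    int rc = run(&vm, attack_prog, n, checked);
    *fptr = vm.mem[FPTR_SLOT];
    return rc;
}

int demo_status(int checked)         { uint64_t fp; return run_demo(checked, &fp); }
uint64_t demo_fptr_slot(int checked) { uint64_t fp; (void)run_demo(checked, &fp); return fp; }

int main(void) {
    printf("unchecked: rc=%d fptr slot=0x%016llx\n", demo_status(0),
           (unsigned long long)demo_fptr_slot(0));
    printf("checked:   rc=%d fptr slot=0x%016llx\n", demo_status(1),
           (unsigned long long)demo_fptr_slot(1));
    return 0;
}
```

On the unchecked interpreter the program completes normally while the stand-in pointer slot now holds the attacker's value; on the checked one the first POP2 is rejected with VM_ERR_UNDERFLOW and the slot is untouched. The general lesson is that a bytecode interpreter must either verify stack balance before execution or check every stack adjustment at run time; once attacker-controlled bytecode can be fed in, relying on the compiler to emit balanced code is no protection.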
https://blog.pspaul.de/posts/ancient-monkey-pwning-a-17-year-old-version-of-spidermonkey/