Attackers welcomed JIT compilers in their own way and started to abuse the possibility to emit native machine code derived from controlled script constants. By filling predictable address regions with hidden assembly instructions, the JIT-Spray technique was born. Since then, many client-side JIT-Spray primitives were developed to ease the exploitation of various memory errors, which we’ll revisit in the beginning of this talk. Afterwards, we go a step further and analyze flaws we found in ASM.JS of Mozilla Firefox, tracked as CVE-2017-5375 and CVE-2017-5400, allowing an attacker to jump to “JIT” sprayed executable code. Furthermore, we’ll dive into three different Firefox CVEs and demonstrate alternative exploitation with ASM.JS JIT-Spray. On the way to remote code execution, we show how arbitrary ASM.JS payloads are crafted and transformed automatically, providing you with the ability to run your favorite code implant on vulnerable Firefox versions.