WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow

2017-08-19T00:00:00
ID EDB-ID:44204
Type exploitdb
Reporter Exploit-DB
Modified 2017-08-19T00:00:00

Description

WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow. CVE-2014-1303. Local exploit for Linux platform

                                        
                                            # CVE-2014-1303 PoC for Linux
CVE-2014-1303 (WebKit Heap based BOF) proof of concept for Linux.  
This repository demonstrates the WebKit heap based buffer overflow vulnerability (CVE-2014-1303) on **Linux**.  

**NOTE:** Original exploit is written for Mac OS X and PS4 (PlayStation4).  

I've ported and tested work on Ubuntu 14.04, [WebKitGTK 2.1.2](https://webkitgtk.org/releases/)  

## Usage
Firstly you need to run simple web server,  
```
$ python server.py
```  
then  
```
$ cd /path/to/webkitgtk2.1.2/
$ ./Programs/GtkLauncher http://localhost
```
You can run several tests like,  
- Crash ROP (Jump to invalid address like 0xdeadbeefdeadbeef)
- Get PID (Get current PID)
- Code Execution (Load and execute payload from outer network)  
- File System Dump (Dump "/dev" entries)  

## Description
**exploit.html**           .....  trigger vulnerability and jump to ROP chain  
**scripts/roputil.js**     .....  utilities for ROP building  
**scripts/syscall.js**     .....  syscall ROP chains  
**scripts/code.js**        .....  hard coded remote loader  
**loader/**                .....  simple remote loader (written in C)  
**loader/bin2js**          .....  convert binary to js variables (for loader)  

## Purpose
I've created this WebKit PoC for education in my course.    
I couldn't, of course, use actual PS4 console in my lecture for legal reason :(  

## Reference
CVE 2014-1303 Proof Of Concept for PS4  
(https://github.com/Fire30/PS4-2014-1303-POC)  
Liang Chen, WEBKIT EVERYWHERE: SECURE OR NOT? [BHEU14]   
(https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF)


Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44204.zip