Safari 4.0.5 parent.close() Memory Corruption exploit (w/ASLR and DEP bypass)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Safari 4.0.5 parent.close() Memory Corruption exploit (w/ASLR and DEP bypass)
# Published : 2010-05-15
# Author : Alexey Sintsov
# Previous Title : KDE <= 4.4.1 Ksysguard RCE via Cross Application Scripting
# Next Title : WFTPD Server 3.30 Multiple remote vulnerabilities(0day)

Download:
http://www.exploit-db.com/sploits/safari_parent_close_sintsov.zip

Unzip and run START.htm

This exploit use JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")

0day.html - use 0x09090101 address for CALL JITed shellcode.


START.htm -> iff.htm -> if1.htm -> 0day.html
| |
| |
JIT-SPRAY parent.close();
0x09090101 - JITed * ESI=0x09090101
shellcode * CALL ESI

By Alexey Sintsov
from
Digital Security Research Group

[www.dsecrg.com]