Apple Safari 4.0.5 - 'parent.close()' Memory Corruption (ASLR + DEP Bypass)

EDB-ID:

12614


Platform:

Windows

Published:

2010-05-15

Download:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/12614.zip (safari_parent_close_sintsov.zip)

Unzip and run START.htm

This exploit use JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")

0day.html - use 0x09090101 address for CALL JITed shellcode.


START.htm -> iff.htm -> if1.htm -> 0day.html
| |
| |
JIT-SPRAY parent.close();
0x09090101 - JITed * ESI=0x09090101
shellcode * CALL ESI

By Alexey Sintsov
from
Digital Security Research Group

[www.dsecrg.com]