Safari 4.0.5 - parent.close() Memory Corruption Exploit (ASLR and DEP bypass)



Download:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12614.zip (safari_parent_close_sintsov.zip)

Unzip and run START.htm

This exploit use JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")

0day.html - use 0x09090101 address for CALL JITed shellcode.


START.htm -> iff.htm -> if1.htm -> 0day.html
| |
| |
JIT-SPRAY parent.close();
0x09090101 - JITed * ESI=0x09090101
shellcode * CALL ESI

By Alexey Sintsov
from
Digital Security Research Group

[www.dsecrg.com]