WebKit JavaScriptCore integer truncation vulnerability
Reported by cevans@google.com, Jul 24 2014
This bug represents the externally visible report for a previously filed and fixed bug, https://code.google.com/p/google-security-research/issues/detail?id=6. We're filing a new bug because the exploit has been re-written to work against a specific, downloadable old nightly build of WebKit. The exploit uses an identical strategy; it just has updated offsets, ROP payload offsets, etc. We've done it this way because it's not clear how to download the old, vulnerable Safari, but an effectively equivalent WebKit nightly can be referenced trivially by URL.
Jul 24 2014
Grab this old nightly build of WebKit: http://builds.nightly.webkit.org/files/trunk/mac/WebKit-SVN-r161944.dmg

Compile the payload:
$ clang -o simple_speak_payload.dylib simple_speak_payload.c -framework ApplicationServices -F/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks -dynamiclib

Convert the payload to a JavaScript string:
$ python file_to_jsstr.py simple_speak_payload.dylib simple_speak_payload.js

Serve the files:
$ python -m SimpleHTTPServer 8080 .

Navigate to localhost:8080/webkit-nightly-r161944.html
Jul 25 2014
Jul 25 2014
Status: Duplicate