Vendor: N/A
By: Alexey Sintsov
CVSS: 8.8 (HIGH)
JIT-SPRAY parent.close() Exploit
CWE: N/A
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows


This exploit uses JIT spraying to bypass DEP and ASLR. It relies on the address 0x09090101 as the target of a CALL into the JITed shellcode, and that shellcode runs system("notepad"). The exploit is triggered by navigating from START.htm to iff.htm, then to if1.htm, and finally to 0day.html.

Mitigation:

N/A
Source

Exploit-DB raw data:

Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip)

Unzip and run START.htm

This exploit uses JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")

0day.html - use 0x09090101 address for CALL JITed shellcode.


START.htm -> iff.htm -> if1.htm -> 0day.html
                |                     |
                |                     |
            JIT-SPRAY            parent.close();
    0x09090101 - JITed           * ESI=0x09090101
    shellcode                    * CALL ESI

By Alexey Sintsov
from
Digital Security Research Group

[www.dsecrg.com]