Safari 5.0.5 SVG Remote Code Execution Exploit (DEP bypass)

2011-07-27 / 2011-07-28

Credit: Abysssec

Risk: High

Local: No

Remote: Yes

CVE: CVE-2011-0222

CWE: CWE-119

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Abysssec Public Advisory
apple killed one of our 0day no point to keep it private anymore :(
there is another version of exploit using POPup and thats more
reliable but as you know safari block pop up by default so we found a
cool way to bypass it and stand alone module .
this exploiting using ROP to bypass permanent DEP.
note : Change spray range if not work on your machine.
CVE-2011-0222 :
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers
to execute arbitrary code or cause a denial of service (memory
corruption and application crash)
via a crafted web site a different vulnerability than other WebKit
CVEs listed in APPLE-SA-2011-07-20-1.
Tested on windows XP SP3 and safari 5.0.5
feel free to contact us at : info [at] abysssec.com
and follow @abysssec for updates
http://www.abysssec.com/files/CVE-2011-0222_WinXP_Exploit.zip
http://www.exploit-db.com/sploits/CVE-2011-0222_WinXP_Exploit.zip

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Safari 5.0.5 SVG Remote Code Execution Exploit (DEP bypass)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.