$hell on Earth
shell-on-earth
shell-on-earth
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Exploitati<strong>on</strong> of CVE-2016-1859<br />
To exploit this vulnerability, an initial heap spray is performed to establish optimal heap c<strong>on</strong>diti<strong>on</strong>s. The<br />
vulnerability is triggered and the 0x100-byte-sized GraphicsC<strong>on</strong>text object is reclaimed. After reclaiming the<br />
object, the write exploit primitive comes from the following code within WebCore::GraphicsC<strong>on</strong>text::save()<br />
functi<strong>on</strong> in Safari.<br />
memcpy((void *)(v3 + v4 + 16), (char *)this + 20, 0x4Du);<br />
A sec<strong>on</strong>d heap spray is performed, which c<strong>on</strong>sists of strings followed by frame elements, that looks like<br />
this:<br />
[String][Frame] [String][Frame] [String][Frame] [String][Frame]<br />
They utilize the write primitive to enlarge the string object’s length allowing the leak of a frame object’s<br />
vtable. Again, they use this write primitive to change the string buffer pointer to achieve arbitrary memory<br />
read.<br />
To achieve code executi<strong>on</strong>, they modify a vtable pointer of a frame object with the same write primitive.<br />
Finally, they set up their ROP chain and divert executi<strong>on</strong> to it.<br />
CVE-2016-1859 Patch<br />
To patch this vulnerability, Apple modified the code to grab width and height properties to ensure that<br />
JavaScript code cannot delete the owner element.<br />
10 | <str<strong>on</strong>g>$hell</str<strong>on</strong>g> <strong>on</strong> <strong>Earth</strong>: From Browser to System Compromise