bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/linux/local/44204.md
Offensive Security 6885f2dcc7 DB: 2018-03-01 
26 changes to exploits/shellcodes

Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)
FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)
FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)
Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption

Apple iOS - '.pdf' Jailbreak
Apple iOS - '.pdf' Local Privilege Escalation / Jailbreak

Foxit Reader 4.0 - '.pdf' Jailbreak
Foxit Reader 4.0 - '.pdf' Multiple Stack Based Buffer Overflow / Jailbreak

Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' File Handling Local Command Execution
Sony Playstation 3 (PS3) 4.31 - Save Game Preview '.SFO' Handling Local Command Execution

Sony Playstation 4 4.05 FW - Local Kernel Loader
Sony Playstation 4 (PS4) 4.05 - Jailbreak (WebKit / 'namedobj ' Kernel Loader)

Sony Playstation 4 4.55 FW - Local Kernel
Sony Playstation 4 (PS4) 4.07 < 4.55 - 'bpf' Local Kernel Code Execution (PoC)
Sony Playstation 4 (PS4) 3.50 < 4.07 - WebKit Code Execution (PoC)
Sony Playstation 4 (PS4) 3.15 < 3.55 - WebKit Code Execution (PoC)
Sony Playstation 3 (PS3) < 2.50 - WebKit Code Execution (PoC)
WebKitGTK 2.1.2  (Ubuntu 14.04) - Heap based Buffer Overflow
Linux Kernel - 'BadIRET' Local Privilege Escalation
Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader
Nintendo Switch - WebKit Code Execution (PoC)

Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak
Apple iTouch/iPhone 1.1.1 - '.tif' Remote Privilege Escalation / Jailbreak

Sony Playstation 4 (PS4) 4.55 - Jailbreak (WebKit 5.01 / 'bpf' Kernel Loader 4.55)

EPIC MyChart - SQL Injection
EPIC MyChart - X-Path Injection

Routers2 2.24 - Cross-Site Scripting
2018-03-01 05:01:48 +00:00

1.7 KiB
Raw Blame History

CVE-2014-1303 PoC for Linux

CVE-2014-1303 (WebKit Heap based BOF) proof of concept for Linux.
This repository demonstrates the WebKit heap based buffer overflow vulnerability (CVE-2014-1303) on Linux.

NOTE: Original exploit is written for Mac OS X and PS4 (PlayStation4).

I've ported and tested work on Ubuntu 14.04, WebKitGTK 2.1.2

Usage

Firstly you need to run simple web server,

$ python server.py

then

$ cd /path/to/webkitgtk2.1.2/
$ ./Programs/GtkLauncher http://localhost

You can run several tests like,

  • Crash ROP (Jump to invalid address like 0xdeadbeefdeadbeef)
  • Get PID (Get current PID)
  • Code Execution (Load and execute payload from outer network)
  • File System Dump (Dump "/dev" entries)

Description

exploit.html ..... trigger vulnerability and jump to ROP chain
scripts/roputil.js ..... utilities for ROP building
scripts/syscall.js ..... syscall ROP chains
scripts/code.js ..... hard coded remote loader
loader/ ..... simple remote loader (written in C)
loader/bin2js ..... convert binary to js variables (for loader)

Purpose

I've created this WebKit PoC for education in my course.
I couldn't, of course, use actual PS4 console in my lecture for legal reason :(

Reference

CVE 2014-1303 Proof Of Concept for PS4
(https://github.com/Fire30/PS4-2014-1303-POC)
Liang Chen, WEBKIT EVERYWHERE: SECURE OR NOT? [BHEU14]
(https://www.blackhat.com/docs/eu-14/materials/eu-14-Chen-WebKit-Everywhere-Secure-Or-Not.PDF)

Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44204.zip