Apple Safari 4.0.5 - 'parent.close()' Memory Corruption (ASLR + DEP Bypass)

Author: Alexey Sintsov
type: remote
platform: windows
port: 
date_added: 2010-05-14 
date_updated: 2016-10-27 
verified: 1 
codes: CVE-2010-1939;OSVDB-64482 
tags: 
aliases: safari_parent_close_sintsov.zip 
screenshot_url:  
application_url: http://www.exploit-db.comSafariSetup4.0.5.exe

Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip)

Unzip and run START.htm

This exploit use JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")

0day.html - use 0x09090101 address for CALL JITed shellcode.


START.htm -> iff.htm -> if1.htm -> 0day.html
| |
| |
JIT-SPRAY parent.close();
0x09090101 - JITed * ESI=0x09090101
shellcode * CALL ESI

By Alexey Sintsov
from
Digital Security Research Group

[www.dsecrg.com]