Advisory :
Abysssec Public Exploit :
This module exploits a code execution vulnerability in Mozilla
Firefox <= 3.6.16 caused by the nsTreeSelection element. The specific flaw
exists within the way Firefox handles user-defined functions of
an nsTreeSelection element. When executing the function
invalidateSelection, it is possible to free the nsTreeSelection object
that the function operates on. Any further operations on the freed
object can result in remote code execution. This exploit module is only
tested on Win7 and uses another Java ROP to defeat DEP/ASLR (because
there is no longer a non-ASLR module in Firefox), and in my tests it works
reliably on Windows 7.

There are two versions of this exploit, XP and 7, and both use a different
method than the one used in the MSF Exploit bounty!

XP Version: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-1.zip (nsTreeRange_XP.zip)
Win7 Version: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-2.zip (nsTreeRange_7.zip)

Questions / comments: Info [at] abysssec.com
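The bug class described above (a method invokes a user-defined function that releases the last reference to the object the method is still operating on) and the usual defence, as an added example that is not part of the original advisory and not Firefox code. The `Sel` type, the function names and the single-owner setup are assumptions for this toy model, and destruction is recorded in a flag instead of calling free() so the unguarded path can be observed without undefined behaviour.

```c
#include <stddef.h>

/* Toy model (constructed): a reference-counted object whose invalidate
   step calls back into user-defined code. Not Firefox source. */
typedef struct Sel Sel;
struct Sel {
    int refcnt;
    int destroyed;                      /* stands in for free() */
    void (*callback)(Sel **owner_slot); /* user-defined function */
};

static void sel_addref(Sel *s)  { s->refcnt++; }
static void sel_release(Sel *s) { if (--s->refcnt == 0) s->destroyed = 1; }

/* Hypothetical user callback: drops the owner's only reference. */
static void drop_owner_ref(Sel **owner_slot) {
    Sel *s = *owner_slot;
    *owner_slot = NULL;
    sel_release(s);
}

/* Unguarded: nothing keeps the object alive across the callback.
   Returns 1 if it was destroyed while the method still holds `self`. */
static int invalidate_unguarded(Sel **owner_slot) {
    Sel *self = *owner_slot;
    self->callback(owner_slot);
    return self->destroyed; /* with a real free(), this read is the UAF */
}

/* Guarded: take a reference before running user code and release it
   only after the last use, so destruction is deferred to the end. */
static int invalidate_guarded(Sel **owner_slot) {
    Sel *self = *owner_slot;
    sel_addref(self);
    self->callback(owner_slot);
    int destroyed_during_use = self->destroyed;
    sel_release(self);      /* object is destroyed here, after last use */
    return destroyed_during_use;
}

/* Runs one scenario on a fresh object held through a single owner slot. */
static int run(int guarded) {
    Sel obj = { 1, 0, drop_owner_ref };
    Sel *owner = &obj;
    return guarded ? invalidate_guarded(&owner) : invalidate_unguarded(&owner);
}

int main(void) { return !(run(0) == 1 && run(1) == 0); }
```

When reviewing code for this pattern, look for any method that calls script or other user-controlled callbacks and then touches `this`/`self` again without holding its own reference.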