vendor:
Firefox
by:
Rh0
8.8
CVSS
HIGH
Full ASLR and DEP Bypass using ASM.JS JIT Spray
119
CWE
Product Name: Firefox
Affected Version From: 44.0.2
Affected Version To: 46.0.1
Patch Exists: YES
Related CWE: CVE-2016-1960
CPE: a:mozilla:firefox
Metasploit:
https://www.rapid7.com/db/vulnerabilities/ubuntu-usn-2917-3/, https://www.rapid7.com/db/vulnerabilities/ubuntu-usn-2917-2/, https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp1-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2016-0460/, https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2016-0373/, https://www.rapid7.com/db/vulnerabilities/mfsa2016-23-cve-2016-1960/, https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2013-1960/
Other Scripts:
N/A
Platforms Tested: Windows 10 1709
2018
CVE-2016-1960 and ASM.JS JIT-Spray
This PoC exploit is against Firefox 44.0.2 and is a special ASM.JS float constant pool JIT-Spray shown at OffensiveCon 2018. It is tested on Firefox 44.0.2 32-bit - Windows 10 1709. The exploit involves serving the PoC over a network and opening it in Firefox 44.0.2 32-bit. A successful exploit attempt should pop calc.exe.
Mitigation:
Mozilla has released a patch for this vulnerability in Firefox > 46.0.1
