May 8, 2013
This week I took a look at the research blog post by @vupen, Advanced Exploitation of Mozilla Firefox Use-after-free CVE-2012-0469. It is a one-year-old vulnerability, but thanks to it, a simple idea came to my mind…
The exploitation of this vulnerability, as presented on VUPEN's blog, was not easy, because it has in its arsenal just a controlled OR on a certain location and uses nothing more, which is quite interesting! Because of that, the exploitation grows in complexity: the first step was logically expanding the length of a string object to get a memory leak. The next move was an OR performed on one tag object, targeting its VTable, which leads to arbitrary code execution.
But… in the generation of HTML5 and its new features, an easier and more general method could be used for this exploitation.
var FREE_OBJECT_PUPET = "\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA\uAAAA" +