# Firefox <= 8.0 null pointer dereference PoC exploit # Author: 0in (Maksymilian Motyl) # Tested on Firefox 8.0/4.0 on windows and Firefox 7.1 on Linux # Lets see in code: # $ cat ./mozilla-release/content/base/src/nsObjectLoadingContent.cpp NS_IMETHODIMP nsObjectLoadingContent::OnStartRequest(nsIRequest *aRequest, nsISupports *aContext) { if (aRequest != mChannel) { // our pointer is checked there, mChannel is null. I think maybe some magick in js can help there return NS_BINDING_ABORTED; } AutoNotifier notifier(this, PR_TRUE); if (!IsSuccessfulRequest(aRequest)) { // go //---------------------------------------------------------------------------------- PRBool nsObjectLoadingContent::IsSuccessfulRequest(nsIRequest* aRequest) { nsresult status; nsresult rv = aRequest->GetStatus(&status); // Code execution is here. // --------------------------------------------------------------------------------- DUMP: 014E7A28 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] 014E7A2B 8B07 MOV EAX,DWORD PTR DS:[EDI] ; access violation when reading 0x00000000 014E7A2D 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4] 014E7A30 51 PUSH ECX 014E7A31 57 PUSH EDI 014E7A32 FF50 14 CALL DWORD PTR DS:[EAX+14] EAX 0012BFC0 ECX 00080000 EDX 00080000 EBX 03A199E8 ESP 0012BF44 EBP 0012BF54 ESI 03A199C0 EDI 00000000 EIP 014E7A2B xul.014E7A2B $ cat 2011_powrot_komuny.html