Rapid7 Vulnerability & Exploit Database

Firefox MCallGetProperty Write Side Effects Use After Free Exploit

Back to Search

Firefox MCallGetProperty Write Side Effects Use After Free Exploit



This modules exploits CVE-2020-26950, a use after free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2, however only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.


  • 360 ESG Vulnerability Research Institute
  • maxpl0it
  • timwr






Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/firefox_jit_use_after_free
msf exploit(firefox_jit_use_after_free) > show targets
msf exploit(firefox_jit_use_after_free) > set TARGET < target-id >
msf exploit(firefox_jit_use_after_free) > show options
    ...show and set options...
msf exploit(firefox_jit_use_after_free) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security