module
Mozilla Firefox 3.6.16 mChannel Use-After-Free
| Disclosed | Created |
|---|---|
| 2011-05-10 | 2018-05-30 |
Disclosed
2011-05-10
Created
2018-05-30
Description
This module exploits a use-after-free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs
data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7,
10.6.8, 10.7.2 and 10.7.3.
Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs
data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7,
10.6.8, 10.7.2 and 10.7.3.
Authors
regenrecht
Rh0
argp argp@census-labs.com
Rh0
argp argp@census-labs.com
Platform
OSX
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.