This Metasploit modules exploits CVE-2020-26950, a use-after-free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox versions prior to 82.0.3, Firefox ESR versions prior to 78.4.1, and Thunderbird versions prior to 78.4.2, however only Firefox versions up to 79 are supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.
c5497acbfe1516edccf2f8747d261489391c42dfa92ad82028efc92b075df944
Microsoft Internet Explorer 11 use-after free exploit that triggers when Array.sort() is called with a comparator function. The two arguments are untracked by the garbage collector.
b856df963c2e5a28bdae4d1fcd184f26ef11dc132bc8c3968f8124b28ded68ce
Proof of concept denial of service exploit for the SIGRed vulnerability in Microsoft Windows DNS.
eba3ff09c3866930772b422c95d78138af6485996de36f20c82bb8f455eee6d1