Besides using arithmetic calculations and array elements, another interesting technique to spray payloads is to use float values. Using these values as payload bytes has the advantage that an attacker’s shellcode resides continuous in memory at run time, because the float values are next to each other located in a constant pool. As the payload bytes are not interrupted by disturbing opcodes emitted by the ASM.JS compiler, all eight bytes of a double float constant are usable as payload.
If you are into (over)hyping and naming vulnerabilities you can call it: ConstantDesaster
So finally, I release the remaining code including our shellcode2asmjs (sc2asmjs.py) tool and exploits for CVE-2016-2819 and CVE-2016-1960. An exploit for CVE-2016-9079 is already available for some time. Most likely, sc2asmjs.py won’t be maintained anymore, however, you can still generate ASM.JS JIT-Spray payloads of different kinds and insert your favorite assembly or binary Metasploit payload to exploit vulnerable Mozilla Firefox versions.
Some last words on CVE-2016-2819 and CVE-2016-1960: There is a very detailed public exploit for CVE-2016-1960, which uses a bruteforce approach (see explanation). However, after a bit of diving into the vulnerable code and patches for both bugs, it was possible to change the inital crashing testcase to reach an easier to exploit code path. The goal is to reach line 1102 where we get EIP control when node->release() is called in nsHtml5TreeBuilder::pop():
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
The code is equivalent for firefox-46.0.1/parser/html/nsHtml5TreeBuilder.cpp. As group is a constant on line 1096, we only need one exploit attempt to reach line 1102. This can be achieved when changing the last element from style to dd (see modification). And, as we only need EIP control when using ASM.JS JIT-Spray, exploitation becomes even more comfortable and easier. For more information take a look at the OffensiveCon 2018 slides.
Enjoy! Let me know if you find any mistakes, feedback is welcome!