Title: Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
Date: 12 Oct 2011
Author: Matteo Memelli ryujin -AT- offensive-security.com
CVE-2011-2371
Full exploit package:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17974.zip

Thx to dookie for helping ;)
Vulnerability discovered by Chris Rohlf and Yan Ivnitskiy of Matasano Security
http://www.mozilla.org/security/announce/2011/mfsa2011-22.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2371
DEP / ASLR bypassing through Java MSVCR71 sayonara ROP chain
Tested on Windows 7 Ultimate / Firefox 3.6.16 and 3.6.17

You need a Java-enabled browser to pwn this.