Firefox nsSMILTimeContainer::NotifyTimeChange() RCE (CVE-2016-9079) #7852
Conversation
Hi @wwebb-r7, excellent work! What version of FF did you test it on during development? Thanks.
38.0 in particular, but I have a lot more installations. I'll try to get a list together of each version I've verified it on.
Thanks. I will test this on 38.0.
Confirmed working on my end: 38.0, 39.0, 40.0, 41.0. I didn't test any minor releases in between those. 42.0+ will be soon.
This works for me:
I tested 10 times, and it was 50% successful:
Sometimes it would hang. I'm not sure if it was because I didn't wait long enough or it was just a hit-and-miss type of thing.
Release Notes
The firefox_smil_uaf module exploits a vulnerability found in Mozilla Firefox. It exploits an out of bounds indexing/use-after-free condition in nsSMILTimeContainer::NotifyTimeChange(), which allows arbitrary code execution under the context of the user.
A hang of a few seconds will occur on some runs. I'm getting much better reliability with smaller payloads that aren't as busy as meterpreter, and a few ideas as to why that might be. I'll look into it.
This exploits the use-after-free condition targeted by the leaked Tor Browser Bundle exploit originally located here. This module was created by reversing and porting the leaked exploit to target vanilla Firefox on Windows, which uses jemalloc and can be more reliably exploited than TBB with its current allocator.
The module currently supports Firefox releases from approximately 38-41. I intend to add support for more releases in the future (other people are welcome to contribute) but I just wanted to get it out there for now. I'm also fine with changing the module ranking if need be, since it's sort of confusing as to what category it'd fall in.
It must be said that this wouldn't have been completed in any reasonable amount of time without the support from and hard work of a certain individual. You deserve all the credit.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/browser/firefox_smil_uaf
set payload [PREFERRED PAYLOAD]
set [PAYLOAD OPTIONS]
set UsePostHTML true (see note at bottom)
run
100% reliability is not possible, though it should be close. If it doesn't work, rinse and repeat.