Update description.

unstable
Joe Vennix 2013-05-15 23:52:51 -05:00
parent 178a43a772
commit 1a5c747bb9
1 changed files with 6 additions and 3 deletions

@ -29,10 +29,10 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Firefox Plug-in Privileged Javascript Code Execution',
'Name' => 'Firefox 17.0.1 + Flash Privileged Code Injection',
'Description' => %q{
This exploit gains code execution on Firefox 17.0.1 and all previous versions,
provided the user has installed Flash. No memory corruption is used.
This exploit gains remote code execution on Firefox 17.0.1 and all previous
versions, provided the user has installed Flash. No memory corruption is used.
First, a Flash object is cloned into the anonymous content of the SVG
"use" element in the <body> (CVE-2013-0758). From there, the Flash object
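Review bot: The new 'Name' value pins the module to one version and one plugin, which disagrees with the rest of the description. The text right below it says the bug affects "Firefox 17.0.1 and all previous versions", and the closing note says any Firefox plugin with script access should be able to trigger it, so 'Firefox 17.0.1 + Flash Privileged Code Injection' reads as narrower than what the module claims. Consider a title that carries the range and keeps the plugin generic, for example 'Firefox <= 17.0.1 Plug-in Privileged Code Injection', and leave Flash to the description as the trigger actually used. The reflowed sentence also changes "code execution" to "remote code execution"; the deleted title said "Privileged Javascript Code Execution" and the new one says "Code Injection", so pick one term and use it in both places.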
@ -41,6 +41,9 @@ class Metasploit3 < Msf::Exploit::Remote
Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
around the child frame's window reference and inject code into the chrome://
context.
Once we have injection into the chrome execution context, we can write our
payload to disk, chmod it (if posix), and then execute.
Note: Flash is used here to trigger the exploit but any Firefox plugin
with script access should be able to trigger it.
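Review bot: The added sentence "write our payload to disk, chmod it (if posix), and then execute" is the only place the description mentions a file being dropped, and it leaves out what anyone reading the module info for detection or cleanup would need: where the file is written and whether it is removed after execution. Please state both, or say explicitly that the file is left behind. Wording-wise, "if posix" would read better as "on POSIX targets", and the first-person "we" is inconsistent with the impersonal phrasing used in the earlier sentences ("a Flash object is cloned", "a separate exploit ... is used"). The closing note says other plugins "should be able to trigger it"; if only Flash was tested, say so, so the claim is not read as verified.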