• Firefox MCallGetProperty Write Side Effects Use After Free Exploit
    Disclosure Date: 2020-11-18
    First seen: 2022-12-23
    exploit/multi/browser/firefox_jit_use_after_free
    This modules exploits CVE-2020-26950, a use after free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2, however only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1. Authors: - 360 ESG Vulnerability Research Institute - maxpl0it - timwr
  • Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
    Disclosure Date: 2016-11-30
    First seen: 2020-04-26
    exploit/windows/browser/firefox_smil_uaf
    This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows. Authors: - Anonymous Gaijin - William Webb <william_webb@rapid7.com>
  • Firefox PDF.js Privileged Javascript Injection
    Disclosure Date: 2015-03-31
    First seen: 2020-04-26
    exploit/multi/browser/firefox_pdfjs_privilege_escalation
    This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. Authors: - Unknown - Marius Mlynski - joev <joev@metasploit.com>
  • Firefox PDF.js Privileged Javascript Injection
    Disclosure Date: 2015-03-31
    First seen: 2020-04-26
    exploit/multi/browser/firefox_pdfjs_privilege_escalation
    This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. Authors: - Unknown - Marius Mlynski - joev <joev@metasploit.com>
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • Firefox WebIDL Privileged Javascript Injection
    Disclosure Date: 2014-03-17
    First seen: 2020-04-26
    exploit/multi/browser/firefox_webidl_injection
    This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. Authors: - Marius Mlynski - joev <joev@metasploit.com>
  • Firefox WebIDL Privileged Javascript Injection
    Disclosure Date: 2014-03-17
    First seen: 2020-04-26
    exploit/multi/browser/firefox_webidl_injection
    This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. Authors: - Marius Mlynski - joev <joev@metasploit.com>
  • Firefox Proxy Prototype Privileged Javascript Injection
    Disclosure Date: 2014-01-20
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proxy_prototype
    This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability. Authors: - joev <joev@metasploit.com>
  • Firefox Proxy Prototype Privileged Javascript Injection
    Disclosure Date: 2014-01-20
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proxy_prototype
    This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability. Authors: - joev <joev@metasploit.com>
  • Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
    Disclosure Date: 2013-08-06
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proto_crmfrequest
    On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin. Authors: - Mariusz Mlynski - moz_bug_r_a4 - joev <joev@metasploit.com>
  • Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
    Disclosure Date: 2013-08-06
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proto_crmfrequest
    On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin. Authors: - Mariusz Mlynski - moz_bug_r_a4 - joev <joev@metasploit.com>
  • Firefox onreadystatechange Event DocumentViewerImpl Use After Free
    Disclosure Date: 2013-06-25
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_firefox_onreadystatechange
    This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users. Authors: - Nils - Unknown - w3bd3vil - sinn3r <sinn3r@metasploit.com> - juan vazquez <juan.vazquez@metasploit.com>
  • Firefox toString console.time Privileged Javascript Injection
    Disclosure Date: 2013-05-14
    First seen: 2020-04-26
    exploit/multi/browser/firefox_tostring_console_injection
    This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges. Authors: - moz_bug_r_a4 - Cody Crews - joev <joev@metasploit.com>
  • Firefox 17.0.1 Flash Privileged Code Injection
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/multi/browser/firefox_svg_plugin
    This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it. Authors: - Marius Mlynski - joev <joev@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • Firefox 17.0.1 Flash Privileged Code Injection
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/multi/browser/firefox_svg_plugin
    This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it. Authors: - Marius Mlynski - joev <joev@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • Firefox XMLSerializer Use After Free
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_firefox_xmlserializer
    This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3. Authors: - regenrecht - juan vazquez <juan.vazquez@metasploit.com>
  • Firefox 8/9 AttributeChildRemoved() Use-After-Free
    Disclosure Date: 2011-12-06
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_attribchildremoved
    This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution. Authors: - regenrecht - Lincoln <lincoln@corelan.be> - corelanc0d3r <peter.ve@corelan.be>
  • Firefox nsSVGValue Out-of-Bounds Access Vulnerability
    Disclosure Date: 2011-12-06
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_nssvgvalue
    This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution. Authors: - regenrecht - Lincoln <lincoln@corelan.be> - corelanc0d3r <peter.ve@corelan.be>
30 metasploit modules found
1 2
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!