Metasploit modules that can be used to exploit Mozilla products
Mozilla Firefox Array.reduceRight() Integer Overflow
Disclosure Date: 2011-06-21
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_reduceright
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.
Authors:
- Chris Rohlf
- Yan Ivnitskiy
- Matteo Memelli
- dookie2000ca
- sinn3r <sinn3r@metasploit.com>
- mr_me <steventhomasseeley@gmail.com>
- TecR0c <roccogiovannicalvi@gmail.com>

Mozilla Firefox 3.6.16 mChannel Use-After-Free
Disclosure Date: 2011-05-10
First seen: 2020-04-26
Module: exploit/osx/browser/mozilla_mchannel
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.
Authors:
- regenrecht
- Rh0
- argp <argp@census-labs.com>

Mozilla Firefox 3.6.16 mChannel Use-After-Free Vulnerability
Disclosure Date: 2011-05-10
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_mchannel
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the OnChannelRedirect method of the nsIChannelEventSink interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECT's data attribute. (Discovered by regenrecht.) This module uses a heap spray with a minimal ROP chain to bypass DEP on Windows XP SP3. Additionally, a Windows 7 target was provided using Java 6 and below to avoid ASLR.
Authors:
- regenrecht
- Rh0
- mr_me <steventhomasseeley@gmail.com>

Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
Disclosure Date: 2011-02-02
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_nstreerange
This module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides, it's possible to bypass DEP without the need for a ROP. Sadly, this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.
Authors:
- regenrecht
- xero

Mozilla Firefox Interleaved document.write/appendChild Memory Corruption
Disclosure Date: 2010-10-25
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_interleaved_write
This module exploits a code execution vulnerability in Mozilla Firefox caused by interleaved calls to document.write and appendChild. This module was written based on a live exploit found in the wild.
Authors:
- unknown
- scriptjunkie

Firefox 3.5 escape() Return Value Memory Corruption
Disclosure Date: 2009-07-13
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_escape_retval
This module exploits a memory corruption vulnerability in the Mozilla Firefox browser. This flaw occurs when a bug in the JavaScript interpreter fails to preserve the return value of the escape() function and results in uninitialized memory being used instead. This module has only been tested on Windows, but should work on other platforms as well with the current targets.
Authors:
- Simon Berry-Byrne <x00050876@itnet.ie>
- hdm <x@hdm.io>

Mozilla Suite/Firefox Navigator Object Code Execution
Disclosure Date: 2006-07-25
First seen: 2020-04-26
Module: exploit/multi/browser/mozilla_navigatorjava
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit requires the Java plugin to be installed.
Authors:
- hdm <x@hdm.io>

Firefox location.QueryInterface() Code Execution
Disclosure Date: 2006-02-02
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_queryinterface
This module exploits a code execution vulnerability in the Mozilla Firefox browser. To reliably exploit this vulnerability, we need to fill almost a gigabyte of memory with our nop sled and payload. This module has been tested on OS X 10.3 with the stock Firefox 1.5.0 package.
Authors:
- hdm <x@hdm.io>

Mozilla Suite/Firefox compareTo() Code Execution
Disclosure Date: 2005-07-13
First seen: 2020-04-26
Module: exploit/multi/browser/mozilla_compareto
This module exploits a code execution vulnerability in the Mozilla Suite, Mozilla Firefox, and Mozilla Thunderbird applications. This exploit module is a direct port of Aviv Raff's HTML PoC.
Authors:
- hdm <x@hdm.io>
- Aviv Raff <avivra@gmail.com>

Firefox PDF.js Browser File Theft
First seen: 2020-04-26
Module: auxiliary/gather/firefox_pdfjs_file_theft
This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR 38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability occurs in the PDF.js component, which uses JavaScript to render a PDF inside a frame with privileges to read local files. The in-the-wild malicious payloads searched for sensitive files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they do not use the Mozilla PDF viewer.
Authors:
- Unknown
- fukusa
- Unknown

Please note: Metasploit modules are only matched by CVE numbers.
Visit the Metasploit web site for more details.