Metasploit modules that can be used to exploit Mozilla » Thunderbird » 0.8
Firefox MCallGetProperty Write Side Effects Use After Free Exploit
Disclosure Date: 2020-11-18
First seen: 2022-12-23
Module: exploit/multi/browser/firefox_jit_use_after_free
This module exploits CVE-2020-26950, a use-after-free vulnerability in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions, resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so Firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2; however, only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.
Authors: 360 ESG Vulnerability Research Institute, maxpl0it, timwr
Firefox nsSMILTimeContainer::NotifyTimeChange() RCE
Disclosure Date: 2016-11-30
First seen: 2020-04-26
Module: exploit/windows/browser/firefox_smil_uaf
This module exploits an out-of-bounds indexing/use-after-free condition present in nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox on Microsoft Windows.
Authors: Anonymous Gaijin, William Webb <william_webb@rapid7.com>
Firefox PDF.js Privileged Javascript Injection
Disclosure Date: 2015-03-31
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_pdfjs_privilege_escalation
This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Authors: Unknown, Marius Mlynski, joev <joev@metasploit.com>
SSL/TLS Version Detection
Disclosure Date: 2014-10-14
First seen: 2022-12-23
Module: auxiliary/scanner/ssl/ssl_version
Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Authors: todb <todb@metasploit.com>, et <et@metasploit.com>, Chris John Riley, Veit Hailperin <hailperv@gmail.com>, h00die
Firefox WebIDL Privileged Javascript Injection
Disclosure Date: 2014-03-17
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_webidl_injection
This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs.
Authors: Marius Mlynski, joev <joev@metasploit.com>
Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
Disclosure Date: 2013-08-06
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_proto_crmfrequest
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin.
Authors: Mariusz Mlynski, moz_bug_r_a4, joev <joev@metasploit.com>
Firefox onreadystatechange Event DocumentViewerImpl Use After Free
Disclosure Date: 2013-06-25
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_firefox_onreadystatechange
This module exploits a vulnerability found in Firefox 17.0.6, specifically a use-after-free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild in August 2013 to target Tor Browser users.
Authors: Nils, Unknown, w3bd3vil, sinn3r <sinn3r@metasploit.com>, juan vazquez <juan.vazquez@metasploit.com>
Firefox toString console.time Privileged Javascript Injection
Disclosure Date: 2013-05-14
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_tostring_console_injection
This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges.
Authors: moz_bug_r_a4, Cody Crews, joev <joev@metasploit.com>
Firefox XMLSerializer Use After Free
Disclosure Date: 2013-01-08
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_firefox_xmlserializer
This module exploits a vulnerability found in Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.
Authors: regenrecht, juan vazquez <juan.vazquez@metasploit.com>
Firefox 17.0.1 Flash Privileged Code Injection
Disclosure Date: 2013-01-08
First seen: 2020-04-26
Module: exploit/multi/browser/firefox_svg_plugin
This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit, but any Firefox plugin with script access should be able to trigger it.
Authors: Marius Mlynski, joev <joev@metasploit.com>, sinn3r <sinn3r@metasploit.com>
Firefox 8/9 AttributeChildRemoved() Use-After-Free
Disclosure Date: 2011-12-06
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_attribchildremoved
This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow a child to still be accessible after removal, due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, the removed child remains accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution.
Authors: regenrecht, Lincoln <lincoln@corelan.be>, corelanc0d3r <peter.ve@corelan.be>
Mozilla Firefox Array.reduceRight() Integer Overflow
Disclosure Date: 2011-06-21
First seen: 2020-04-26
Module: exploit/windows/browser/mozilla_reduceright
This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index to be used, allowing arbitrary remote code execution. Please note that the exploit requires a longer amount of time (compared to a typical browser exploit) in order to gain control of the machine.
Authors: Chris Rohlf, Yan Ivnitskiy, Matteo Memelli, dookie2000ca, sinn3r <sinn3r@metasploit.com>, mr_me <steventhomasseeley@gmail.com>, TecR0c <roccogiovannicalvi@gmail.com>
15 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers.