• SSL/TLS Version Detection
    Disclosure Date: 2014-10-14
    First seen: 2022-12-23
    auxiliary/scanner/ssl/ssl_version
    Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST. Authors: - todb <todb@metasploit.com> - et <et@metasploit.com> - Chris John Riley - Veit Hailperin <hailperv@gmail.com> - h00die
  • Firefox WebIDL Privileged Javascript Injection
    Disclosure Date: 2014-03-17
    First seen: 2020-04-26
    exploit/multi/browser/firefox_webidl_injection
    This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. Authors: - Marius Mlynski - joev <joev@metasploit.com>
  • Firefox WebIDL Privileged Javascript Injection
    Disclosure Date: 2014-03-17
    First seen: 2020-04-26
    exploit/multi/browser/firefox_webidl_injection
    This exploit gains remote code execution on Firefox 22-27 by abusing two separate privilege escalation vulnerabilities in Firefox's Javascript APIs. Authors: - Marius Mlynski - joev <joev@metasploit.com>
  • Firefox Proxy Prototype Privileged Javascript Injection
    Disclosure Date: 2014-01-20
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proxy_prototype
    This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability. Authors: - joev <joev@metasploit.com>
  • Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
    Disclosure Date: 2013-08-06
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proto_crmfrequest
    On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin. Authors: - Mariusz Mlynski - moz_bug_r_a4 - joev <joev@metasploit.com>
  • Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
    Disclosure Date: 2013-08-06
    First seen: 2020-04-26
    exploit/multi/browser/firefox_proto_crmfrequest
    On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin. Authors: - Mariusz Mlynski - moz_bug_r_a4 - joev <joev@metasploit.com>
  • Firefox toString console.time Privileged Javascript Injection
    Disclosure Date: 2013-05-14
    First seen: 2020-04-26
    exploit/multi/browser/firefox_tostring_console_injection
    This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges. Authors: - moz_bug_r_a4 - Cody Crews - joev <joev@metasploit.com>
  • Firefox XMLSerializer Use After Free
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_firefox_xmlserializer
    This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3. Authors: - regenrecht - juan vazquez <juan.vazquez@metasploit.com>
  • Firefox 17.0.1 Flash Privileged Code Injection
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/multi/browser/firefox_svg_plugin
    This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it. Authors: - Marius Mlynski - joev <joev@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • Firefox 17.0.1 Flash Privileged Code Injection
    Disclosure Date: 2013-01-08
    First seen: 2020-04-26
    exploit/multi/browser/firefox_svg_plugin
    This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it. Authors: - Marius Mlynski - joev <joev@metasploit.com> - sinn3r <sinn3r@metasploit.com>
  • Firefox 8/9 AttributeChildRemoved() Use-After-Free
    Disclosure Date: 2011-12-06
    First seen: 2020-04-26
    exploit/windows/browser/mozilla_attribchildremoved
    This module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution. Authors: - regenrecht - Lincoln <lincoln@corelan.be> - corelanc0d3r <peter.ve@corelan.be>
11 metasploit modules found
Please note: Metasploit modules are only matched by CVE numbers. Visit metasploit web site for more details
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!