Closed paulhx closed 9 years ago
Can you test the firefox_webidl_injection module against a firefox version less than 22? The module has another bug i.e. instead of :ua_minver, it is using :ua_maxver twice which would make it fire against firefox versions that are not actually vulnerable. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_webidl_injection.rb#L18-L19
I stopped all services, fixed the ua_maxver issue, started all services and tested the exploit again. Still only working with the shell payload (TARGET 0), and not with meterpreter (TARGET 1).
I also tested with a firefox version less than 22, namely the version 16, and the console says that the target doesn't meet the requirement of: ua_ver.
@void-in good catch, that is definitely a bug. I have fixed the issue in #4454. The vulnerability is not present on any versions before 22.
@paulhx For now, you can use sessions -U to upgrade to meterpreter, or use the exploits/firefox/local/exec_shellcode.rb local exploit to exec a meterpreter payload from your js shell session.
Note: don't close this when #4454 lands, it's unrelated to the underlying issue here.
@paulhx I've sorted out the issue, looks like a //-style comment was causing a syntax error when newlines were removed (the fix was to delete line 80 of lib/msf/core/exploit/remote/firefox_privilege_escalation.rb).
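The failure described in the comment above, as an added JavaScript example (not code from the Metasploit project): a //-style line comment in a script that is later collapsed onto one line swallows everything after it up to the next line break, including a closing brace, so the collapsed script no longer parses, while a block comment survives. The stripNewlines helper and the sample script are constructed stand-ins for the framework's newline removal and exploit body, not the real ones.

```javascript
// Stand-in for the newline-removal step (assumed behaviour: every line break
// becomes a single space, as a minifier that only collapses whitespace would do).
function stripNewlines(src) {
  return src.replace(/\r?\n/g, " ");
}

// Parse a script body without executing it. Returns null when it compiles,
// otherwise the parser's error message. new Function() only parses here;
// the undefined run() is never called.
function syntaxError(src) {
  try {
    new Function(src);
    return null;
  } catch (e) {
    return e instanceof SyntaxError ? e.message : String(e);
  }
}

// Constructed sample script: a "//" comment sits between a statement and the
// closing brace of the function.
const withLineComment = [
  "function go() {",
  "  var cmd = 'calc';",
  "  // spawn the command",
  "  run(cmd);",
  "}",
].join("\n");

// Same script with the line comment written as a block comment, which keeps
// its delimiters when the line breaks disappear.
const withBlockComment = withLineComment.replace(
  "// spawn the command",
  "/* spawn the command */"
);

// Compile each variant before and after collapsing newlines.
// Expected: the multi-line original parses, the collapsed "//" version does not
// (the comment now eats "run(cmd); }" and the function is never closed), and
// the collapsed block-comment version parses fine.
function checkVariants() {
  return {
    original: syntaxError(withLineComment) === null,
    strippedLineComment: syntaxError(stripNewlines(withLineComment)) === null,
    strippedBlockComment: syntaxError(stripNewlines(withBlockComment)) === null,
  };
}
```

Running checkVariants() reproduces the class of bug behind the line-80 fix: any "//" comment in a script body that is later joined into one line turns the rest of that line into comment text.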
After patching firefox_webidl_injection.rb and firefox_privilege_escalation.rb, the exploit is working with meterpreter payload as well, so I consider it fixed! Thank you very much.
But another Firefox exploit for versions 5.0 - 15.0.1, firefox_proto_crmfrequest.rb, is not working (tried with meterpreter).
This is what the console says:
Gathering target information. Sending response HTML. Sending HTML
And it stops there. No session is opened. Tested on FF 6 and 13.
I thought it was better to ask here than open a new issue for the simple reason that maybe it's related to the firefox_privilege_escalation.rb fix above that other people still don't have. Or maybe it's a problem with the exploit module itself. In one way or another, it's not working.
http://www.rapid7.com/db/modules/exploit/multi/browser/firefox_webidl_injection
The rapid7 website and the exploit payload options inform us that Native Payload (TARGET 1) is available for this exploit, but I have tested setting a meterpreter payload and the session never opens. Only TARGET 0 (shell) works correctly.
No Native Payload (TARGET 1) that I have tested so far has worked.
This exploit is for Firefox 22-27.
Meanwhile, another Firefox exploit for versions 15-22, firefox_tostring_console_injection, works normally with Native Payload (TARGET 1), namely a meterpreter payload.
Why would the developers make Native Payload (TARGET 1) available without it working? It doesn't make sense, so I think there's a bug with the firefox_webidl_injection code.