Rapid7 Vulnerability & Exploit Database

Firefox MCallGetProperty Write Side Effects Use After Free Exploit

Disclosed
11/18/2020
Created
03/01/2022

Description

This module exploits CVE-2020-26950, a use-after-free vulnerability in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions, resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so Firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2; however, only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.

Author(s)

  • 360 ESG Vulnerability Research Institute
  • maxpl0it
  • timwr

Platform

Linux, Windows

Architectures

x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/firefox_jit_use_after_free
msf exploit(firefox_jit_use_after_free) > show targets
    ...targets...
msf exploit(firefox_jit_use_after_free) > set TARGET < target-id >
msf exploit(firefox_jit_use_after_free) > show options
    ...show and set options...
msf exploit(firefox_jit_use_after_free) > exploit
