• Close
  • Back to search

    Firefox 17.0.1 Flash Privileged Code Injection

    This exploit gains remote code execution on Firefox 17 and 17.0.1, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG "use" element in the <body> (CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame's window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

    Free Metasploit Download

    Get your copy of the world's leading penetration testing tool

     Download Now

    Module Name

    exploit/multi/browser/firefox_svg_plugin

    Authors

    • Marius Mlynski
    • joev <joev [at] metasploit.com>
    • sinn3r <sinn3r [at] metasploit.com>

    References

    Targets

    • Universal (Javascript XPCOM Shell)
    • Native Payload

    Platforms

    • firefox
    • java
    • linux
    • osx
    • solaris
    • windows

    Architectures

    • firefox
    • x86, x86_64, mips, mipsle, mipsbe, ppc, ppc64, cbea, cbea64, sparc, armle, armbe, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch

    Reliability

    Development

    Module Options

    To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/multi/browser/firefox_svg_plugin msf exploit(firefox_svg_plugin) > show targets ...targets... msf exploit(firefox_svg_plugin) > set TARGET <target-id> msf exploit(firefox_svg_plugin) > show options ...show and set options... msf exploit(firefox_svg_plugin) > exploit

    Related Vulnerabilities