This is a guide and tutorial on how to use the Mozilla Firefox Array.reduceRight() Integer Overflow to exploit a Windows 7 Ultimate machine. It shows how the DEP / ASLR bypass through the Java MSVCR71 sayonara ROP chain works.
This was tested on Windows 7 Ultimate using the Firefox 3.6.16 and 3.6.17 browsers. Note that a Java-enabled browser is needed.
1. Apache web server (this is already included in Backtrack 5 R1, a penetration testing Linux distribution)
2. Netcat/Telnet (this is already included in Backtrack 5 R1, a penetration testing Linux distribution)
3. Firefox Exploit Script :
Credits to ryujin -At- offensive-security.com and to dookie for this exploit.
Attacker Summary Details:
O.S.: Backtrack 5 R1 (Penetration Testing Distribution)
IP address: 192.168.117.131
Victim Summary Details:
O.S.: Windows 7 Ultimate Edition
IP address: 192.168.117.130
Steps to Pawn Windows 7 Ultimate Using Mozilla Firefox Array.reduceRight() Integer Overflow Exploit
1. First download the Firefox exploit script and place it on your web server. Note that for this demo I’m using Backtrack 5 R1 with the default installation, so my website directory is the /var/www/ folder. I created a folder named “wiztechie” in the /var/www/ folder and placed the exploit files inside it.
2. Start your Apache webserver by executing “/etc/init.d/apache2 start” in the terminal.
3. Make the victim computer access the web site that we have prepared. For this demo, the exploit files can be accessed by typing http://192.168.117.131/wiztechie/wiztechie.html in your Firefox browser.
4. When the victim successfully opens the malicious webpage that contains the exploit, port 4444 on the victim computer is opened and is ready to receive connections.
5. For this demo I’ll be using Netcat and Telnet to access the exploited computer.
Firefox Vulnerability Exploit - Using Netcat
Firefox Vulnerability Exploit - Using Telnet
PWNAGE! See that I’ve successfully exploited the victim computer, and from the command line, I can enter commands for more uber pawnage!
So how to prevent this?
In order to prevent the Mozilla Firefox Array.reduceRight() Integer Overflow Exploit, you should:
1. Update your Mozilla Firefox browser to the latest version as it is more secure.
2. Use a firewall so that you’ll be notified of, and able to detect, inbound and outbound connections on your computer.
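A host-side check for the symptom described in step 4 (a listener appearing on port 4444 after the page is opened), as an added example that is not part of the original guide: it parses `netstat -ano` and `tasklist /fo csv /nh` output and flags listeners owned by a browser process or bound to port 4444. The sample output is constructed, and the browser image names and the premise that the listener is owned by the browser process are assumptions.

```python
import csv
import io
# Constructed sample of Windows `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2984
  TCP    192.168.117.130:49158  192.168.117.131:80     ESTABLISHED     2984
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1100
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''
"System","4","Services","0","304 K"
"svchost.exe","716","Services","0","7,104 K"
"firefox.exe","2984","Console","1","85,412 K"
'''
BROWSER_IMAGES = {"firefox.exe", "plugin-container.exe"}  # assumption: names to watch
WATCHED_PORTS = {4444}  # the port this guide says is opened on the victim

def parse_listeners(netstat_text):
    """Return (address, port, pid) for each TCP socket in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, _, port = f[1].rpartition(":")  # rpartition keeps "[::]" intact
            out.append((addr, int(port), int(f[4])))
    return out

def parse_tasklist(csv_text):
    """Map PID -> lower-cased image name; blank or short rows are skipped."""
    return {int(r[1]): r[0].lower() for r in csv.reader(io.StringIO(csv_text)) if len(r) >= 2}

def suspicious_listeners(netstat_text, tasklist_text):
    """Flag listeners owned by a browser image or bound to a watched port."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for addr, port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "unknown")
        reasons = []
        if image in BROWSER_IMAGES:
            reasons.append("browser process owns a listening socket")
        if port in WATCHED_PORTS:
            reasons.append("listener on watched port")
        if reasons:
            findings.append({"port": port, "pid": pid, "image": image, "reasons": reasons})
    return findings
```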
Hope this guide has been informative and helpful!