Demo Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution

<!--
 
    FULL ASLR AND DEP BYPASS USING ASM.JS JIT SPRAY (CVE-2017-5375)
    *PoC* Exploit against Firefox 46.0.1 (CVE-2016-2819)
    ASM.JS float constant pool JIT-Spray special shown at OffensiveCon 2018
 
    Tested on:
    Firefox 46.0.1 32-bit - Windows 10 1709
    https://ftp.mozilla.org/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
 
    Howto:
    1) serve PoC over network and open it in Firefox 46.0.1 32-bit
    2) A successfull exploit attempt should pop calc.exe
 
    Mozilla Bug Report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1270381
 
 
    Writeup: 
    https://rh0dev.github.io/blog/2018/more-on-asm-dot-js-payloads-and-exploitation/
 
 
    - For research purposes only -
     
    (C) Rh0
 
    Mar. 13, 2018
 

Reference :
Firefox 46.0.1 – ASM.JS JIT-Spray Remote Code Execution
https://www.exploit-db.com/exploits/44293/
shellcode2asmjs: Generate arbitrary ASM.JS JIT-Spray payloads
https://github.com/rh0dev/shellcode2asmjs

Got some luck today(MS17-010)

read the news about US officially blame NK for WannaCry’s damage
so i was wondering if I can still find some machines that are vulnerable to MS17-010 in clients network
Just trying to see if I could got some luck for “old” exploit/vulnerability
I did found some machines are still not patched. and reported the problem to clients 🙂

using namap script to scan for possible/vulnerable targets

1. nmap -p445 --script smb-vuln-ms17-010 

2. nmap -p445 --script vuln 

found some possible target

nmapms17-010

Show option for MS17-010 in Metasploit
showoptionms17-010

Successfully get remote shell

ms17-010shell