CVE-2013-0757

Firefox 17.0.1 Flash Privileged Code Injection

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-0757. PoCs published by Marius Mlynski, joev, sinn3r, including Metasploit module exploits/multi/browser/firefox_svg_plugin.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-9390 in Git and Mercurial clients on case-insensitive file systems by crafting a malicious repository that overwrites sensitive configuration files in the .git directory, leading to arbitrary code execution.

Description

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by referencing Object.prototype.__proto__ in a crafted HTML document.

Exploits (3)

exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/41684

This Metasploit module exploits CVE-2014-9390 in Git and Mercurial clients on case-insensitive file systems by crafting a malicious repository that overwrites sensitive configuration files in the .git directory, leading to arbitrary code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Git (versions < 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) and Mercurial (versions < 3.2.3)
No auth needed
Prerequisites: Vulnerable Git or Mercurial client on a case-insensitive file system (e.g., Windows, OS X) · Victim must interact with the malicious repository
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
ruby · local · multiple
https://www.exploit-db.com/exploits/41683

This Metasploit module exploits CVE-2013-0757 and CVE-2013-0758 to achieve remote code execution on Firefox 17.0.1 by leveraging Flash to navigate a frame to a chrome:// URL and bypassing the Chrome Object Wrapper.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Firefox 17.0.1 with Flash installed
No auth needed
Prerequisites: Firefox 17.0.1 · Flash plugin installed · User interaction to visit malicious page
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Marius Mlynski, joev, sinn3r · ruby · poc · firefox
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_svg_plugin.rb

This Metasploit module exploits CVE-2013-0757 and CVE-2013-0758 to achieve remote code execution on Firefox 17.0.1 by leveraging Flash to navigate a frame to a chrome:// URL and bypassing the Chrome Object Wrapper.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Firefox 17.0.1 with Flash installed
No auth needed
Prerequisites: Firefox 17.0.1 · Flash plugin installed · User interaction to visit malicious page
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00006.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00010.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-4
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=813901
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00007.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-1
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00017.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1681-2

Scores

EPSS 0.7457
EPSS Percentile 98.9%

Details

CWE: CWE-20
Status: published
Products (17)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
mozilla/firefox < 17.0.2
mozilla/seamonkey < 2.15
mozilla/thunderbird < 17.0.2
mozilla/thunderbird_esr < 17.0.2
opensuse/opensuse 11.4
opensuse/opensuse 12.1
... and 7 more
Published Jan 13, 2013
Tracked Since Feb 18, 2026