From bb5b05976cca94b12786581acc973f46cfb0e82a Mon Sep 17 00:00:00 2001
From: dsk
Date: Thu, 22 Mar 2012 20:43:08 +0530
Subject: [PATCH] PoC cracker for Mozilla Firefox and Thunderbird passwords.
---
run/mozilla2john.py | 28 ++++++++
src/Makefile | 4 +-
src/mozilla_fmt_plug.c | 162 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 192 insertions(+), 2 deletions(-)
create mode 100755 run/mozilla2john.py
create mode 100644 src/mozilla_fmt_plug.c
diff --git a/run/mozilla2john.py b/run/mozilla2john.py
new file mode 100755
index 0000000..ffecc67
--- /dev/null
+++ b/run/mozilla2john.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+
+import os
+import sys
+
+
+"""mozilla2john.py processes input Mozilla profile paths
+into a format suitable for use with JtR."""
+
+import sys
+
+def process_file(path):
+ assert(os.path.exists(path) and os.path.isdir(path))
+ assert(os.path.exists(os.path.join(path, "cert8.db")))
+ assert(os.path.exists(os.path.join(path, "key3.db")))
+ assert(os.path.exists(os.path.join(path, "signons.sqlite")))
+
+ print "%s:$mozilla$*%s" % (path, path)
+
+if __name__ == "__main__":
+ if len(sys.argv) < 2:
+ print >>sys.stderr, "Usage: %s " % sys.argv[0]
+ sys.exit(-1)
+
+ for i in range(1, len(sys.argv)):
+ process_file(sys.argv[i])
+
+
diff --git a/src/Makefile b/src/Makefile
index 0cbf68b..75159fd 100644
--- a/src/Makefile
+++ b/src/Makefile
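Review bot: In run/mozilla2john.py, process_file() validates the profile directory with `assert`, so the checks disappear under `python -O` and a missing `key3.db` otherwise ends in a bare AssertionError traceback rather than a usable message. An explicit test reads better, for example `for name in ("cert8.db", "key3.db", "signons.sqlite"):` followed by `if not os.path.isfile(os.path.join(path, name)): sys.exit("%s: missing %s" % (path, name))`. The path is also written unescaped into both fields of `path:$mozilla$*path`; the C side of this patch tokenises on `*`, and the hash-file reader presumably splits fields on `:`, so a profile path containing either character would be cut short, and rejecting such paths here is the simplest guard. The duplicate `import sys` can go, and the docstring only becomes the module docstring if it is moved above the imports.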
@@ -37,12 +37,12 @@ OMPFLAGS = # icc with OpenMP (for make target linux-x86-64-icc) #ICCOMPFLAGS = -openmp -CFLAGS = -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include $(OMPFLAGS) $(JOHN_CFLAGS) +CFLAGS = -c -Wall -O2 -fomit-frame-pointer -I/usr/local/include $(OMPFLAGS) $(JOHN_CFLAGS) `pkg-config --cflags nss` # -DHAVE_SKEY # CFLAGS for use on the main john.c file only CFLAGS_MAIN = $(CFLAGS) ASFLAGS = -c $(JOHN_CFLAGS) $(OMPFLAGS) -LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) +LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) `pkg-config --libs nss` # -lskey LDFLAGS_SOLARIS = -lrt -lnsl -lsocket -lm -lz -lcrypto -lssl LDFLAGS_MKV = -s -lm diff --git a/src/mozilla_fmt_plug.c b/src/mozilla_fmt_plug.c new file mode 100644 index 0000000..733c94e --- /dev/null +++ b/src/mozilla_fmt_plug.c 
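Review bot: The NSS flags are appended to the global `CFLAGS` and `LDFLAGS`, so every object file and the final link now depend on `pkg-config` finding `nss`. When the NSS development files are absent the backticks expand to nothing and the build only fails later, on a missing header inside `mozilla_fmt_plug.c`, for users who never asked for this format; when they are present, the whole binary gains an NSS link dependency. Consider keeping the two pkg-config calls in separate opt-in variables such as `NSS_CFLAGS` and `NSS_LIBS`, commented out by default in the style of the existing `# -DHAVE_SKEY` and `# -lskey` lines, and making the plugin conditional on them.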
@@ -0,0 +1,162 @@
+/* Mozilla cracker patch for JtR. Hacked together during March of 2012 by
+ * Dhiru Kholia */
+
+#include
+#include
+#include
+#include "arch.h"
+#include "misc.h"
+#include "common.h"
+#include "formats.h"
+#include "params.h"
+#include "options.h"
+#include
+#include
+#include
+#include
+#include
+
+#define FORMAT_LABEL "mozilla"
+#define FORMAT_NAME "Mozilla"
+#define ALGORITHM_NAME "32/" ARCH_BITS_STR
+#define BENCHMARK_COMMENT ""
+#define BENCHMARK_LENGTH -1
+#define PLAINTEXT_LENGTH 8
+#define BINARY_SIZE 16
+#define SALT_SIZE 512
+#define MIN_KEYS_PER_CRYPT 1
+#define MAX_KEYS_PER_CRYPT 1
+
+static struct fmt_tests mozilla_tests[] = {
+ {"$mozilla$*dummy", "dummy"},
+ {NULL}
+};
+
+static char path[4096];
+static char saved_key[PLAINTEXT_LENGTH + 1];
+static unsigned char cracked;
+static unsigned char cleanup_required = 0;
+
+static void init(struct fmt_main *pFmt)
+{
+
+}
+
+static int valid(char *ciphertext, struct fmt_main *pFmt)
+{
+ return !strncmp(ciphertext, "$mozilla$", 9);
+}
+
+static void *get_salt(char *ciphertext)
+{
+ return ciphertext;
+}
+
+
+static void set_salt(void *salt)
+{
+ char *saltcopy = strdup(salt);
+ char *keeptr = saltcopy;
+ saltcopy += 9; /* skip over "$mozilla$*" */
+ char *p = strtok(saltcopy, "*");
+ strcpy(path, p);
+ if(cleanup_required) {
+ NSS_Shutdown();
+ PL_ArenaFinish();
+ PR_Cleanup();
+ }
+ if(strcmp(path, "dummy") && NSS_Init(path) != SECSuccess) {
+ fprintf(stderr, "NSS_Init fails\r\n");
+ }
+ cleanup_required = 1;
+ cracked = 0;
+ free(keeptr);
+}
+
+static void crypt_all(int count)
+{
+ void *keySlot;
+ if(!strcmp(path, "dummy") && !strcmp(saved_key, "dummy")) {
+ cracked = 1;
+ return;
+ }
+ if((keySlot = PK11_GetInternalKeySlot()) == NULL) {
+ fprintf(stderr, "PK11_GetInternalKeySlot fails\r\n");
+ fflush(stderr);
+ }
+
+ if (PK11_CheckUserPassword(keySlot, saved_key) == SECSuccess) {
+ cracked = 1;
+ }
+ PK11_FreeSlot(keySlot);
+}
+
+static int cmp_all(void *binary, int count)
+{
+ return cracked;
+}
+
+static int cmp_one(void *binary, int index)
+{
+ return cracked;
+}
+
+static int cmp_exact(char *source, int index)
+{
+ return 1;
+}
+
+static void mozilla_set_key(char *key, int index)
+{
+ int saved_key_length = strlen(key);
+ if (saved_key_length > PLAINTEXT_LENGTH)
+ saved_key_length = PLAINTEXT_LENGTH;
+ memcpy(saved_key, key, saved_key_length);
+ saved_key[saved_key_length] = 0;
+}
+
+static char *get_key(int index)
+{
+ return saved_key;
+}
+
+struct fmt_main mozilla_fmt = {
+ {
+ FORMAT_LABEL,
+ FORMAT_NAME,
+ ALGORITHM_NAME,
+ BENCHMARK_COMMENT,
+ BENCHMARK_LENGTH,
+ PLAINTEXT_LENGTH,
+ BINARY_SIZE,
+ SALT_SIZE,
+ MIN_KEYS_PER_CRYPT,
+ MAX_KEYS_PER_CRYPT,
+ FMT_CASE | FMT_8_BIT | FMT_OMP,
+ mozilla_tests
+ }, {
+ init,
+ fmt_default_prepare,
+ valid,
+ fmt_default_split,
+ fmt_default_binary,
+ get_salt,
+ {
+ fmt_default_binary_hash
+ },
+ fmt_default_salt_hash,
+ set_salt,
+ mozilla_set_key,
+ get_key,
+ fmt_default_clear_keys,
+ crypt_all,
+ {
+ fmt_default_get_hash
+ },
+ cmp_all,
+ cmp_one,
+ cmp_exact
+ }
+};
+
+
--
1.7.5.4
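Review bot: set_salt() copies the profile path out of the hash line with `strcpy(path, p)` and no NULL or length check, while valid() accepts anything that merely starts with `$mozilla$`. A line with nothing after the prefix makes strtok() return NULL, and nothing in this file keeps the token shorter than the 4096-byte `path` buffer, so valid() should require the `*` and a non-empty first token that fits. Separately, crypt_all() reports a NULL return from PK11_GetInternalKeySlot() but then still passes that slot to PK11_CheckUserPassword() and PK11_FreeSlot(); it should return after the message. get_salt() also returns the ciphertext pointer itself although SALT_SIZE is 512, which presumably lets the format core read past the end of a short string when it copies the salt; that is inferred rather than visible here and worth confirming. The format advertises `FMT_OMP` while keeping all state in file-level statics, which looks unintended.

```c
static int valid(char *ciphertext, struct fmt_main *pFmt)
{
	size_t len;

	if (strncmp(ciphertext, "$mozilla$*", 10))
		return 0;
	/* set_salt() copies the first '*'-delimited token into path[]:
	 * require it to be non-empty and to fit, terminator included */
	len = strcspn(ciphertext + 10, "*");
	return len > 0 && len < sizeof(path);
}

/* … unchanged: get_salt, set_salt … */

/* in crypt_all(): */
	if((keySlot = PK11_GetInternalKeySlot()) == NULL) {
		fprintf(stderr, "PK11_GetInternalKeySlot fails\r\n");
		fflush(stderr);
		return;	/* do not hand a NULL slot to NSS */
	}
```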