infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

* add <object> base64 encoded objects, with 1 byte pad, 2 byte pad, and random space injection. Works fine on ie 4, firefox, and safari. 

git-svn-id: file:///home/svn/incoming/trunk@3522 4d416f70-5f16-0410-b530-b9f4589650da
unstable
bmc 2006-02-10 15:45:37 +00:00
parent 524c0a3f74
commit 1c51681efe
1 changed files with 21 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
lib/msf/core/exploit/http.rb
View File

@ -462,7 +462,7 @@ protected
register_evasion_options(
[
OptEnum.new('HTML::unicode', [false, 'Enable HTTP obfuscation via unicode', 'none', ['none','little', 'big']]),
OptInt.new('HTML::javascript::base64', [false, 'Enable HTML obfuscation via base64 (number of iterations)', 0]),
OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)', 0]),
], Exploit::Remote::HttpServer::Html
)
@ -472,41 +472,26 @@ protected
#
# HTML evasions are implemented here.
def send_response(cli, body, headers = {})
if datastore['HTML::base64'] != 'none'
case datastore['HTML::base64']
when 'plain'
body = Rex::Text.encode_base64(body)
when 'single_pad'
body = Rex::Text.encode_base64(' ' + body)
when 'double_pad'
body = Rex::Text.encode_base64(' ' + body)
when 'random_space_injection'
body = Rex::Text.encode_base64(body)
new = ''
while (body.size > 0)
new += body.slice!(0, rand(3) + 1) + Rex::Text.rand_text(rand(5) + 1, '', " \n")
end
body = new
end
if datastore['HTML::javascript::base64'] > 0
datastore['HTML::javascript::base64'].times {
body = '<script>document.write(d("' + Rex::Text.encode_base64(body).gsub(/\r?\n/smi,'') + '"))</script>'
}
body = '<script>
var k = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" + "=";
function d(x) {
var o = "";
var c1, c2, c3, e1, e2, e3, e4 = "";
var i = 0;
do {
e1 = k.indexOf(x.charAt(i++));
e2 = k.indexOf(x.charAt(i++));
e3 = k.indexOf(x.charAt(i++));
e4 = k.indexOf(x.charAt(i++));
c1 = (e1 << 2) | (e2 >> 4);
c2 = ((e2 & 15) << 4) | (e3 >> 2);
c3 = ((e3 & 3) << 6) | e4;
o = o + String.fromCharCode(c1);
if (e3 != 64) {
o = o + String.fromCharCode(c2);
}
if (e4 != 64) {
o = o + String.fromCharCode(c3);
}
c1 = c2 = c3 = e1 = e2 = e3 = e4 = "";
} while (i < x.length);
return o;
}</script>'.gsub(/[\s\r\n]{2,}/smi,'') + body
body = '<HTML><BODY><OBJECT ID="' + Rex::Text.rand_text_alpha(rand(10)+5) + '" ' +
'HEIGHT="100%" WIDTH="100%" TYPE="text/html" DATA="data:text/html;base64,' +
body + '">Could not render object</OBJECT></BODY></HTML>'
end
if datastore['HTML::javascript::escape'] > 0
@ -514,7 +499,7 @@ protected
body = '<script>document.write(unescape("' + Rex::Text.to_hex(body, '%') + '"))</script>'
}
end
# body = "<html><body>#{body}</body></html>"
if datastore['HTML::unicode'] == 'little'
body = Rex::Text.to_unicode(body)
elsif datastore['HTML::unicode'] == 'big'