Add support for Silverlight

Add support for Silverlight exploitation. [SeeRM #8705]

data/js/detect/misc_addons.js

@@ -1,5 +1,51 @@
 window.misc_addons_detect = { };
 
+
+/**
+ * Detects whether the browser supports Silverlight or not
+ **/
+window.misc_addons_detect.hasSilverlight = function () {
+	var found = false;
+
+	//
+	// When on IE, we can use AgControl.AgControl to actually detect the version too.
+	// But this ability is specific to IE, so we fall back to just true/false response
+	//
+	try {
+		var ax = new ActiveXObject('AgControl.AgControl');
+		found = true;
+	} catch(e) {}
+
+	//
+	// ActiveX didn't get anything, try looking in MIMEs
+	//
+	if (!found) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i < mimes.length; i++) {
+			if (/x\-silverlight/.test(mimes[i].type)) {
+				found = true;
+				break;
+			}
+		}
+	}
+
+	//
+	// MIMEs didn't work either. Try navigator.
+	//
+	if (!found) {
+		var count = navigator.plugins.length;
+		for (var i=0; i < count; i++) {
+			var pluginName = navigator.plugins[i].name;
+			if (/Silverlight Plug\-In/.test(pluginName)) {
+				found = true;
+				break;
+			}
+		}
+	}
+
+	return found;
+}
+
 /**
  * Returns the Java version
  **/

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -45,6 +45,7 @@ module Msf
       :language    => 'language',    # Example: en-us
       :arch        => 'arch',        # Example: x86
       :proxy       => 'proxy',       # 'true' or 'false'
+      :silverlight => 'silverlight', # 'true' or 'false'
       :office      => 'office',      # Example: "2007", "2010"
       :java        => 'java',        # Example: 1.6, 1.6.0.0
       :clsid       => 'clsid',       # ActiveX clsid. Also requires the :method key
@@ -350,7 +351,8 @@ module Msf
           "<%=REQUIREMENT_KEY_SET[:ua_name]%>"     : osInfo.ua_name,
           "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"      : osInfo.ua_version,
           "<%=REQUIREMENT_KEY_SET[:arch]%>"        : osInfo.arch,
-          "<%=REQUIREMENT_KEY_SET[:java]%>"      : window.misc_addons_detect.getJavaVersion()
+          "<%=REQUIREMENT_KEY_SET[:java]%>"        : window.misc_addons_detect.getJavaVersion(),
+          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight()
         };
 
         <% if  os == OperatingSystems::WINDOWS and client == HttpClients::IE %>

lib/rex/exploitation/js/detect.rb

@@ -54,6 +54,7 @@ class Detect
   # Provides javascript functions that work for all browsers to determine addon information
   #
   # getJavaVersion(): Returns the Java version
+  # hasSilverlight(): Returns whether Silverlight is enabled or not
   #
   def self.misc_addons(custom_js = '')
     js  = custom_js

modules/exploits/windows/browser/ms13_022_silverlight_script_object.rb

@@ -60,7 +60,8 @@ class Metasploit3 < Msf::Exploit::Remote
         {
           :source      => /script|headers/i,
           :os_name     => Msf::OperatingSystems::WINDOWS,
-          :ua_name => Msf::HttpClients::IE
+          :ua_name     => Msf::HttpClients::IE,
+          :silverlight => "true"
         },
       'Targets'        =>
         [

test/modules/exploits/test/browserexploitserver.rb

@@ -96,7 +96,8 @@ class Metasploit3 < Msf::Exploit::Remote
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
     Java version: #{target_info[:java]}<br>
-    Office version: #{target_info[:office]}
+    Office version: #{target_info[:office]}<br>
+    Silverlight enabled: #{target_info[:silverlight]}
     |
 
     return template, binding()
@@ -116,7 +117,8 @@ class Metasploit3 < Msf::Exploit::Remote
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
     Java version: #{target_info[:java]}<br>
-    Office version: #{target_info[:office]}
+    Office version: #{target_info[:office]}<br>
+    Silverlight enabled: #{target_info[:silverlight]}
     |
   end