Be more browser specific with Javascript generation
parent
844daf0e00
commit
5f2d8358c0
|
@ -1,5 +1,43 @@
|
|||
window.addons_detect = { };
|
||||
|
||||
/**
|
||||
* Returns true if this ActiveX is available, otherwise false.
|
||||
* Grabbed this directly from browser_autopwn.rb
|
||||
**/
|
||||
window.addons_detect.hasActiveX = function (axo_name, method) {
|
||||
var axobj = null;
|
||||
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
||||
axobj = document.createElement("object");
|
||||
axobj.setAttribute("classid", "clsid:" + axo_name);
|
||||
axobj.setAttribute("id", axo_name);
|
||||
axobj.setAttribute("style", "visibility: hidden");
|
||||
axobj.setAttribute("width", "0px");
|
||||
axobj.setAttribute("height", "0px");
|
||||
document.body.appendChild(axobj);
|
||||
if (typeof(axobj[method]) == 'undefined') {
|
||||
var attributes = 'id="' + axo_name + '"';
|
||||
attributes += ' classid="clsid:' + axo_name + '"';
|
||||
attributes += ' style="visibility: hidden"';
|
||||
attributes += ' width="0px" height="0px"';
|
||||
document.body.innerHTML += "<object " + attributes + "></object>";
|
||||
axobj = document.getElementById(axo_name);
|
||||
}
|
||||
} else {
|
||||
try {
|
||||
axobj = new ActiveXObject(axo_name);
|
||||
} catch(e) {
|
||||
// If we can't build it with an object tag and we can't build it
|
||||
// with ActiveXObject, it can't be built.
|
||||
return false;
|
||||
};
|
||||
}
|
||||
if (typeof(axobj[method]) != 'undefined') {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns the version of Microsoft Office. If not found, returns null.
|
||||
**/
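Review bot: `axobj` can still be null when the final `typeof(axobj[method]) != 'undefined'` test runs, because `document.getElementById(axo_name)` in the innerHTML fallback returns null if no `<object>` with that id ends up in the DOM, so the function throws a TypeError instead of returning false; add `if (!axobj) { return false; }` right before that test. `axo_name.substring(0,1) == String.fromCharCode(123)` is an obscured check for a leading `{`, i.e. a CLSID rather than a ProgID, and deserves a comment such as `// "{...}" is a CLSID: instantiate via <object classid>; otherwise via ActiveXObject(progid)`. The `};` that closes the `catch` block leaves a stray empty statement and should be `}`. Which of these lines are new versus pre-existing is not recoverable from the rendered hunk (-1,5 +1,43), so this applies to whatever survives on the new side.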
|
|
@ -255,14 +255,19 @@ module Msf
|
|||
#
|
||||
# Returns the code for client-side detection
|
||||
#
|
||||
# @param [String] Returns the HTML for detection
|
||||
# @param user_agent [String] The user-agent of the browser
|
||||
# @return [String] Returns the HTML for detection
|
||||
#
|
||||
def get_detection_html
|
||||
def get_detection_html(user_agent)
|
||||
ua_info = fingerprint_user_agent(user_agent)
|
||||
os = ua_info[:os_name]
|
||||
client = ua_info[:ua_name]
|
||||
|
||||
js = ::Rex::Exploitation::JSObfu.new %Q|
|
||||
#{js_base64}
|
||||
#{js_os_detect}
|
||||
#{js_addons_detect}
|
||||
#{js_ajax_post}
|
||||
#{js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE}
|
||||
|
||||
function objToQuery(obj) {
|
||||
var q = [];
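Review bot: The Windows+IE test `os == OperatingSystems::WINDOWS and client == HttpClients::IE` is written twice in this method — here in the `#{js_ie_addons_detect if ...}` interpolation and again in the `d['office']` interpolation in the next hunk — and both use `and`, the low-precedence control-flow form, where `&&` is the boolean operator. Compute it once after `client = ua_info[:ua_name]`, e.g. `ie_on_windows = os == OperatingSystems::WINDOWS && client == HttpClients::IE`, and interpolate `#{js_ie_addons_detect if ie_on_windows}` in both places. Since `user_agent` is the raw request header, the client chooses which branch it receives; a comment noting that the served detection page and the posted fingerprint are only as trustworthy as the User-Agent would help readers of the receiver code. The method body continues past the end of this hunk.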
|
||||
|
@ -279,9 +284,15 @@ module Msf
|
|||
"os_flavor" : osInfo.os_flavor,
|
||||
"ua_name" : osInfo.ua_name,
|
||||
"ua_ver" : osInfo.ua_version,
|
||||
"arch" : osInfo.arch,
|
||||
"office" : window.addons_detect.getMsOfficeVersion()
|
||||
"arch" : osInfo.arch
|
||||
};
|
||||
|
||||
#{
|
||||
if os == OperatingSystems::WINDOWS and client == HttpClients::IE
|
||||
"d['office'] = window.addons_detect.getMsOfficeVersion();"
|
||||
end
|
||||
}
|
||||
|
||||
var query = objToQuery(d);
|
||||
postInfo("#{get_resource}/#{@info_receiver_page}/", query);
|
||||
window.location = "#{get_resource}/#{@exploit_receiver_page}/";
|
||||
|
@ -320,8 +331,9 @@ module Msf
|
|||
|
||||
print_status("Gathering target information.")
|
||||
tag = Rex::Text.rand_text_alpha(rand(20) + 5)
|
||||
ua = request.headers['User-Agent']
|
||||
init_profile(tag)
|
||||
html = get_detection_html
|
||||
html = get_detection_html(ua)
|
||||
send_response(cli, html, {'Set-Cookie' => tag})
|
||||
|
||||
when /#{@info_receiver_page}/
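Review bot: `ua = request.headers['User-Agent']` is nil when the client sends no User-Agent header, and that nil is passed straight into `get_detection_html(ua)`; unless `fingerprint_user_agent` (outside this hunk) accepts nil, the request handler will raise. Guard it at the call site, e.g. `ua = request.headers['User-Agent'].to_s`, or send an error response and return when the header is absent. The enclosing `when` branch starts before this hunk.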
|
||||
|
|
|
@ -678,16 +678,6 @@ protected
|
|||
OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
|
||||
OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)', 0]),
|
||||
], Exploit::Remote::HttpServer::HTML)
|
||||
|
||||
# Cache Javascript
|
||||
@cache_base64 = nil
|
||||
@cache_ajax_download = nil
|
||||
@cache_ajax_post = nil
|
||||
@cache_mstime_malloc = nil
|
||||
@cache_property_spray = nil
|
||||
@cache_heap_spray = nil
|
||||
@cache_os_detect = nil
|
||||
@cache_os_addons = nil
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -823,8 +813,8 @@ protected
|
|||
@cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
|
||||
end
|
||||
|
||||
def js_addons_detect
|
||||
@cache_addons_detect ||= ::Rex::Exploitation::Js::Detect.addons
|
||||
def js_ie_addons_detect
|
||||
@cache_ie_addons_detect ||= ::Rex::Exploitation::Js::Detect.ie_addons
|
||||
end
|
||||
|
||||
# Transmits a html response to the supplied client
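Review bot: `js_ie_addons_detect` has no header comment, and its cache ivar `@cache_ie_addons_detect` no longer appears in any initializer list (the `# Cache Javascript` block is removed in the earlier hunk), so nothing tells a reader what is memoized or when it is used. Add a comment above the `def`, e.g. `# Memoized IE-only add-on detection JS (data/js/detect/ie_addons.js); only interpolated into the detection page for Windows + IE user agents`. Since the rename drops `js_addons_detect` entirely, any caller outside this commit that still uses the old name will now raise NoMethodError; worth a grep before merging.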
|
||||
|
|
|
@ -43,9 +43,9 @@ class Detect
|
|||
#
|
||||
# getMsOfficeVersion(): Returns the version for Microsoft Office
|
||||
#
|
||||
def self.addons(custom_js = '')
|
||||
def self.ie_addons(custom_js = '')
|
||||
js = custom_js
|
||||
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "addons.js"))
|
||||
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "ie_addons.js"))
|
||||
|
||||
Rex::Exploitation::JSObfu.new(js)
|
||||
end
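Review bot: `js = custom_js` followed by `js << ::File.read(...)` appends into the caller's string rather than a copy, so a caller passing a frozen string gets a FrozenError and a caller reusing one string object accumulates the file contents on every call; use `js = custom_js.dup` before the `<<`, or build with `js = custom_js + ::File.read(...)`. The default `''` hides this today only because a fresh literal is allocated per call, which stops being true once `# frozen_string_literal: true` is added to the file.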
|
||||
|
|
|
@ -27,6 +27,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
|
|||
"linux"
|
||||
end
|
||||
|
||||
let(:expected_user_agent) do
|
||||
"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
|
||||
end
|
||||
|
||||
before do
|
||||
Rex::ServiceManager.stub(:start => service_double)
|
||||
end
|
||||
|
@ -128,7 +132,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
|
|||
|
||||
describe ".get_detection_html" do
|
||||
it "should return the detection code that the client will get" do
|
||||
html = server.get_detection_html
|
||||
html = server.get_detection_html(expected_user_agent)
|
||||
html.should_not eq('')
|
||||
end
|
||||
end
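Review bot: The example still only asserts `html.should_not eq('')`, so it cannot tell whether the new Windows + IE branch was actually taken for `expected_user_agent`, nor that it is skipped for anything else. Add a second example that calls `server.get_detection_html` with a non-IE user agent and asserts it is also non-empty, and, if the generated page keeps a stable marker for the IE-only section after obfuscation, assert that marker is present in one output and absent in the other. Without that, a regression that always or never emits the IE add-on code would pass this spec unchanged.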
|
||||
|
|