Add specs for new/returning/previous visitors.

2014-03-02 20:50:10 -06:00 · 2014-03-02 20:50:10 -06:00 · 894d16af80
parent b458b8ad63
commit 894d16af80
2 changed files with 80 additions and 9 deletions
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@ -264,7 +264,7 @@ module Msf
    #
    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
    #
-    def retrieve_tag(request)
+    def retrieve_tag(cli, request)
      cookie = CGI::Cookie.parse(request.headers['Cookie'].to_s)
      tag = cookie.has_key?(cookie_name) && cookie[cookie_name].first

@ -289,7 +289,7 @@ module Msf
    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
    #
    def process_browser_info(source, cli, request)
-      tag = retrieve_tag(request)
+      tag = retrieve_tag(cli, request)
      target_info = get_profile(tag)
      init_profile(tag)

@ -415,7 +415,7 @@ module Msf
        #
        # This is the information gathering stage
        #
-        if get_profile(retrieve_tag(request))
+        if get_profile(retrieve_tag(cli, request))
          send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")
          return
        end
@ -424,14 +424,14 @@ module Msf
        tag = Rex::Text.rand_text_alpha(rand(20) + 5)
        ua = request.headers['User-Agent']
        init_profile(tag)
-        html = get_detection_html(ua)
+        html = get_detection_html(ua) || ''
        send_response(cli, html, {'Set-Cookie' => "#{cookie_name}=#{tag}"})

      when /#{@info_receiver_page}/
        #
        # The detection code will hit this if Javascript is enabled
        #
-        process_browser_info(source=:script, cli, request)
+        process_browser_info(:script, cli, request)
        send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")

      when /#{@noscript_receiver_page}/
@ -439,7 +439,7 @@ module Msf
        # The detection code will hit this instead of Javascript is disabled
        # Should only be triggered by the img src in <noscript>
        #
-        process_browser_info(source=:headers, cli, request)
+        process_browser_info(:headers, cli, request)
        send_not_found(cli)

      when /#{@exploit_receiver_page}/
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@ -15,7 +15,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
    service = double("service")
    service.stub(:server_name=)
    service.stub(:add_resource)
-
    service
  end

@ -31,6 +30,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
  end

+  let(:exploit_page) do
+    server.instance_variable_get(:@exploit_receiver_page)
+  end
+
  let(:expected_profile) do
    {
      :source=>"script",
@ -57,9 +60,8 @@ describe Msf::Exploit::Remote::BrowserExploitServer do

  describe ".get_module_resource" do
    it "should give me a URI to access the exploit page" do
-      ivar_exploit_page = server.instance_variable_get(:@exploit_receiver_page)
      module_resource = server.get_module_resource
-      module_resource.should match(ivar_exploit_page)
+      module_resource.should match(exploit_page)
    end
  end

@ -221,4 +223,73 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
    end
  end

+  describe '.on_request_uri' do
+    let(:cli)     { double(:peerhost => '0.0.0.0') }
+    let(:cookie)  { '' }
+    let(:headers) { {'Cookie' => cookie, 'User-Agent' => ''} }
+    let(:body)    { '' }
+    let(:cookie_name) { Msf::Exploit::Remote::BrowserExploitServer::DEFAULT_COOKIE_NAME }
+    let(:request) do
+      double(:body => body, :headers => headers, :uri => server.get_resource )
+    end
+
+    before do
+      server.stub(:send_redirect)
+      server.stub(:send_response)
+      server.stub(:send_not_found)
+    end
+
+    context 'when a new visitor requests the exploit' do
+      it 'calls send_response once' do
+        server.should_receive(:send_response).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'serves the os.js detection script' do
+        server.should_receive(:send_response) do |cli, html, headers|
+          expect(html).to include('window.os_detect')
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+
+    context 'when a returning visitor requests the exploit' do
+      let(:body) { '' }
+      let(:tag) { 'joe' }
+      let(:cookie) { "#{cookie_name}=#{tag}" }
+
+      before { server.init_profile(tag) }
+
+      it 'calls send_redirect once' do
+        server.should_receive(:send_redirect).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'redirects to the exploit URL' do
+        server.should_receive(:send_redirect) do |cli, url|
+          expect(url).to end_with(exploit_page)
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+
+    context 'when a returning visitor from a previous msf run requests the exploit' do
+      let(:body) { '' }
+      let(:tag) { 'joe' }
+      let(:cookie) { "#{cookie_name}=#{tag}" }
+
+      it 'calls send_response once' do
+        server.should_receive(:send_response).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'serves the os.js detection script' do
+        server.should_receive(:send_response) do |cli, html, headers|
+          expect(html).to include('window.os_detect')
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+  end
+
 end