Support java version detection

2013-11-07 00:54:52 -06:00 · 2013-11-07 00:54:52 -06:00 · 991240a87e
parent 3e1771aa77
commit 991240a87e
7 changed files with 42 additions and 45 deletions
--- a/data/js/detect/ie_addons.js
+++ b/data/js/detect/ie_addons.js
@ -1,10 +1,10 @@
-window.addons_detect = { };
+window.ie_addons_detect = { };

 /**
 * Returns true if this ActiveX is available, otherwise false.
 * Grabbed this directly from browser_autopwn.rb
 **/
-window.addons_detect.hasActiveX = function (axo_name, method) {
+window.ie_addons_detect.hasActiveX = function (axo_name, method) {
  var axobj = null;
  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
    axobj = document.createElement("object");
@ -41,7 +41,7 @@ window.addons_detect.hasActiveX = function (axo_name, method) {
 /**
 * Returns the version of Microsoft Office. If not found, returns null.
 **/
-window.addons_detect.getMsOfficeVersion = function () {
+window.ie_addons_detect.getMsOfficeVersion = function () {
  var version;
  var types = new Array();
  for (var i=1; i <= 5; i++) {
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@ -46,6 +46,7 @@ module Msf
      :arch      => 'arch',      # Example: x86
      :proxy     => 'proxy',     # 'true' or 'false'
      :office    => 'office',    # Example: "2007", "2010"
+      :java      => 'java',      # Example: 1.6, 1.6.0.0
      :clsid     => 'clsid',     # ActiveX clsid. Also requires the :method key
      :method    => 'method'     # ActiveX method. Also requires the :clsid key
    }
@ -336,6 +337,7 @@ module Msf
      <%= js_base64 %>
      <%= js_os_detect %>
      <%= js_ajax_post %>
+      <%= js_misc_addons_detect %>
      <%= js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>

      function objToQuery(obj) {
@ -353,17 +355,18 @@ module Msf
          "<%=REQUIREMENT_KEY_SET[:os_flavor]%>" : osInfo.os_flavor,
          "<%=REQUIREMENT_KEY_SET[:ua_name]%>"   : osInfo.ua_name,
          "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"    : osInfo.ua_version,
-          "<%=REQUIREMENT_KEY_SET[:arch]%>"      : osInfo.arch
+          "<%=REQUIREMENT_KEY_SET[:arch]%>"      : osInfo.arch,
+          "<%=REQUIREMENT_KEY_SET[:java]%>"      : window.misc_addons_detect.getJavaVersion()
        };

        <% if  os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
-          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.addons_detect.getMsOfficeVersion();
+          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.ie_addons_detect.getMsOfficeVersion();
          <%
            clsid  = @requirements[:clsid]
            method = @requirements[:method]
            if clsid and method
          %>
-          d['activex'] = window.addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
+          d['activex'] = window.ie_addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
          <% end  %>
        <% end  %>

--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@ -817,6 +817,10 @@ protected
    @cache_ie_addons_detect ||= ::Rex::Exploitation::Js::Detect.ie_addons
  end

+  def js_misc_addons_detect
+    @cache_misc_addons_detect ||= ::Rex::Exploitation::Js::Detect.misc_addons
+  end
+
  # Transmits a html response to the supplied client
  #
  # HTML evasions are implemented here.
--- a/lib/rex/exploitation/js/detect.rb
+++ b/lib/rex/exploitation/js/detect.rb
@ -39,7 +39,7 @@ class Detect


  #
-  # Provides javascript functions to determine addon information.
+  # Provides javascript functions to determine IE addon information.
  #
  # getMsOfficeVersion(): Returns the version for Microsoft Office
  #
@ -50,6 +50,18 @@ class Detect
    Rex::Exploitation::JSObfu.new(js)
  end

+  #
+  # Provides javascript functions that work for all browsers to determine addon information
+  #
+  # getJavaVersion(): Returns the Java version
+  #
+  def self.misc_addons(custom_js = '')
+    js  = custom_js
+    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "misc_addons.js"))
+
+    Rex::Exploitation::JSObfu.new(js)
+  end
+
 end
 end
 end
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@ -165,7 +165,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
    it "should make sure the keys are always symbols" do
      requirements = {'os_flavor'=>"XP", 'ua_name'=>"MSIE"}
      matches = server.extract_requirements(requirements)
-      puts matches.inspect
      matches.each do |k,v|
        k.class.should eq(Symbol)
      end
--- a/spec/lib/rex/exploitation/js/detect_spec.rb
+++ b/spec/lib/rex/exploitation/js/detect_spec.rb
@ -5,16 +5,23 @@ describe Rex::Exploitation::Js::Detect do
  context "Class methods" do

    context ".os" do
-      it "should load the OS Detect javascript" do
+      it "should load the OS detection in Javascript" do
        js = Rex::Exploitation::Js::Detect.os.to_s
        js.should =~ /window\.os_detect/
      end
    end

    context ".ie_addons" do
-      it "should load the IE Addons Detect javascript" do
+      it "should load the IE Addons detection in Javascript" do
        js = Rex::Exploitation::Js::Detect.ie_addons.to_s
-        js.should =~ /window\.addons_detect/
+        js.should =~ /window\.ie_addons_detect/
+      end
+    end
+
+    context ".misc_addons" do
+      it "should load the misc Addons detection in Javascript" do
+        js = Rex::Exploitation::Js::Detect.misc_addons.to_s
+        js.should =~ /window\.misc_addons_detect/
      end
    end

--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@ -29,43 +29,13 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
-          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method => "LoadMovie",
-          :os_name => /win/i
+          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
+          #:method => "LoadMovie",
+          #:os_name => /win/i
        },
      'Targets'        =>
        [
-          [ 'Automatic', {} ],
-          [
-            'Windows XP with IE 8',
-            {
-              'os_flavor' => 'XP',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '8.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ],
-          [
-            'Windows 7 with IE 9',
-            {
-              'os_flavor' => '7',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '9.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ],
-          [
-            'Windows 7 with IE 10',
-            {
-              'os_flavor' => '7',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '10.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ]
+          [ 'Automatic', {} ]
        ],

      'Payload'        =>
@ -95,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
    Flavor: #{target_info[:os_flavor]}<br>
    UA name: #{target_info[:ua_name]}<br>
    UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
    Office version: #{target_info[:office]}
    |

@ -114,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
    Flavor: #{target_info[:os_flavor]}<br>
    UA name: #{target_info[:ua_name]}<br>
    UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
    Office version: #{target_info[:office]}
    |
  end