Update the java stuff again

2013-11-07 00:57:20 -06:00 · 2013-11-07 00:57:20 -06:00 · b34b4ac2b6
parent 991240a87e
commit b34b4ac2b6
2 changed files with 80 additions and 47 deletions
--- a/data/js/detect/misc_addons.js
+++ b/data/js/detect/misc_addons.js
@ -0,0 +1,64 @@
+window.misc_addons_detect = { };
+
+/**
+ * Returns the Java version
+ **/
+window.misc_addons_detect.getJavaVersion = function () {
+	var foundVersion = null;
+
+	//
+	// This finds the Java version from Java WebStart's ActiveX control
+	// This is specific to Windows
+	//
+	for (var i1=0; i1 < 10; i1++) {
+	for (var i2=0; i2 < 10; i2++) {
+	for (var i3=0; i3 < 10; i3++) {
+	for (var i4=0; i4 < 10; i4++) {
+		var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
+		var progId = "JavaWebStart.isInstalled." + version;
+		try {
+			new ActiveXObject(progId);
+			return version;
+		}
+		catch (e) {
+			continue;
+		}		
+	}}}}
+
+	//
+	// This finds the Java version from window.navigator.mimeTypes
+	// This seems to work pretty well for most browsers except for IE
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var m = /java.+;version=(.+)/.exec(mimes[i].type);
+			if (m) {
+				var version = parseFloat(m[1]);
+				if (version > foundVersion) {
+					foundVersion = version;
+				}
+			}
+		}
+	}
+
+	//
+	// This finds the Java version from navigator plugins
+	// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
+	// So we do this last.
+	//
+	if (foundVersion == null) {
+		var foundJavaString = "";
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Java/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@ -26,18 +26,24 @@ class Metasploit3 < Msf::Exploit::Remote
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
-      'BrowserRequirements' =>
+      'Requirements' =>
        {
          :source => /script|headers/i,
-          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
-          #:method => "LoadMovie",
-          #:os_name => /win/i
+          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method => "LoadMovie",
+          :os_name => /win/i
        },
      'Targets'        =>
        [
-          [ 'Automatic', {} ]
+          [ 'Automatic', {} ],
+          [ 'Windows XP with IE 8',
+            {
+              'Requirements' => { :os_flavor => 'XP', :ua_name => 'MSIE', :ua_ver => '8.0' },
+              'Rop'          => true,
+              'Offset'       => 0x100
+            }
+          ]
        ],
-
      'Payload'        =>
        {
          'BadChars'        => "\x00",  #Our spray doesn't like null bytes
@ -48,63 +54,26 @@ class Metasploit3 < Msf::Exploit::Remote
      'DefaultTarget'  => 0))
  end

-  #
-  # This example shows how to use ERB and being able to use the arguments and local vars
-  #
-  def exploit_template1(target_info, txt)
-    txt2 = "I can use local vars!"
-
-    template = %Q|
-    <% msg  = "This page is generated by an exploit" %>
-    <%=msg%><br>
-    <%=txt%><br>
-    <%=txt2%><br>
-    <p></p>
-    Data gathered from source: #{target_info[:source]}<br>
-    OS name: #{target_info[:os_name]}<br>
-    Flavor: #{target_info[:os_flavor]}<br>
-    UA name: #{target_info[:ua_name]}<br>
-    UA version: #{target_info[:ua_ver]}<br>
-    Java version: #{target_info[:java]}<br>
-    Office version: #{target_info[:office]}
-    |
-
-    return template, binding()
-  end
-
-  #
-  # This example shows how to generate an ERB template without passing binding
-  #
-  def exploit_template2(target_info)
+  def exploit_template(target_info)
+    #print_debug(get_target.inspect)
    %Q|
    <% msg  = "This page is generated by an exploit" %>
-    <%=msg%><br>
+    <%=msg%>
    <p></p>
    Data gathered from source: #{target_info[:source]}<br>
    OS name: #{target_info[:os_name]}<br>
    Flavor: #{target_info[:os_flavor]}<br>
    UA name: #{target_info[:ua_name]}<br>
    UA version: #{target_info[:ua_ver]}<br>
-    Java version: #{target_info[:java]}<br>
    Office version: #{target_info[:office]}
    |
  end

  def on_request_exploit(cli, request, target_info)
-    print_debug("Target selected: #{get_target.name}")
-    print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
-    print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
    p = get_payload(cli, target_info)
    vprint_line(Rex::Text.to_hex_dump(p))
    print_status("Sending exploit HTML...")
-
-    # Randomly pick a template to test
-    if [true, false].sample
-      txt = "I can pass more args"
-      send_exploit_html(cli, exploit_template1(target_info, txt))
-    else
-      send_exploit_html(cli, exploit_template2(target_info))
-    end
+    send_exploit_html(cli, exploit_template(target_info))
  end

  def exploit