Add support for Procs in browserexploit requirements.

2013-12-19 12:49:05 -06:00 · 2013-12-19 12:49:05 -06:00 · ca23b32161
parent eb08a30293
commit ca23b32161
2 changed files with 72 additions and 11 deletions
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@ -92,6 +92,15 @@ module Msf
      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
    end

+    #
+    # Returns the absolute URL to the module's resource that points to on_request_exploit
+    #
+    # @return [String] absolute URI to the exploit page
+    #
+    def get_module_uri
+      "#{get_uri.chomp("/")}/#{@exploit_receiver_page}"
+    end
+
    #
    # Returns the current target
    #
@ -166,8 +175,10 @@ module Msf
        # Special keys to ignore because the script registers this as [:activex] = true or false
        next if k == :clsid or k == :method

-        if v.class == Regexp
+        if v.is_a? Regexp
          bad_reqs << k if profile[k.to_sym] !~ v
+        elsif v.is_a? Proc
+          bad_reqs << k unless v.call(profile[k.to_sym])
        else
          bad_reqs << k if profile[k.to_sym] != v
        end
--- a/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@ -64,19 +64,69 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
  end

  describe ".get_bad_requirements" do
-    it "should not contain any bad requirements" do
-        server.get_bad_requirements(expected_profile).should eq([])
+    let(:rejected_requirements) do
+      server.get_bad_requirements(fake_profile)
    end

-    it "should have identify :os_name as a requirement not met" do
-      fake_profile = {
-        "rMWwSAwBHLoESpHbEGbsv" => {
-          :os_name   => expected_os_name
-        }}
+    context 'when given the expected profile' do
+      it "should not contain any bad requirements" do
+        server.get_bad_requirements(expected_profile).should eq([])
+      end
+    end

-      server.instance_variable_set(:@requirements, {:os_name => /win/i})
-      baddies = server.get_bad_requirements(fake_profile)
-      baddies.should eq([:os_name])
+    context 'when attempting to match :os_name' do
+      let(:fake_profile) do
+        { :os_name => expected_os_name }
+      end
+
+      before do
+        server.instance_variable_set(:@requirements, {:os_name => /win/i})
+      end
+
+      it "should have identify :os_name as a requirement not met" do
+        rejected_requirements.should eq([:os_name])
+      end
+    end
+
+    context 'when attempting to match :ua_ver' do
+      context 'against version 25.0' do
+        let(:expected_ua_ver) { '25.0' }
+        let(:fake_profile) do
+          { :ua_ver => expected_ua_ver }
+        end
+
+        before do
+          server.instance_variable_set(:@requirements, {:ua_ver => ua_ver})
+        end
+
+        context "with the regex /26\.0$/" do
+          let(:ua_ver) { /26\.0$/ }
+          it "should reject :ua_ver" do
+            rejected_requirements.should include(:ua_ver)
+          end
+        end
+
+        context "with the regex /25\.0$/" do
+          let(:ua_ver) { /25\.0$/ }
+          it "should accept :ua_ver" do
+            rejected_requirements.should_not include(:ua_ver)
+          end
+        end
+
+        context "with a Proc that checks if version is between 1-5" do
+          let(:ua_ver) { lambda{ |ver| ver.to_i.between?(1, 5) } }
+          it "should reject :ua_ver" do
+            rejected_requirements.should include(:ua_ver)
+          end
+        end
+
+        context "with a Proc that checks if version is between 20-26" do
+          let(:ua_ver) { lambda{ |ver| ver.to_i.between?(20, 26) } }
+          it "should accept :ua_ver" do
+            rejected_requirements.should_not include(:ua_ver)
+          end
+        end
+      end
    end
  end