From 4c91f2e0f5e93517776ca6dcc4741999a7b7428d Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 15 Oct 2013 16:27:23 -0500 Subject: [PATCH 1/2] Add detection code MS Office Add detection code for MS Office XP, 2003, 2007, 2010, and 2012. [SeeRM #8413] --- lib/msf/core/exploit/http/server.rb | 1 + .../exploitation/javascriptaddonsdetect.js | 51 +++++++++++++++++++ .../exploitation/javascriptaddonsdetect.rb | 29 +++++++++++ 3 files changed, 81 insertions(+) create mode 100644 lib/rex/exploitation/javascriptaddonsdetect.js create mode 100644 lib/rex/exploitation/javascriptaddonsdetect.rb diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 5a17c1c6ae..af639e8e08 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -4,6 +4,7 @@ require 'rex/exploitation/obfuscatejs' require 'rex/exploitation/encryptjs' require 'rex/exploitation/heaplib' require 'rex/exploitation/javascriptosdetect' +require 'rex/exploitation/javascriptaddonsdetect' module Msf diff --git a/lib/rex/exploitation/javascriptaddonsdetect.js b/lib/rex/exploitation/javascriptaddonsdetect.js new file mode 100644 index 0000000000..9f3c9f5608 --- /dev/null +++ b/lib/rex/exploitation/javascriptaddonsdetect.js 
@@ -0,0 +1,51 @@
+window.addons_detect = { };
+
+/**
+ * Returns the version of Microsoft Office. If not found, returns null.
+ **/
+window.addons_detect.getMsOfficeVersion = function () {
+ var version;
+ var types = new Array();
+ for (i=1; i <= 5; i++) {
+ try {
+ types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+ }
+ catch (e) {
+ types[i-1] = null;
+ }
+ }
+
+ if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == 'object' && types[4] == 'object')
+ {
+ version = "2012";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == 'object' && types[4] == null)
+ {
+ version = "2010";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == null && types[4] == null)
+ {
+ version = "2007";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+ types[3] == null && types[4] == null)
+ {
+ version = "2003";
+ }
+ else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+ types[3] == null && types[4] == null)
+ {
+ // If run for the first time, you must manullay allow the "Microsoft Office XP"
+ // add-on to run. However, this prompt won't show because the ActiveXObject statement
+ // is wrapped in an exception handler.
+ version = "xp";
+ }
+ else {
+ version = null;
+ }
+
+ return version;
+}
\ No newline at end of file
diff --git a/lib/rex/exploitation/javascriptaddonsdetect.rb b/lib/rex/exploitation/javascriptaddonsdetect.rb
new file mode 100644
index 0000000000..0d9be8aa88
--- /dev/null
+++ b/lib/rex/exploitation/javascriptaddonsdetect.rb
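Review bot: The doc comment on `getMsOfficeVersion` documents only "If not found, returns null", yet the `catch (e)` in the probe loop maps every exception to `null`, so a browser with no `ActiveXObject` or with the control blocked is indistinguishable from one without Office. The if/else chain also returns `null` for any result that is not one of the five exact prefix patterns (for example `.1` failing while `.2` succeeds). I would state both in the comment: `Returns "xp", "2003", "2007", "2010" or "2012"; returns null when no SharePoint.OpenDocuments ProgID can be created or the results match none of the expected patterns.` The `"2012"` label is worth confirming against the product name callers will compare with.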
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/text'
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+
+#
+# Provides javascript functions to determine addon information.
+#
+# getMsOfficeVersion(): Returns the version for Microsoft Office
+#
+class JavascriptAddonsDetect < JSObfu
+
+ def initialize(custom_js = '', opts = {})
+ @js = custom_js
+ @js += ::File.read(::File.join(::File.dirname(__FILE__), "javascriptaddonsdetect.js"))
+
+ super @js
+
+ return @js
+ end
+
+end
+end
+
+end
From 0081e186f76b6bcad9275e4f99c775079e1d09ed Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Tue, 15 Oct 2013 23:59:23 -0500
Subject: [PATCH 2/2] Make sure i var is local
---
 lib/rex/exploitation/javascriptaddonsdetect.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rex/exploitation/javascriptaddonsdetect.js b/lib/rex/exploitation/javascriptaddonsdetect.js
index 9f3c9f5608..277c1fd469 100644
--- a/lib/rex/exploitation/javascriptaddonsdetect.js
+++ b/lib/rex/exploitation/javascriptaddonsdetect.js
@@ -6,7 +6,7 @@ window.addons_detect = { };
 window.addons_detect.getMsOfficeVersion = function () {
 var version;
 var types = new Array();
- for (i=1; i <= 5; i++) {
+ for (var i=1; i <= 5; i++) {
 try {
 types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
 }
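Review bot: In `JavascriptAddonsDetect#initialize` (javascriptaddonsdetect.rb) the `opts` parameter is never read or forwarded to `super`, and the trailing `return @js` has no effect because `new` discards the value `initialize` returns. I would drop the `return @js` line and either remove `opts` or mark it, e.g. `# opts is currently unused`. The `::File.read` of javascriptaddonsdetect.js also runs on every instantiation and raises if the file is missing; whether that is acceptable depends on callers outside this hunk.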