add minver and maxver options and prepare for universal module ranking
git-svn-id: file:///home/svn/framework3/trunk@7598 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
3bca7d14c4
commit
d5e09a90e2
|
@ -30,6 +30,8 @@ module Exploit::Remote::BrowserAutopwn
|
|||
# vuln_test is only used for javascript exploits
|
||||
@autopwn_opts = {}
|
||||
@autopwn_opts[:ua_name] = opts[:ua_name] || nil
|
||||
@autopwn_opts[:ua_minver] = opts[:ua_minver] || opts[:ua_minversion] || nil
|
||||
@autopwn_opts[:ua_maxver] = opts[:ua_maxver] || opts[:ua_maxversion] || nil
|
||||
@autopwn_opts[:ua_ver] = opts[:ua_ver] || opts[:ua_version] || nil
|
||||
@autopwn_opts[:classid] = opts[:classid] || opts[:clsid] || nil
|
||||
@autopwn_opts[:javascript] = (opts[:javascript].nil?) ? true : opts[:javascript]
|
||||
|
@ -37,8 +39,8 @@ module Exploit::Remote::BrowserAutopwn
|
|||
@autopwn_opts[:os_ver] = opts[:os_ver] || opts[:os_version] || nil
|
||||
@autopwn_opts[:postfix_html] = opts[:postfix_html] || nil
|
||||
@autopwn_opts[:prefix_html] = opts[:prefix_html] || nil
|
||||
@autopwn_opts[:rank] = opts[:rank] || NormalRanking
|
||||
@autopwn_opts[:vuln_test] = opts[:vuln_test] || opts[:vulntest] || nil
|
||||
@autopwn_opts[:rank] = opts[:rank] || nil
|
||||
@autopwn_opts[:vuln_test] = opts[:vuln_test] || opts[:vulntest] || ""
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -6,6 +6,25 @@ require 'msf/core/auxiliary'
|
|||
module Rex
|
||||
module Exploitation
|
||||
|
||||
#
|
||||
# Provides several javascript functions for determining the OS and browser versions of a client.
|
||||
#
|
||||
# getVersion(): returns an object with the following properties
|
||||
# os_name - OS name, one of the Msf::Auxiliary::Report::OperatingSystems constants
|
||||
# os_flavor - OS flavor as a string (e.g.: "XP", "2000")
|
||||
# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
|
||||
# os_lang - OS language (e.g.: "en-us")
|
||||
# ua_name - Client name, one of the Msf::Auxiliary::Report::HttpClients constants
|
||||
# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
|
||||
# arch - Architecture, one of the ARCH_* constants
|
||||
#
|
||||
# The following functions work on the version returned in obj.ua_version
|
||||
#
|
||||
# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
|
||||
# ua_ver_lt(a, b): returns true if a < b
|
||||
# ua_ver_gt(a, b): returns true if a > b
|
||||
# ua_ver_eq(a, b): returns true if a == b
|
||||
#
|
||||
class JavascriptOSDetect < ObfuscateJS
|
||||
|
||||
def initialize(custom_js = '', opts = {})
|
||||
|
@ -149,6 +168,7 @@ function getVersion(){
|
|||
break;
|
||||
case "566626":
|
||||
// IE 6.0.2600.0000, XP SP0 English
|
||||
// IE 6.0.2800.1106, XP SP1 English
|
||||
ua_version = "6.0";
|
||||
os_flavor = "XP";
|
||||
os_sp = "SP0";
|
||||
|
@ -329,6 +349,67 @@ function searchVersion(needle, haystack) {
|
|||
found_version = found_version.substring(0,found_version.indexOf(' '));
|
||||
return found_version;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Return -1 if a < b, 0 if a == b, 1 if a > b
|
||||
*/
|
||||
function ua_ver_cmp(ver_a, ver_b) {
|
||||
// shortcut the easy case
|
||||
if (ver_a == ver_b) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
a = ver_a.split(".");
|
||||
b = ver_b.split(".");
|
||||
for (i = 0; i < Math.max(a.length, b.length); i++) {
|
||||
// 3.0 == 3
|
||||
if (!b[i]) { b[i] = "0"; }
|
||||
if (!a[i]) { a[i] = "0"; }
|
||||
|
||||
if (a[i] == b[i]) { continue; }
|
||||
|
||||
a_int = parseInt(a[i]);
|
||||
b_int = parseInt(b[i]);
|
||||
a_rest = a[i].substr(a_int.toString().length);
|
||||
b_rest = b[i].substr(b_int.toString().length);
|
||||
if (a_int < b_int) {
|
||||
return -1;
|
||||
} else if (a_int > b_int) {
|
||||
return 1;
|
||||
} else { // ==
|
||||
// Then we need to deal with the stuff after the ints, e.g.:
|
||||
// "b4pre"
|
||||
if (a_rest == "b" && b_rest.length == 0) {
|
||||
return -1;
|
||||
}
|
||||
if (b_rest == "b" && a_rest.length == 0) {
|
||||
return 1;
|
||||
}
|
||||
// Just give up and try a lexicographical comparison
|
||||
if (a_rest < b_rest) {
|
||||
return -1;
|
||||
} else if (a_rest > b_rest) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
// If we get here, they must be equal
|
||||
return 0;
|
||||
}
|
||||
|
||||
function ua_ver_lt(a, b) {
|
||||
if (-1 == ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
}
|
||||
function ua_ver_gt(a, b) {
|
||||
if (1 == ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
}
|
||||
function ua_ver_eq(a, b) {
|
||||
if (0 == ua_ver_cmp(a,b)) { return true; }
|
||||
return false;
|
||||
}
|
||||
ENDJS
|
||||
super @js
|
||||
update_opts(opts) if (opts)
|
||||
|
@ -343,7 +424,10 @@ ENDJS
|
|||
'needle',
|
||||
'haystack',
|
||||
],
|
||||
'Methods' => [ 'getVersion', 'searchVersion' ]
|
||||
'Methods' => [
|
||||
'getVersion',
|
||||
'searchVersion'
|
||||
]
|
||||
}
|
||||
})
|
||||
|
||||
|
|
|
@ -163,7 +163,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
#{js_debug('prop + " " + detected_version[prop] +"<br>"')}
|
||||
encoded_detection += detected_version[prop] + ":";
|
||||
}
|
||||
#{js_debug('encoded_detection + "<br>"')}
|
||||
//#{js_debug('encoded_detection + "<br>"')}
|
||||
encoded_detection = Base64.encode(encoded_detection);
|
||||
xhr.open("GET", document.location + "?sessid=" + encoded_detection);
|
||||
xhr.send(null);
|
||||
|
@ -316,6 +316,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
next if !(init_exploit(name))
|
||||
apo = mod.autopwn_opts
|
||||
apo[:name] = name
|
||||
if !apo[:rank]
|
||||
apo[:rank] = mod.const_defined?('Rank') ? mod.const_get('Rank') : NormalRanking
|
||||
end
|
||||
|
||||
if apo[:classid]
|
||||
# Then this is an IE exploit that uses an ActiveX control,
|
||||
# build the appropriate tests for it.
|
||||
|
@ -334,6 +338,16 @@ class Metasploit3 < Msf::Auxiliary
|
|||
apo[:vuln_test] << "}\n"
|
||||
end
|
||||
end
|
||||
if apo[:ua_minver]
|
||||
apo[:vuln_test] << "if (1 == ua_ver_cmp('#{apo[:ua_minver]}', detected_version.ua_version)){"
|
||||
apo[:vuln_test] << " is_vuln = false;\n"
|
||||
apo[:vuln_test] << "}\n"
|
||||
end
|
||||
if apo[:ua_maxver]
|
||||
apo[:vuln_test] << "if (-1 == ua_ver_cmp('#{apo[:ua_maxver]}', detected_version.ua_version)){"
|
||||
apo[:vuln_test] << " is_vuln = false;\n"
|
||||
apo[:vuln_test] << "}\n"
|
||||
end
|
||||
if apo[:javascript] && apo[:ua_name]
|
||||
if @js_tests[apo[:ua_name]].nil?
|
||||
@js_tests[apo[:ua_name]] = []
|
||||
|
@ -580,7 +594,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
if (host_info and host_info[:os_name] and s[:os_name])
|
||||
next unless s[:os_name].include?(host_info[:os_name])
|
||||
end
|
||||
if s[:vuln_test]
|
||||
if s[:vuln_test] and not s[:vuln_test].empty?
|
||||
# Wrap all of the vuln tests in a try-catch block so a
|
||||
# single borked test doesn't prevent other exploits
|
||||
# from working.
|
||||
|
|
Loading…
Reference in New Issue