Land rapid7#4796, Handle incompatible payload architecture in BES

Author: wchen-r7

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -20,6 +20,8 @@
 module Msf
   module Exploit::Remote::BrowserExploitServer
 
+    class BESException < RuntimeError; end
+
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
     include Msf::Exploit::JSObfu
@@ -521,7 +523,13 @@ def on_request_uri(cli, request)
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?
-            method(:on_request_exploit).call(cli, request, profile)
+            begin
+              method(:on_request_exploit).call(cli, request, profile)
+            rescue BESException => e
+              elog("BESException: #{e.message}\n#{e.backtrace * "\n"}")
+              send_not_found(cli)
+              print_error("BESException: #{e.message}")
+            end
           else
             print_warning("Exploit requirement(s) not met: #{bad_reqs * ', '}. For more info: http://r-7.co/PVbcgx")
             if bad_reqs.include?(:vuln_test)
@@ -586,7 +594,15 @@ def get_payload(cli, browser_info)
       platform = platform.gsub(/^Mac OS X$/, 'OSX')
       platform = platform.gsub(/^Windows.*$/, 'Windows')
 
-      regenerate_payload(cli, platform, arch).encoded
+      p = regenerate_payload(cli, platform, arch)
+
+      unless p.arch.include?(arch)
+        err =  "The payload arch (#{p.arch * ", "}) is incompatible with the #{arch} target. "
+        err << "Please check your payload setting."
+        raise BESException, err
+      end
+
+      return p.encoded
     end
 
     # @return [String] custom Javascript to check if a vulnerability is present

spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb

@@ -4,7 +4,7 @@
 describe Msf::Exploit::Remote::BrowserExploitServer do
 
   subject(:server) do
-    mod = Msf::Exploit.allocate
+    mod = Msf::Exploit::Remote.allocate
     mod.extend described_class
     mod.send(:initialize, {})
     mod
@@ -17,6 +17,10 @@
     service
   end
 
+  let(:expected_user_agent) do
+    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
+  end
+
   let(:profile_name) do
     'random'
   end
@@ -25,26 +29,22 @@
     'linux'
   end
 
-  let(:expected_user_agent) do
-    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'
-  end
-
   let(:exploit_page) do
     server.instance_variable_get(:@exploit_receiver_page)
   end
 
   let(:expected_profile) do
     {
-      :source=>'script',
-      :os_name=>'Windows XP',
-      :ua_name=>'MSIE',
-      :ua_ver=>'8.0',
-      :arch=>'x86',
-      :office=>'null',
-      :activex=>'true',
-      :proxy=>false,
-      :language=>'en-us',
-      :tried=>true
+      :source   =>'script',
+      :os_name  =>'Windows XP',
+      :ua_name  =>'MSIE',
+      :ua_ver   =>'8.0',
+      :arch     =>'x86',
+      :office   =>'null',
+      :activex  =>'true',
+      :proxy    =>false,
+      :language =>'en-us',
+      :tried    => true
     }
   end
 
@@ -296,6 +296,43 @@
         server.on_request_uri(cli, request)
       end
     end
+
+
+  describe '#get_payload' do
+    let(:cli) {
+      Rex::Socket::Tcp
+    }
+
+    before(:each) do
+      allow(cli).to receive(:peerhost).and_return('0.0.0.0')
+      allow(cli).to receive(:peerport).and_return(4444)
+    end
+
+    let(:encoded) { '@EXE@' }
+
+    let(:x86_payload) {
+      double(:encoded => encoded, :arch => ['x86'])
+    }
+
+    let(:x86_64_payload) {
+      double(:encoded => encoded, :arch => ['x86_64'])
+    }
+
+    context 'when the payload supports the visitor\'s browser architecture' do
+      it 'returns a payload' do
+        allow(server).to receive(:regenerate_payload).and_return(x86_payload)
+        expect(server.get_payload(cli, expected_profile)).to eq(encoded)
+      end
+    end
+
+    context 'when the payload does not support the visitor\'s browser architecture'  do
+      it 'raises a BESException' do
+        allow(server).to receive(:regenerate_payload).and_return(x86_64_payload)
+        expect{server.get_payload(cli, expected_profile)}.to raise_error(Msf::Exploit::Remote::BrowserExploitServer::BESException)
+      end
+    end
+  end
+
   end
 
 end