It looks like this works

wchen-r7 · wchen-r7 · commit 2900f57afd9b · 2015-03-23T16:46:53.000-05:00
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -65,7 +65,14 @@ class BESException < RuntimeError; end
       :mshtml_build, # mshtml build. Example: Returns "65535"
       :flash,        # Example: Returns "12.0" (chrome/ff) or "12.0.0.77" (IE)
       :vuln_test,    # Example: "if(window.MyComponentIsInstalled)return true;",
-      :activex       # Example: [{:clsid=>'String', :method=>'String'}]
+      # :activex is a special case.
+      # When you set this requirement in your module, this is how it should be:
+      # [{:clsid=>'String', :method=>'String'}]
+      # Where each Hash is a test case
+      # But when BES receives this information, the JavaScript will return this format:
+      # "{CLSID}=>Method=>Boolean;"
+      # Also see: #has_bad_activex?
+      :activex
     ])
 
     def initialize(info={})
@@ -188,8 +195,19 @@ def try_set_target(profile)
     end
 
 
+    # Returns true if there's a bad ActiveX, otherwise false.
+    # @param ax [String] The raw activex the JavaScript detection will return in this format:
+    #                    "{CLSID}=>Method=>Boolean;"
+    # @return [Boolean] True if there's a bad ActiveX, otherwise false
     def has_bad_activex?(ax)
-      return true unless ax.split(';').empty?
+      print_debug(ax)
+      ax.split(';').each do |a|
+        bool = a.split('=>')[2]
+        if bool == 'false'
+          return true
+        end
+      end
+
       false
     end
 
@@ -205,7 +223,7 @@ def get_bad_requirements(profile)
         vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
 
         if k == :activex
-          bad_reqs << k unless has_bad_activex?(profile[k.to_sym])
+          bad_reqs << k if has_bad_activex?(profile[k.to_sym])
         elsif k == :vuln_test
           bad_reqs << k unless profile[k.to_sym].to_s == 'true'
         elsif v.is_a? Regexp
@@ -408,9 +426,11 @@ def get_detection_html(user_agent)
                 method = a[:method]
           %>
                 var ax = ie_addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
-                d['activex'] = '';
-                if (ax == false) {
-                  d['activex'] += "<%=clsid%>=<%=method%>;";
+                d['activex'] = "";
+                if (ax == true) {
+                  d['activex'] += "<%=clsid%>=><%=method%>=>true;";
+                } else {
+                  d['activex'] += "<%=clsid%>=><%=method%>=>false;";
                 }
             <% end %>
           <% end %>
