Land rapid7#4745, fixes rapid7#4711, BrowserAutoPwn failing due to getpeername

Author: jvazquez-r7

lib/rex/socket.rb

@@ -732,7 +732,15 @@ def getlocalname
   # Return peer connection information.
   #
   def getpeername
-    return Socket.from_sockaddr(super)
+    peer_name = nil
+    begin
+      peer_name = Socket.from_sockaddr(super)
+    rescue ::Errno::EINVAL => e
+      # Ruby's getpeername method may call rb_sys_fail("getpeername(2)")
+      elog("#{e.message} (#{e.class})#{e.backtrace * "\n"}\n", 'core', LEV_3)
+    end
+
+    return peer_name
   end
 
   #

lib/rex/socket/tcp_server.rb

@@ -56,6 +56,9 @@ def accept(opts = {})
 
       pn = t.getpeername
 
+      # We hit a "getpeername(2)" from Ruby
+      return nil unless pn
+
       t.peerhost = pn[1]
       t.peerport = pn[2]
     end

modules/auxiliary/server/browser_autopwn.rb

@@ -236,9 +236,14 @@ def setup
       print_debug("NOTE: Debug Mode; javascript will not be obfuscated")
     else
       pre = Time.now
-      print_status("Obfuscating initial javascript #{pre}")
-      @init_js.obfuscate
-      print_status "Done in #{Time.now - pre} seconds"
+
+      #
+      # 2/12/2015: Obfuscation is disabled because this is currently breaking BrowserAutoPwn
+      #
+
+      #print_status("Obfuscating initial javascript #{pre}")
+      #@init_js.obfuscate
+      #print_status "Done in #{Time.now - pre} seconds"
     end
 
     #@init_js << "window.onload = #{@init_js.sym("bodyOnLoad")};";
@@ -826,8 +831,12 @@ def build_script_response(cli, request)
     js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)<br>'")}\n"
     js << "window.next_exploit(0);\n"
 
-    js = ::Rex::Exploitation::JSObfu.new(js)
-    js.obfuscate unless datastore["DEBUG"]
+    #
+    # 2/12/2015: Obfuscation is disabled because this is currently breaking BrowserAutoPwn
+    #
+
+    #js = ::Rex::Exploitation::JSObfu.new(js)
+    #js.obfuscate unless datastore["DEBUG"]
 
     response.body = "#{js}"
     print_status("Responding with #{sploit_cnt} exploits")

modules/exploits/windows/browser/ms12_004_midi.rb

@@ -10,19 +10,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpServer::HTML
   include Msf::Exploit::RopDb
-  include Msf::Exploit::Remote::BrowserAutopwn
-  autopwn_info({
-    :ua_name    => HttpClients::IE,
-    :ua_minver  => "6.0",
-    :ua_maxver  => "8.0",
-    :javascript => true,
-    :os_name    => OperatingSystems::Match::WINDOWS,
-    :vuln_test  => %Q|
-      var v = window.os_detect.getVersion();
-      var os_name = v['os_name'];
-      if (os_name.indexOf('Windows XP') == 0) {is_vuln = true;} else { is_vuln = false; }
-    |,
-  })
 
   def initialize(info={})
     super(update_info(info,

modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb

@@ -9,6 +9,19 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::BrowserAutopwn
+  autopwn_info({
+    :ua_name    => HttpClients::IE,
+    :ua_minver  => "8.0",
+    :ua_maxver  => "8.0",
+    :javascript => true,
+    :os_name    => OperatingSystems::Match::WINDOWS_XP,
+# BrowserAutoPwn currently has a syntax error bug so we can't use classid and method,
+# so we have these commented out for now. But it's not so bad because by default
+# Windows XP has this ActiveX, and BrowserExploitServer's check will kick in.
+#    :classid    => "{19916E01-B44E-4E31-94A4-4696DF46157B}",
+#    :method     => "requiredClaims"
+  })
 
   def initialize(info={})
     super(update_info(info,

modules/exploits/windows/browser/ms14_064_ole_code_execution.rb

@@ -11,18 +11,8 @@ class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
-  include Msf::Exploit::Remote::BrowserAutopwn
   include Msf::Exploit::Powershell
 
-  autopwn_info({
-    :ua_name    => HttpClients::IE,
-    :ua_minver  => "3.0",
-    :ua_maxver  => "10.0",
-    :javascript => true,
-    :os_name    => OperatingSystems::Match::WINDOWS,
-    :rank       => ExcellentRanking
-  })
-
   def initialize(info={})
     super(update_info(info,
       'Name'           => "Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution",