Allow custom 404 as an option for BrowserExploitServer

wchen-r7 · wchen-r7 · commit 66703bfe5ac9 · 2015-01-27T18:53:02.000-06:00
When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.

There are several scenarios that can trigger a 404 by BES (custom or
default):

* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
  If this actually happens, it probably means the attacker gave the
  wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
  URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
  mixin.
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -11,6 +11,9 @@
 #
 # The BrowserExploitServer mixin provides methods to do common tasks seen in modern browser
 # exploitation, and is designed to work against common setups such as on Windows, OSX, and Linux.
+# Wiki documentations about this mixin can be found here:
+# https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer
+# https://github.com/rapid7/metasploit-framework/wiki/Information-About-Unmet-Browser-Exploit-Requirements
 #
 ###
 
@@ -87,10 +90,20 @@ def initialize(info={})
 
       register_advanced_options([
         OptString.new('CookieName', [false,  "The name of the tracking cookie", DEFAULT_COOKIE_NAME]),
-        OptString.new('CookieExpiration', [false,  "Cookie expiration in years (blank=expire on exit)"])
+        OptString.new('CookieExpiration', [false,  "Cookie expiration in years (blank=expire on exit)"]),
+        OptString.new('Custom404', [false, "An external custom 404 URL (Example: http://example.com/404.html)"])
       ], Exploit::Remote::BrowserExploitServer)
     end
 
+    #
+    # Returns the custom 404 URL set by the user
+    #
+    # @return [String]
+    #
+    def get_custom_404_url
+      datastore['Custom404'].to_s
+    end
+
     #
     # Allows a block of code to access BES resources in a thread-safe fashion
     #
@@ -578,5 +591,19 @@ def js_vuln_test
       end
     end
 
+    private
+
+    #
+    # Sends a 404 respons. If a custom 404 is configured, then it will redirect to that instead.
+    #
+    def send_not_found(cli)
+      custom_404_url = get_custom_404_url
+      if custom_404_url.blank?
+        super(cli)
+      else
+        send_redirect(cli, custom_404_url)
+      end
+    end
+
   end
 end
