Land rapid7#3840, @wchen-r7's tweaks to os.js and module addition.

Author: jvennix-r7

data/js/detect/ie_addons.js

@@ -1,10 +1,10 @@
-window.ie_addons_detect = { };
+var ie_addons_detect = { };
 
 /**
  * Returns true if this ActiveX is available, otherwise false.
  * Grabbed this directly from browser_autopwn.rb
  **/
-window.ie_addons_detect.hasActiveX = function (axo_name, method) {
+ie_addons_detect.hasActiveX = function (axo_name, method) {
   var axobj = null;
   if (axo_name.substring(0,1) == String.fromCharCode(123)) {
     axobj = document.createElement("object");
@@ -41,7 +41,7 @@ window.ie_addons_detect.hasActiveX = function (axo_name, method) {
 /**
  * Returns the version of Microsoft Office. If not found, returns null.
  **/
-window.ie_addons_detect.getMsOfficeVersion = function () {
+ie_addons_detect.getMsOfficeVersion = function () {
   var version;
   var types = new Array();
   for (var i=1; i <= 5; i++) {

data/js/detect/misc_addons.js

@@ -1,10 +1,10 @@
-window.misc_addons_detect = { };
+var misc_addons_detect = { };
 
 
 /**
  * Detects whether the browser supports Silverlight or not
  **/
-window.misc_addons_detect.hasSilverlight = function () {
+misc_addons_detect.hasSilverlight = function () {
 	var found = false;
 
 	//
@@ -49,7 +49,7 @@ window.misc_addons_detect.hasSilverlight = function () {
 /**
  * Returns the Adobe Flash version
 **/
-window.misc_addons_detect.getFlashVersion = function () {
+misc_addons_detect.getFlashVersion = function () {
 	var foundVersion = null;
 
 	//
@@ -96,7 +96,7 @@ window.misc_addons_detect.getFlashVersion = function () {
 /**
  * Returns the Java version
  **/
-window.misc_addons_detect.getJavaVersion = function () {
+misc_addons_detect.getJavaVersion = function () {
 	var foundVersion = null;
 
 	//

data/js/detect/os.js

@@ -1,36 +1,36 @@
 
 // Case matters, see lib/msf/core/constants.rb
 // All of these should match up with constants in ::Msf::HttpClients
-clients_opera = "Opera";
-clients_ie    = "MSIE";
-clients_ff    = "Firefox";
-clients_chrome= "Chrome";
-clients_safari= "Safari";
+var clients_opera = "Opera";
+var clients_ie    = "MSIE";
+var clients_ff    = "Firefox";
+var clients_chrome= "Chrome";
+var clients_safari= "Safari";
 
 // All of these should match up with constants in ::Msf::OperatingSystems
-oses_linux    = "Linux";
-oses_windows  = "Microsoft Windows";
-oses_mac_osx  = "Mac OS X";
-oses_freebsd  = "FreeBSD";
-oses_netbsd   = "NetBSD";
-oses_openbsd  = "OpenBSD";
+var oses_linux    = "Linux";
+var oses_windows  = "Microsoft Windows";
+var oses_mac_osx  = "Mac OS X";
+var oses_freebsd  = "FreeBSD";
+var oses_netbsd   = "NetBSD";
+var oses_openbsd  = "OpenBSD";
 
 // All of these should match up with the ARCH_* constants
-arch_armle    = "armle";
-arch_x86      = "x86";
-arch_x86_64   = "x86_64";
-arch_ppc      = "ppc";
-arch_mipsle   = "mipsle";
+var arch_armle    = "armle";
+var arch_x86      = "x86";
+var arch_x86_64   = "x86_64";
+var arch_ppc      = "ppc";
+var arch_mipsle   = "mipsle";
 
-window.os_detect = {};
+var os_detect = {};
 
 /**
  * This can reliably detect browser versions for IE and Firefox even in the
  * presence of a spoofed User-Agent.  OS detection is more fragile and
  * requires truthful navigator.appVersion and navigator.userAgent strings in
  * order to be accurate for more than just IE on Windows.
  **/
-window.os_detect.getVersion = function(){
+os_detect.getVersion = function(){
 	//Default values:
 	var os_name;
 	var os_flavor;
@@ -1121,7 +1121,7 @@ window.os_detect.getVersion = function(){
 	return { os_name:os_name, os_flavor:os_flavor, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
 }; // function getVersion
 
-window.os_detect.searchVersion = function(needle, haystack) {
+os_detect.searchVersion = function(needle, haystack) {
 	var index = haystack.indexOf(needle);
 	var found_version;
 	if (index == -1) { return; }
@@ -1137,7 +1137,7 @@ window.os_detect.searchVersion = function(needle, haystack) {
 /*
  * Return -1 if a < b, 0 if a == b, 1 if a > b
  */
-window.ua_ver_cmp = function(ver_a, ver_b) {
+ua_ver_cmp = function(ver_a, ver_b) {
 	// shortcut the easy case
 	if (ver_a == ver_b) {
 		return 0;
@@ -1181,15 +1181,15 @@ window.ua_ver_cmp = function(ver_a, ver_b) {
 	return 0;
 };
 
-window.ua_ver_lt = function(a, b) {
+ua_ver_lt = function(a, b) {
 	if (-1 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };
-window.ua_ver_gt = function(a, b) {
+ua_ver_gt = function(a, b) {
 	if (1 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };
-window.ua_ver_eq = function(a, b) {
+ua_ver_eq = function(a, b) {
 	if (0 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };

lib/msf/core/exploit/jsobfu.rb

@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/jsobfu'
+
+module Msf
+  module Exploit::JSObfu
+
+    def initialize(info={})
+      super
+      register_advanced_options([
+        OptInt.new('JsObfuscate', [false, "Number of times to obfuscate JavaScript", 0])
+      ], Exploit::JSObfu)
+    end
+
+    #
+    # Returns an JSObfu object. A wrapper of ::Rex::Exploitation::JSObfu.new(js).obfuscate
+    #
+    # @param js [String] JavaScript code
+    # @param opts [Hash] obfuscation options
+    #    * :iterations [FixNum] Number of times to obfuscate
+    # @return [::Rex::Exploitation::JSObfu]
+    #
+    def js_obfuscate(js, opts={})
+      iterations = (opts[:iterations] || datastore['JsObfuscate']).to_i
+      obfu = ::Rex::Exploitation::JSObfu.new(js)
+      obfu.obfuscate(:iterations=>iterations)
+      obfu
+    end
+
+  end
+end

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -4,6 +4,7 @@
 require 'cgi'
 require 'date'
 require 'rex/exploitation/js'
+require 'msf/core/exploit/jsobfu'
 
 ###
 #
@@ -17,6 +18,7 @@ module Exploit::Remote::BrowserExploitServer
 
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
+    include Msf::Exploit::JSObfu
 
     # this must be static between runs, otherwise the older cookies will be ignored
     DEFAULT_COOKIE_NAME = '__ua'
@@ -371,27 +373,27 @@ def get_detection_html(user_agent)
 
 
       window.onload = function() {
-        var osInfo = window.os_detect.getVersion();
+        var osInfo = os_detect.getVersion();
         var d = {
           "<%=REQUIREMENT_KEY_SET[:os_name]%>"     : osInfo.os_name,
           "<%=REQUIREMENT_KEY_SET[:os_flavor]%>"   : osInfo.os_flavor,
           "<%=REQUIREMENT_KEY_SET[:ua_name]%>"     : osInfo.ua_name,
           "<%=REQUIREMENT_KEY_SET[:ua_ver]%>"      : osInfo.ua_version,
           "<%=REQUIREMENT_KEY_SET[:arch]%>"        : osInfo.arch,
-          "<%=REQUIREMENT_KEY_SET[:java]%>"        : window.misc_addons_detect.getJavaVersion(),
-          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : window.misc_addons_detect.hasSilverlight(),
-          "<%=REQUIREMENT_KEY_SET[:flash]%>"       : window.misc_addons_detect.getFlashVersion()
+          "<%=REQUIREMENT_KEY_SET[:java]%>"        : misc_addons_detect.getJavaVersion(),
+          "<%=REQUIREMENT_KEY_SET[:silverlight]%>" : misc_addons_detect.hasSilverlight(),
+          "<%=REQUIREMENT_KEY_SET[:flash]%>"       : misc_addons_detect.getFlashVersion()
         };
 
         <% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
-          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = window.ie_addons_detect.getMsOfficeVersion();
+          d['<%=REQUIREMENT_KEY_SET[:office]%>'] = ie_addons_detect.getMsOfficeVersion();
           d['<%=REQUIREMENT_KEY_SET[:mshtml_build]%>'] = ScriptEngineBuildVersion().toString();
           <%
             clsid  = @requirements[:clsid]
             method = @requirements[:method]
             if clsid and method
           %>
-          d['activex'] = window.ie_addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
+          d['activex'] = ie_addons_detect.hasActiveX('<%=clsid%>', '<%=method%>');
           <% end %>
         <% end %>
 
@@ -453,7 +455,8 @@ def on_request_uri(cli, request)
         ua = request.headers['User-Agent'] || ''
         init_profile(tag)
         print_status("Sending response HTML.")
-        send_response(cli, get_detection_html(ua), {'Set-Cookie' => cookie_header(tag)})
+        html = get_detection_html(ua)
+        send_response(cli, html, {'Set-Cookie' => cookie_header(tag)})
 
       when /#{@info_receiver_page}/
         #

spec/lib/msf/core/exploit/jsobfu_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'msf/core'
+require 'msf/core/exploit/jsobfu'
+
+
+describe Msf::Exploit::JSObfu do
+  subject(:jsobfu) do
+    mod = ::Msf::Module.new
+    mod.extend described_class
+    mod.send(:initialize, {})
+    mod
+  end
+
+  let (:js) do
+    %Q|alert("hello, world");|
+  end
+
+  let(:default_jsobfuscate) do
+    0
+  end
+
+  before do
+    subject.datastore['JsObfuscate'] = default_jsobfuscate
+  end
+
+  context 'when iteration is set' do
+    it 'returns a ::Rex::Exploitation::JSObfu object' do
+      opts = {:iterations=>0}
+      obj = jsobfu.js_obfuscate(js, opts)
+      expect(obj).to be_kind_of(::Rex::Exploitation::JSObfu)
+    end
+
+    it 'does not obfuscate if iteration is 0' do
+      opts = {:iterations=>0}
+      obj = jsobfu.js_obfuscate(js, opts)
+      expect(obj.to_s).to include js
+    end
+
+    it 'obfuscates if iteration is 1' do
+      opts = {:iterations=>1}
+      obj = jsobfu.js_obfuscate(js, opts)
+      expect(obj.to_s).not_to include js
+    end
+  end
+
+  context 'when iteration is nil' do
+    let (:opts) do
+      {:iterations=>nil}
+    end
+
+    it 'returns a ::Rex::Exploitation::JSObfu object' do
+      obj = jsobfu.js_obfuscate(js, opts)
+      expect(obj).to be_kind_of(::Rex::Exploitation::JSObfu)
+    end
+
+    it 'does not obfuscate' do
+      obj = jsobfu.js_obfuscate(js, opts)
+      expect(obj.to_s).to include(js)
+    end
+  end
+end