Land rapid7#3052 - Fix nil error in BES

Author: wchen-r7

data/js/network/ajax_post.js

@@ -1,10 +1,18 @@
-function postInfo(path, data) {
+function postInfo(path, data, cb) {
   var xmlHttp = new XMLHttpRequest();
 
   if (xmlHttp.overrideMimeType) {
     xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
   }
 
-  xmlHttp.open('POST', path, false);
+  xmlHttp.open('POST', path, !!cb);
+
+  if (cb) {
+    xmlHttp.onreadystatechange = function() {
+      if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
+    };
+  }
+
   xmlHttp.send(data);
-}
+  return xmlHttp;
+}

lib/msf/core/exploit/http/server.rb

@@ -761,7 +761,6 @@ def js_ajax_post
     @cache_ajax_post ||= Rex::Exploitation::Js::Network.ajax_post
   end
 
-
   #
   # This function takes advantage of MSTIME's CTIMEAnimationBase::put_values function that's
   # suitable for a no-spray technique.  There should be an allocation that contains an array of

lib/msf/core/exploit/remote/browser_exploit_server.rb

@@ -1,6 +1,8 @@
 # -*- coding: binary -*-
 
 require 'erb'
+require 'cgi'
+require 'date'
 require 'rex/exploitation/js'
 
 ###
@@ -16,6 +18,9 @@ module Exploit::Remote::BrowserExploitServer
     include Msf::Exploit::Remote::HttpServer::HTML
     include Msf::Exploit::RopDb
 
+    # this must be static between runs, otherwise the older cookies will be ignored
+    DEFAULT_COOKIE_NAME = '__ua'
+
     PROXY_REQUEST_HEADER_SET = Set.new(
       %w{
          CLIENT_IP
@@ -72,10 +77,15 @@ def initialize(info={})
       [
         OptBool.new('Retries', [false,  "Allow the browser to retry the module", true])
       ], Exploit::Remote::BrowserExploitServer)
+
+      register_advanced_options([
+        OptString.new('CookieName', [false,  "The name of the tracking cookie", DEFAULT_COOKIE_NAME]),
+        OptString.new('CookieExpiration', [false,  "Cookie expiration in years (blank=expire on exit)"])
+      ], Exploit::Remote::BrowserExploitServer)
     end
 
     #
-    # Syncs a block of code
+    # Allows a block of code to access BES resources in a thread-safe fashion
     #
     # @param block [Proc] Block of code to sync
     #
@@ -89,7 +99,7 @@ def sync(&block)
     # @return [String] URI to the exploit page
     #
     def get_module_resource
-      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}"
+      "#{get_resource.chomp("/")}/#{@exploit_receiver_page}/"
     end
 
     #
@@ -191,7 +201,7 @@ def get_bad_requirements(profile)
 
     #
     # Returns the target profile based on the tag. Each profile has the following structure:
-    # 'cookie' =>
+    # 'cookie_name' =>
     # {
     #   :os_name   => 'Windows',
     #   :os_flavor => 'something'
@@ -238,13 +248,13 @@ def update_profile(target_profile, key, value)
     end
 
     #
-    # Initializes a profile
+    # Initializes a profile, if it did not previously exist
     #
     # @param tag [String] A unique string as a way to ID the profile
     #
     def init_profile(tag)
       sync do
-        @target_profiles[tag] = {}
+        @target_profiles[tag] ||= {}
       end
     end
 
@@ -256,14 +266,18 @@ def init_profile(tag)
     #
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     #
-    def retrieve_tag(request)
-      tag = request.headers['Cookie'].to_s
+    def retrieve_tag(cli, request)
+      cookie = CGI::Cookie.parse(request.headers['Cookie'].to_s)
+      tag = cookie.has_key?(cookie_name) && cookie[cookie_name].first
 
       if tag.blank?
         # Browser probably doesn't allow cookies, plan B :-/
+        vprint_status("No cookie received, resorting to headers hash.")
         ip = cli.peerhost
         os = request.headers['User-Agent']
         tag = Rex::Text.md5("#{ip}#{os}")
+      else
+        vprint_status("Received cookie '#{tag}'.")
       end
 
       tag
@@ -277,31 +291,25 @@ def retrieve_tag(request)
     # @param request [Rex::Proto::Http::Request] The HTTP request sent by the browser
     #
     def process_browser_info(source, cli, request)
-      tag = retrieve_tag(request)
-
-      # Browser doesn't allow cookies. Can't track that, use a different way to track.
-      init_profile(tag) if request.headers['Cookie'].blank?
+      tag = retrieve_tag(cli, request)
+      init_profile(tag)
       target_info = get_profile(tag)
+      update_profile(target_info, :source, source.to_s)
 
       # Gathering target info from the detection stage
       case source
       when :script
         # Gathers target data from a POST request
-        update_profile(target_info, :source, 'script')
-        raw = Rex::Text.uri_decode(Rex::Text.decode_base64(request.body))
-        raw.split('&').each do |item|
-          k, v = item.scan(/(\w+)=(.*)/).flatten
-          update_profile(target_info, k.to_sym, v)
-        end
-
+        parsed_body = CGI::parse(Rex::Text.decode_base64(request.body) || '')
+        vprint_debug("Received sniffed browser data over POST: \n#{parsed_body}.")
+        parsed_body.each { |k, v| update_profile(target_info, k.to_sym, v.first) }
       when :headers
         # Gathers target data from headers
         # This may be less accurate, and most likely less info.
         fp = fingerprint_user_agent(request.headers['User-Agent'])
         # Module has all the info it needs, ua_string is kind of pointless.
         # Kill this to save space.
         fp.delete(:ua_string)
-        update_profile(target_info, :source, 'headers')
         fp.each do |k, v|
           update_profile(target_info, k.to_sym, v)
         end
@@ -356,6 +364,7 @@ def get_detection_html(user_agent)
         return Base64.encode(q.join('&'));
       }
 
+
       window.onload = function() {
         var osInfo = window.os_detect.getVersion();
         var d = {
@@ -380,8 +389,9 @@ def get_detection_html(user_agent)
         <% end %>
 
         var query = objToQuery(d);
-        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query);
-        window.location = "<%=get_resource.chomp("/")%>/<%=@exploit_receiver_page%>/";
+        postInfo("<%=get_resource.chomp("/")%>/<%=@info_receiver_page%>/", query, function(){
+          window.location="<%= get_module_resource %>";
+        });
       }
       |).result(binding())
 
@@ -394,11 +404,26 @@ def get_detection_html(user_agent)
       </script>
       <noscript>
       <img style="visibility:hidden" src="#{get_resource.chomp("/")}/#{@noscript_receiver_page}/">
-      <meta http-equiv="refresh" content="1; url=#{get_resource.chomp("/")}/#{@exploit_receiver_page}/">
+      <meta http-equiv="refresh" content="1; url=#{get_module_resource}">
       </noscript>
       |
     end
 
+    # @return [String] name of the tracking cookie
+    def cookie_name
+      datastore['CookieName'] || DEFAULT_COOKIE_NAME
+    end
+
+    def cookie_header(tag)
+      cookie = "#{cookie_name}=#{tag};"
+      if datastore['CookieExpiration'].present?
+        expires_date = (DateTime.now + 365*datastore['CookieExpiration'].to_i)
+        expires_str  = expires_date.to_time.strftime("%a, %d %b %Y 12:00:00 GMT")
+        cookie << " Expires=#{expires};"
+      end
+      cookie
+    end
+
     #
     # Handles exploit stages.
     #
@@ -411,45 +436,51 @@ def on_request_uri(cli, request)
         #
         # This is the information gathering stage
         #
-        if get_profile(retrieve_tag(request))
-          send_redirect(cli, "#{get_resource.chomp("/")}/#{@exploit_receiver_page}")
+        if get_profile(retrieve_tag(cli, request))
+          send_redirect(cli, get_module_resource)
           return
         end
 
         print_status("Gathering target information.")
         tag = Rex::Text.rand_text_alpha(rand(20) + 5)
-        ua = request.headers['User-Agent']
+        ua = request.headers['User-Agent'] || ''
         init_profile(tag)
-        html = get_detection_html(ua)
-        send_response(cli, html, {'Set-Cookie' => tag})
+        print_status("Sending response HTML.")
+        send_response(cli, get_detection_html(ua), {'Set-Cookie' => cookie_header(tag)})
 
       when /#{@info_receiver_page}/
         #
         # The detection code will hit this if Javascript is enabled
         #
-        process_browser_info(source=:script, cli, request)
-        send_response(cli, '')
+        vprint_status "Info receiver page called."
+        process_browser_info(:script, cli, request)
+        send_response(cli, '', {'Set-Cookie' => cookie_header(tag)})
 
       when /#{@noscript_receiver_page}/
         #
         # The detection code will hit this instead of Javascript is disabled
         # Should only be triggered by the img src in <noscript>
         #
-        process_browser_info(source=:headers, cli, request)
+        process_browser_info(:headers, cli, request)
         send_not_found(cli)
 
       when /#{@exploit_receiver_page}/
         #
         # This sends the actual exploit. A module should define its own
         # on_request_exploit() to get the target information
         #
-        tag = retrieve_tag(request)
+        tag = retrieve_tag(cli, request)
+        vprint_status("Serving exploit to user with tag #{tag}")
         profile = get_profile(tag)
-        if profile[:tried] and datastore['Retries'] == false
+        if profile.nil?
+          print_status("Browsing directly to the exploit URL is forbidden.")
+          send_not_found(cli)
+        elsif profile[:tried] and datastore['Retries'] == false
           print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
           send_not_found(cli)
         else
           update_profile(profile, :tried, true)
+          vprint_status("Setting target \"#{tag}\" to :tried.")
           try_set_target(profile)
           bad_reqs = get_bad_requirements(profile)
           if bad_reqs.empty?

lib/rex/exploitation/js/network.rb

@@ -37,8 +37,8 @@ def self.ajax_download(opts={})
   # @option opts [Boolean] :obfuscate toggles js obfuscation. defaults to true.
   # @option opts [Boolean] :inject_xhr_shim automatically stubs XHR to use ActiveXObject when needed.
   #   defaults to true.
-  # @return [String] javascript code to perform a synchronous ajax request to the remote with
-  #   the data specified
+  # @return [String] javascript code to perform a synchronous or asynchronous ajax request to
+  #   the remote with the data specified.
   def self.ajax_post(opts={})
     should_obfuscate = opts.fetch(:obfuscate, true)
     js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_post.js"))
@@ -47,7 +47,7 @@ def self.ajax_post(opts={})
       js = ::Rex::Exploitation::ObfuscateJS.new(js,
         {
           'Symbols' => {
-            'Variables' => %w{ xmlHttp }
+            'Variables' => %w{ xmlHttp cb path data }
           }
         }).obfuscate
     end

spec/lib/msf/core/exploit/remote/browser_exploit_server_spec.rb

@@ -15,7 +15,6 @@
     service = double("service")
     service.stub(:server_name=)
     service.stub(:add_resource)
-
     service
   end
 
@@ -31,6 +30,10 @@
     "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
   end
 
+  let(:exploit_page) do
+    server.instance_variable_get(:@exploit_receiver_page)
+  end
+
   let(:expected_profile) do
     {
       :source=>"script",
@@ -57,9 +60,8 @@
 
   describe ".get_module_resource" do
     it "should give me a URI to access the exploit page" do
-      ivar_exploit_page = server.instance_variable_get(:@exploit_receiver_page)
       module_resource = server.get_module_resource
-      module_resource.should match(ivar_exploit_page)
+      module_resource.should match(exploit_page)
     end
   end
 
@@ -221,4 +223,73 @@
     end
   end
 
+  describe '.on_request_uri' do
+    let(:cli)     { double(:peerhost => '0.0.0.0') }
+    let(:cookie)  { '' }
+    let(:headers) { {'Cookie' => cookie, 'User-Agent' => ''} }
+    let(:body)    { '' }
+    let(:cookie_name) { Msf::Exploit::Remote::BrowserExploitServer::DEFAULT_COOKIE_NAME }
+    let(:request) do
+      double(:body => body, :headers => headers, :uri => server.get_resource )
+    end
+
+    before do
+      server.stub(:send_redirect)
+      server.stub(:send_response)
+      server.stub(:send_not_found)
+    end
+
+    context 'when a new visitor requests the exploit' do
+      it 'calls send_response once' do
+        server.should_receive(:send_response).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'serves the os.js detection script' do
+        server.should_receive(:send_response) do |cli, html, headers|
+          expect(html).to include('window.os_detect')
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+
+    context 'when a returning visitor requests the exploit' do
+      let(:body) { '' }
+      let(:tag) { 'joe' }
+      let(:cookie) { "#{cookie_name}=#{tag}" }
+
+      before { server.init_profile(tag) }
+
+      it 'calls send_redirect once' do
+        server.should_receive(:send_redirect).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'redirects to the exploit URL' do
+        server.should_receive(:send_redirect) do |cli, url|
+          expect(url).to end_with("#{exploit_page}/")
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+
+    context 'when a returning visitor from a previous msf run requests the exploit' do
+      let(:body) { '' }
+      let(:tag) { 'joe' }
+      let(:cookie) { "#{cookie_name}=#{tag}" }
+
+      it 'calls send_response once' do
+        server.should_receive(:send_response).once
+        server.on_request_uri(cli, request)
+      end
+
+      it 'serves the os.js detection script' do
+        server.should_receive(:send_response) do |cli, html, headers|
+          expect(html).to include('window.os_detect')
+        end
+        server.on_request_uri(cli, request)
+      end
+    end
+  end
+
 end